Are Canadian bank passwords safe enough?

Since the dawn of computing typing passwords on a keyboard has been the standard way of ensuring secure access to IT systems.

But an article on today questions whether Google and Twitter have better password protection than some Canadian banks where we park our savings.

The social media sites demand users pick passwords with at least eight characters, upper and lower case letters, numbers and special symbols, notes Matthew Braga. But one bank allows a password as short as six characters with no special symbols or characters allowed. Some banks allow long passwords but the letters aren’t case sensitive.

Which raises the question of what’s a best practice for passwords if a bank is seemingly lax?

To be fair, as the article notes passwords aren’t a bank’s only security protection. They have sophisticated intrusion and fraud protection software. Sudden large withdrawals of cash will trigger suspicion — but what if it’s a modest $200 theft? What if it’s $200 a day for a week? A depositor’s only protection is the bank’s promise to reimburse for financial losses.

The Office of the Superintendent of Financial Institutions, which oversees banks, has not guidance for them on passwords.

Canadian banks told the author their systems are secure. Longer passwords wouldn’t offer more protection, one said.

We don’t know how secure bank passwords are because they won’t divulge how many frauds are password-related, said Avner Levin, associate professor in the law and business department at Ryerson University and director of its Privacy and Cybercrime Institute.
The question isn’t whether a six-character password is acceptable, he added, but whose responsibility it is if something goes wrong.

So far, he said, the banks couple easy passwords with taking full responsibility and willing to reimburse losses.

He would object, however, if Canadian banks start following the lead of several European financial institutions and move to a limited liability model, where customers are responsible for some money lost — like the deductable on car insurance.
Levin wouldn’t like to see that unless banks here increase access security.

Still, if six letters are enough for a bank, why not for Revenue Canada, health records, my stock broker?

The article also raises the question that if online two-factor authentication–is good enough for social media sites – optional on Twitter, Facebook and Google — why not for banks?

One reason, of course, is that they take time. Two-factor authentication for Twitter, for example, means when a user logs in Twitter sends a text message with a code to a mobile device. To complete the login the code has to be entered as well as a password. Great for social media where time isn’t important. But how many people will do that for access to their own money?

Few now. But wait until somone’s password is cracked.

Read the full article here   

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web