Since the dawn of computing typing passwords on a keyboard has been the standard way of ensuring secure access to IT systems.

But an article on today questions whether Google and Twitter have better password protection than some Canadian banks where we park our savings.

The social media sites demand that users pick passwords of at least eight characters containing upper- and lower-case letters, numbers and special symbols, notes Matthew Braga. But one bank allows a password as short as six characters, with no special characters permitted at all. Some banks allow long passwords, but the letters aren't case-sensitive.

Which raises the question of what’s a best practice for passwords if a bank is seemingly lax?

To be fair, as the article notes passwords aren’t a bank’s only security protection. They have sophisticated intrusion and fraud protection software. Sudden large withdrawals of cash will trigger suspicion — but what if it’s a modest $200 theft? What if it’s $200 a day for a week? A depositor’s only protection is the bank’s promise to reimburse for financial losses.

The Office of the Superintendent of Financial Institutions, which oversees banks, has issued no guidance to them on passwords.

Canadian banks told the author their systems are secure. Longer passwords wouldn’t offer more protection, one said.

We don’t know how secure bank passwords are because they won’t divulge how many frauds are password-related, said Avner Levin, associate professor in the law and business department at Ryerson University and director of its Privacy and Cybercrime Institute.
The question isn’t whether a six-character password is acceptable, he added, but whose responsibility it is if something goes wrong.

So far, he said, the banks couple easy passwords with taking full responsibility and a willingness to reimburse losses.

He would object, however, if Canadian banks started following the lead of several European financial institutions and moved to a limited liability model, where customers are responsible for some of the money lost, like the deductible on car insurance.
Levin wouldn’t like to see that unless banks here increase access security.

Still, if six letters are enough for a bank, why not for Revenue Canada, health records, my stock broker?

The article also asks: if online two-factor authentication is good enough for social media sites (it is optional on Twitter, Facebook and Google), why not for banks?

One reason, of course, is that it takes time. Two-factor authentication for Twitter, for example, means that when a user logs in, Twitter sends a text message containing a code to a mobile device. To complete the login, the code has to be entered as well as the password. That is fine for social media, where time isn't important. But how many people will do that for access to their own money?
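To make the two mechanisms the post compares concrete, here is an added example (not code from the article or from any bank or social network it mentions) of a toy server-side login that puts them together: a check for the "eight characters, mixed case, digits and a symbol" policy described above, a salted password hash, a lockout after a fixed number of failed guesses, and a single-use, time-limited code delivered through a hook that stands in for an SMS gateway. The class and function names, the five-attempt limit and the five-minute code lifetime are assumptions chosen for the example; delivery is a callback so the code can run offline.

```python
import hashlib
import hmac
import secrets
import string
import time


def policy_failures(password, min_len=8):
    """Return the names of the rules a password fails under the policy the
    post describes: minimum length plus lower, upper, digit and symbol."""
    failures = []
    if len(password) < min_len:
        failures.append("length")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in string.punctuation for c in password):
        failures.append("symbol")
    return failures


class AuthService:
    """Toy login service (assumed design, not a real bank's): salted PBKDF2
    password hashes, lockout after max_attempts failures, then a one-time
    six-digit code that must be presented within code_ttl seconds."""

    def __init__(self, send_code, max_attempts=5, code_ttl=300, clock=time.time):
        self.send_code = send_code      # delivery hook, e.g. an SMS gateway
        self.max_attempts = max_attempts
        self.code_ttl = code_ttl
        self.clock = clock              # injectable so expiry can be tested
        self.users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failed": 0,
            "locked": False,
            "pending": None,  # (code, issued_at) while a second factor is outstanding
        }

    def login(self, username, password):
        """First factor. Returns 'locked', 'bad_password' or 'need_code'.
        Unknown users get the same answer as a wrong password."""
        rec = self.users.get(username)
        if rec is None:
            return "bad_password"
        if rec["locked"]:
            return "locked"
        if not hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            rec["failed"] += 1
            if rec["failed"] >= self.max_attempts:
                rec["locked"] = True
                return "locked"
            return "bad_password"
        rec["failed"] = 0
        code = f"{secrets.randbelow(10**6):06d}"
        rec["pending"] = (code, self.clock())
        self.send_code(username, code)   # constructed stand-in for sending an SMS
        return "need_code"

    def verify_code(self, username, code):
        """Second factor. The code is consumed on first use, match or not,
        and rejected once it is older than code_ttl."""
        rec = self.users.get(username)
        if rec is None or rec["pending"] is None:
            return False
        expected, issued = rec["pending"]
        rec["pending"] = None
        if self.clock() - issued > self.code_ttl:
            return False
        return hmac.compare_digest(expected, code)
```

The lockout is what makes the online guessing budget small regardless of password length; the salted, iterated hash is what matters if the stored hashes themselves leak, which no lockout counter helps with. Consuming the code on first use, even on a mismatch, keeps a delivered code from being retried.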

Few now. But wait until someone's password is cracked.

Read the full article here


  1. The weakest password that I use is my bank password. Not by choice. It's forced on me by the bank. I am using the most complex password allowed.

  2. I agree that bank passwords are not secure enough; after all, banking information should be treated more securely than the information on social media sites. I am talking about the big Canadian banks, which either allow only a simple 8-digit password with no special characters, or in some cases only a 6-digit PIN. The US banks have better password policies than the Canadian banks.

  3. The problem isn’t length, or arbitrary rules requiring upper+lower case and symbols. Those are “fixes” advocated by people who know nothing about how actual account hacking works. They do nothing to address the real issues of password reuse and social engineering. In fact, they encourage a weakening of password recovery requirements (one of the easiest ways to get somebody’s password), because people are being forced to use long complicated random strings that they inevitably forget.

  4. It has always distressed me that my bank password can only be 8 characters. My standard password is between 11 and 15 characters. Only 8 characters protects my money and so much more information?

  5. What a load of rubbish.

    Force users to use a complicated password with letters of differing cases, numbers, and special characters, and they will either write it down, use something easy to remember like “Pa$$word111” or use one “standard” password for everything. Force a change every month and the password becomes “November2014!”. All of these make the new, more complicated password less secure than using your dog’s name. Walk into any office that requires so-called “high-strength” passwords and I’ll guarantee you’ll see a post-it with the password on the monitor or under the keyboard.

    Two-factor authentication is equally absurd. Like many people, texting on my phone is turned off. What about people without a cell phone? It takes a special kind of idiot to hand over their phone number to websites whose sole reason for existing is to try to sell you things. Facebook, Twitter, Google. Who really believes your cat videos need that extra security vs. the company fishing for even more personal information. Handing out personal information means less security for you.

    Even mandatory security questions make you less secure. “Where was your first vacation?” “What was your first car?” All these questions and your answers are being stored on a server somewhere. And face it, big companies haven’t had a stellar record lately of keeping your data safe. If Visa gets hacked your answers can be used to get into your Mastercard account at a different bank. In fact, sometimes a password reset by answering a bunch of personal questions is easier than brute forcing.

    Ask yourself this: how many login attempts does your bank allow before locking your account? If it’s five, your password only has to be complicated enough that it can’t be guessed in five attempts. Forcing anything more complicated is just theatrics to make you feel more secure.

