Since the dawn of computing typing passwords on a keyboard has been the standard way of ensuring secure access to IT systems.

But an article on today questions whether Google and Twitter have better password protection than some Canadian banks where we park our savings.

The social media sites demand users pick passwords with at least eight characters, upper and lower case letters, numbers and special symbols, notes Matthew Braga. But one bank allows a password as short as six characters with no special symbols or characters allowed. Some banks allow long passwords but the letters aren’t case sensitive.

Which raises the question of what’s a best practice for passwords if a bank is seemingly lax?

To be fair, as the article notes passwords aren’t a bank’s only security protection. They have sophisticated intrusion and fraud protection software. Sudden large withdrawals of cash will trigger suspicion — but what if it’s a modest $200 theft? What if it’s $200 a day for a week? A depositor’s only protection is the bank’s promise to reimburse for financial losses.

The Office of the Superintendent of Financial Institutions, which oversees banks, has not guidance for them on passwords.

Canadian banks told the author their systems are secure. Longer passwords wouldn’t offer more protection, one said.

We don’t know how secure bank passwords are because they won’t divulge how many frauds are password-related, said Avner Levin, associate professor in the law and business department at Ryerson University and director of its Privacy and Cybercrime Institute.
The question isn’t whether a six-character password is acceptable, he added, but whose responsibility it is if something goes wrong.

So far, he said, the banks couple easy passwords with taking full responsibility and willing to reimburse losses.

He would object, however, if Canadian banks start following the lead of several European financial institutions and move to a limited liability model, where customers are responsible for some money lost — like the deductable on car insurance.
Levin wouldn’t like to see that unless banks here increase access security.

Still, if six letters are enough for a bank, why not for Revenue Canada, health records, my stock broker?

The article also raises the question that if online two-factor authentication–is good enough for social media sites – optional on Twitter, Facebook and Google — why not for banks?

One reason, of course, is that they take time. Two-factor authentication for Twitter, for example, means when a user logs in Twitter sends a text message with a code to a mobile device. To complete the login the code has to be entered as well as a password. Great for social media where time isn’t important. But how many people will do that for access to their own money?

Few now. But wait until somone’s password is cracked.

Read the full article here