Why do banks have terrible password policies?

Why do financial institutions not allow special characters in passwords? I changed one of those passwords recently and was told that special characters and spaces weren’t allowed, only characters and numbers. Special characters (you know, things like ! or @ or # or .) and spaces make a password much less susceptible to brute force attacks, increasing the brute force attack time manyfold. It’s possible that such a well-constructed password could remain untouched in thousands of years with a brute force attack, compared to months or years with just letters or numbers.

This is why people use the same basic letter and number password everywhere. Don’t believe me? Watch this.


That video contains over 25,000 passwords, one per frame, all gathered through some of the Sony Lulzsec hacks. I’m amazed at how many people use just ones and 123455 for their password. That kind of thing can be hacked instantly.

Change your password policy, banks. Let me swear like I’m in a %$#@ comic strip in my passwords.

To give credit to a bank that has less sucky password protection than others, ING makes you answer two security questions when you sign in with your customer account number. You answer five of the eight or so questions when you sign up. These questions would be even better if you could write your own, but it’s better than nothing. I recommend making these answers something you can remember since most of these questions are of the generic security question variety: mom’s maiden name, where’d you and your spouse meet, that kind of thing. You also choose a picture and a name for that picture when you sign up from a selection of images (nothing too exciting–mine’s an ice cream sundae) that shows up next to the PIN pad where you enter your PIN. If that image doesn’t show up when you enter your PIN, don’t enter it. Anyway, enter your PIN and you’re in. It’s less terrible, but I wish you could write your own security questions.

So how do you choose a good password? We’ve discussed this before, but don’t use anything that you can find in a dictionary, English or otherwise. This eliminates “password”, folks. Anything connected to you personally is bad, so don’t use your lover’s name either. That makes you open to social engineering attacks. Finally, make your password long but something you can type quickly. You don’t want someone to look over your shoulder while you’re typing.

Banks, I know you can do better than this. Get with the program. You’d protect your own money. Now protect your customers’ cash.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.