In a study that examined the password strength required to access website accounts at Wells Fargo, Capital One and 15 other banks, researchers found that 35 percent had significant weaknesses in their password policies, according to the University of New Haven Cyber Forensic Research and Education Group.
The crux of UNH’s finding centers on the fact that all the banks in question had website password policies that do not differentiate between upper- and lower-case letters. That, according to the study, is the difference between a “strong” password and a less secure one. Tim Erlin, director of security and product management at Tripwire, has the following comments on it.
Tim Erlin, Director of Security and Product Management at Tripwire:
“Enforced policies around password strength are important, but are also only part of the overall set of security controls banks employ around authentication and authorization. While there may be value in strengthening these policies, it’s an oversimplification to claim that these policies constitute a meaningful weakness in bank security.
When researchers use the math surrounding theoretical password cracking to claim vulnerability, they often ignore the larger ecosystem of controls that an organization might employ, from simple account lockout to more complex fraud detection algorithms. Such measures are described by Wells Fargo as “additional security measures that may be activated in response to certain activities or events through our ongoing monitoring efforts.” All of these mechanisms combined provide a more complete picture of account security.
It’s important to remember that security isn’t the goal of a bank. Most banks are for-profit institutions, and all banks must remain solvent. It may be more effective for a bank to keep customers through ease of use at login while applying a myriad of additional controls behind the scenes. No doubt, if the economics of that arrangement change, the banks will adapt to maintain solvency.”
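The two technical points above, that folding case shrinks the password keyspace, and that an account lockout caps how much of that keyspace an online guesser can ever cover, can be put into numbers. The following is an added example written for this page; it is not code from the UNH study, from Tripwire, or from any bank. The character-class sizes (26 letters, 10 digits, 32 printable symbols), the 8-character minimum, the 5-failures-per-15-minutes lockout and the 10^9 guesses/second offline rate are all constructed assumptions chosen to illustrate the comparison, not figures taken from any bank's policy.

```python
"""Compare password keyspace under case-sensitive vs case-folded policies,
and contrast theoretical offline cracking with online guessing under lockout.
Added example; all policy parameters below are constructed assumptions."""
import math
from dataclasses import dataclass

# Constructed character-class sizes (ASCII letters/digits, common printable symbols).
LETTERS = 26
DIGITS = 10
SYMBOLS = 32
SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int          # minimum password length the site enforces
    case_sensitive: bool     # False models "upper and lower case treated the same"
    digits: bool = True
    symbols: bool = False

    def alphabet_size(self) -> int:
        """Distinct characters the site actually distinguishes."""
        size = LETTERS * (2 if self.case_sensitive else 1)
        if self.digits:
            size += DIGITS
        if self.symbols:
            size += SYMBOLS
        return size

    def keyspace(self) -> int:
        """Number of distinct minimum-length passwords the site can tell apart."""
        return self.alphabet_size() ** self.min_length

    def keyspace_bits(self) -> float:
        return math.log2(self.keyspace())


def bits_lost_to_case_folding(length: int, digits: bool = True, symbols: bool = False) -> float:
    """Entropy (bits) a case-folding site gives up compared to a case-sensitive one."""
    strong = PasswordPolicy(length, True, digits, symbols)
    weak = PasswordPolicy(length, False, digits, symbols)
    return strong.keyspace_bits() - weak.keyspace_bits()


def offline_exhaust_seconds(policy: PasswordPolicy, guesses_per_second: float) -> float:
    """The 'theoretical cracking math': time to try every password of minimum length
    if an attacker held the hash database and was not rate-limited at all."""
    return policy.keyspace() / guesses_per_second


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int        # failed logins allowed per account ...
    window_seconds: int      # ... within this window before the account locks

    def guesses_per_year(self) -> int:
        """Upper bound on online guesses against ONE account in a year."""
        windows = SECONDS_PER_YEAR // self.window_seconds
        return windows * self.max_failures


def online_coverage(policy: PasswordPolicy, lockout: LockoutPolicy, years: float = 1.0) -> float:
    """Fraction of the keyspace an online guesser could cover against one account,
    given the lockout. Compare this with the offline time to see why case folding
    matters far less when the only path is the login form."""
    return lockout.guesses_per_year() * years / policy.keyspace()


if __name__ == "__main__":
    folded = PasswordPolicy(min_length=8, case_sensitive=False)
    strict = PasswordPolicy(min_length=8, case_sensitive=True)
    lock = LockoutPolicy(max_failures=5, window_seconds=15 * 60)  # constructed
    print(f"bits lost to case folding at length 8: {bits_lost_to_case_folding(8):.2f}")
    for name, pol in (("case-folded", folded), ("case-sensitive", strict)):
        secs = offline_exhaust_seconds(pol, 1e9)
        print(f"{name}: offline exhaust at 1e9/s = {secs / 3600:.1f} h, "
              f"online coverage in 1 year with lockout = {online_coverage(pol, lock):.2e}")
```

The run shows the study's point (case folding costs a little over six bits at eight characters, cutting offline exhaustion from days to under an hour at the assumed rate) alongside Erlin's point (with even a modest lockout, an online guesser covers a negligible fraction of either keyspace in a year). Whether the lost bits matter therefore depends on whether the hash database itself is exposed, which is a question about the bank's other controls rather than its case-sensitivity rule.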
About Tripwire: Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context, and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.