Nearly a decade ago, the Federal Financial Institutions Examination Council told banks that passwords are not enough to guard financial data, and many companies scrambled to evaluate new and sometimes bizarre alternatives.
But most of the changes that took place were behind the scenes, such as adding device identification and geolocation to determine if customers are connecting from a known computer; banks still required consumers and businesses to pick a password. And as the recent Sony hack has shown, passwords remain a juicy target for fraudsters.
"All of the banks we spoke with want to see passwords go away tomorrow, but they know it is not going to happen," said Al Pascual, senior analyst for Javelin Strategy & Research. "There is still a considerable amount of time for criminals to attack accounts through passwords."
Just as the financial industry is working to implement changes that will address the weaknesses of magnetic-stripe cards at the point of sale, it is working on new initiatives that will make it possible to phase out passwords. These include efforts from the Fast Identity Online Alliance and the major card networks.
As a result of these and other technologies, large financial organizations are likely to drop passwords for mobile channels in the next five years, followed by dropping online passwords, Pascual said.
Bank policies that recommend unique passwords that customers can remember without writing them down are counterproductive because consumers tire of trying to remember as many as 50 different passwords across sites and ultimately resort to reusing the same ones or variations of them, Pascual said.
Pascual and Javelin CEO Jim Van Dyke co-authored Javelin's latest research on identity fraud, for which the firm surveyed more than 5,600 U.S. adults and studied the public-facing password policies of six financial institutions and four consumer-oriented non-banking websites. In addition, the authors interviewed several financial industry fraud and security executives.
Password policies are flawed because even an obviously weak password, such as Password123, meets the requirements of the many policies that call for an uppercase letter and numerals, Pascual said.
"These rules generally detract from the security of an account, rather than add to it," Pascual added. Banks try to enforce policies that are more rigid than those for Amazon or Facebook, Pascual said, but they establish requirements without giving customers the tools to help them comply.
As long as the password remains a requirement, banks should educate customers about secure password creation and management, including recall mechanisms for the passwords that secure online financial accounts, the report recommends.
Two-factor authentication is superior to traditional passwords and should be used whenever possible, the report said.
"Criminals use blacklists of passwords they have stolen and run them on hundreds of sites, trying to gain access," Pascual said. Banks should prohibit the use of common words by instituting their own blacklist. Essentially, a policy could prohibit use of any words in a dictionary, Pascual advised.
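As an added illustration (not code from the article or from Javelin's report), the following Python contrasts the composition rules the article criticises with the blacklist check Pascual recommends: Password123 satisfies the uppercase-plus-digit rule, but a blacklist that normalises the common "word plus trailing digits" pattern rejects it. The blocklist entries and the normalisation rules are constructed assumptions, not a real breached-password list.

```python
"""Added example: composition rules vs. a normalising blacklist check."""
import re

# Constructed sample blocklist; a real deployment would load a large
# breached-password or dictionary list here instead.
BLOCKLIST = {"password", "letmein", "welcome", "qwerty", "baseball"}

# Common letter/digit and symbol substitutions, undone before comparing.
_LEET = str.maketrans("013457@$", "oleastas")


def meets_composition_rules(pw: str, min_len: int = 8) -> bool:
    """Typical bank rule set: minimum length, one uppercase letter, one digit.
    'Password123' passes this, which is the weakness the article describes."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def normalise(pw: str) -> str:
    """Reduce a password to its base word: case-fold, strip trailing digits
    and punctuation, then undo leet substitutions.
    'Password123' -> 'password', 'P@ssw0rd!' -> 'password'."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop 'Password123' -> 'password'
    return base.translate(_LEET)            # 'p@ssw0rd' -> 'password'


def on_blocklist(pw: str, blocklist=BLOCKLIST) -> bool:
    """True when the normalised password is a blacklisted word."""
    return normalise(pw) in blocklist


def evaluate(pw: str) -> dict:
    """Run both checks; a password is accepted only if it passes the
    composition rules AND is not a disguised blacklisted word."""
    composition_ok = meets_composition_rules(pw)
    blocklisted = on_blocklist(pw)
    return {
        "composition_ok": composition_ok,
        "blocklisted": blocklisted,
        "accepted": composition_ok and not blocklisted,
    }


if __name__ == "__main__":
    for candidate in ("Password123", "P@ssw0rd!", "Welcome2024", "Tr0ub4dor&3"):
        print(candidate, evaluate(candidate))
```

The normalisation only catches the simplest mangling (case, trailing digits, leet swaps); it is a floor for a blacklist, not a substitute for checking against a full breached-password list.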
Customers don't like being forced to update their passwords, but it is an approach that reduces the chance that compromised passwords from one website can be used to access accounts on other sites.
Using a password cipher, a formula for deriving a unique password for every site, can help customers create stronger passwords, Pascual said.
"You remember the formula and remember passwords," he added. "It's a pretty easy system with a little bit of experience."