With many US banks, what you see in your password field may not be what you get.
That’s according to recent research by student researchers at the University of New Haven’s Cyber Forensic Research and Education Group (UNHcFREG).
The study’s developers created a fairly simple test: Are the financial institutions’ passwords case-sensitive? Eleven US banks passed their test. Six failed.
In other words, MyPass2015, mypass2015 and myPAss2015 are all treated as if you’d typed MYPASS2015.
With 10-character passwords, the total number of different possible passwords, known as the password space, shrinks. If you choose 10 characters from A-Z, a-z and 0-9, you have 62 × 62 × 62 … × 62 (62^10) possibilities. But with only A-Z and 0-9, it’s 36^10, about 250 times fewer.
That may not sound terribly significant, but it does mean that the password you type isn’t actually the password that’s used, and isn’t quite as strong, which gives rather a false sense of security.
The study’s authors found it tricky to query this matter with some of the banks:
…we attempted to contact the banks to inform them about this issue and tried to ask for a statement why they decided to pursue a weak password policy. It turned out that it is almost impossible to contact and notify them about a security issue – we couldn’t find any email address or phone number to report this security issue.
Working through regular bank hotlines, UNHcFREG found one institution unsure of how its own passwords actually worked:
One organization was adamant that they have a case-sensitive password policy, but our testing showed otherwise.
We can’t see the need for pre-conditioning passwords in this way, and we advise you not to do it, especially if you allow your users to enter a mixed-case password without any warning that it’s not actually the password they’ll be using in practice.
We suggest that if users are willing to put some additional complexity into their passwords, you welcome it!
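A worked illustration of the password-space arithmetic and of the "pre-conditioning" this post advises against, added here as an example and not part of the original article or of the UNHcFREG study. The names `WeakStore`, `HardenedStore` and `is_case_sensitive` are hypothetical: the weak store models a verifier that upper-cases the password before hashing it (so all case variants verify as the same password), the hardened store hashes exactly what the user typed, and the check at the end is the study's test run against your own verifier. The PBKDF2 settings are illustrative, not any bank's real policy.

```python
import hashlib
import hmac
import math
import os


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password over that alphabet."""
    return length * math.log2(alphabet_size)


def case_fold_penalty(length: int = 10) -> dict:
    """Compare A-Z, a-z, 0-9 (62 symbols) with the 36-symbol space that is left
    once the verifier folds case, as the post describes for 10-character passwords."""
    mixed, folded = keyspace(62, length), keyspace(36, length)
    return {
        "mixed_space": mixed,
        "folded_space": folded,
        "ratio": mixed / folded,  # roughly 230 for length 10
        "bits_lost": entropy_bits(62, length) - entropy_bits(36, length),
    }


# Illustrative KDF work factor (constructed for this example).
_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


class CredentialStore:
    """Salted-hash credential store. Subclasses decide how the typed password is
    pre-conditioned before hashing; the hardened form leaves it untouched."""

    @staticmethod
    def normalize(password: str) -> str:
        return password

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _derive(self.normalize(password), salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, digest = record
        # Constant-time comparison so timing does not leak how much of the digest matched.
        return hmac.compare_digest(_derive(self.normalize(password), salt), digest)


class WeakStore(CredentialStore):
    """Models the failing banks: every password is upper-cased before hashing,
    so MyPass2015, mypass2015 and myPAss2015 all verify as MYPASS2015."""

    @staticmethod
    def normalize(password: str) -> str:
        return password.upper()


class HardenedStore(CredentialStore):
    """Hashes exactly what the user typed; mixed case keeps its full value."""


def is_case_sensitive(store: CredentialStore, password: str = "MyPass2015") -> bool:
    """The study's check, run against your own verifier: register a mixed-case
    password and confirm that a differently-cased variant is rejected."""
    store.register("probe-user", password)
    variant = password.swapcase()
    return store.verify("probe-user", password) and not store.verify("probe-user", variant)


if __name__ == "__main__":
    stats = case_fold_penalty(10)
    print(f"62^10 / 36^10 = {stats['ratio']:.0f}x, {stats['bits_lost']:.1f} bits of entropy lost")
    print("WeakStore case-sensitive?    ", is_case_sensitive(WeakStore()))
    print("HardenedStore case-sensitive?", is_case_sensitive(HardenedStore()))
```

Run as a script it reports the roughly 230-fold shrink (just under 8 bits of entropy) and shows that the weak store accepts the swapped-case variant while the hardened store rejects it. The same `is_case_sensitive` probe is what you would point at a staging login endpoint to confirm that your own service does what its password policy claims, which is exactly the question one of the banks in the study could not answer about itself.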
(Oh, and please offer your users two-factor authentication as well if they’re going to be sharing important personal information with you.)