Identity Security and Password Policies
In spite of security concerns, many users still choose passwords that are easy to guess, write down their passwords, and share them with others. They also re-use their passwords on multiple sites and use the same passwords on sites that do not house sensitive or personal information, (Social Media, Lifestyle), and ones that do, (Financial Services, E-mails, Retail Shopping) sites. This type of password usage makes the users’ identities much more vulnerable to theft and fraud.
There is, of course, another approach to password policy that would reduce concerns about guessable or shared passwords. Sites that house or provide access to sensitive personal or financial information could implement two-factor authentication. This would greatly reduce the sites’ vulnerability to password attacks, because without the one-time passcode, hackers could not access the accounts.
The National Institute of Standards and Technology (NIST) recommends different password strengths for Level 2 (user name and password only) authentication, depending on how long a user may keep a password before changing it and how long a user must wait after three failures before trying again. For example, if a web site’s policy is to permit re-try after one minute and to allow users to keep their passwords for five years, a password would need 37 bits of “guessing entropy” to qualify as Level 2. However, if a password must be changed every 90 days and a user must wait a full day before trying to log in after three failures, a 22-bit password would provide Level 2 assurance level.
Since many sites allow e-mail addresses as user names, the only thing between the attacker and account compromise is the password.
Recent studies on passwords have found that password strength varies for different types of sites. Median password policy strength for dot-com sites is 19.9 bits, 31 bits for banks and other financial institutions, 43.7 for dot-edu sites, and 47.6 for dot-gov sites. Dot-com sites often have less sensitive information to protect and want to keep usability high, so they do not need login complexity. Banks, dot-edu, and dot-gov sites, have much sensitive information to protect and often must meet regulatory requirements for more complex passwords.
Low-hassle out of band two-factor authentication is the best practice for the sensitive information kept inside financial institutions. How are you protecting your customers from themselves?
If you want to learn more about two factor authentication and other fraud solutions, let us know.
Recommended For You
Online consumers can make their purchase with various payment options, like credit card, Apple Pay or PayPal. As a result, […]
A Two-step Authentication Approach Consumers are always on the go, using digital devices to make purchases, check account balances and […]
As an HR professional, it’s your priority to protect employee data. You may not realize it, but responding to employment […]
On February 9, 2016, the President implemented the Cybersecurity National Action Plan (CNAP) designed “to enhance cybersecurity awareness and protections, protect […]