These Banks Have a Weaker Password Policy than Social Media Sites
A recent study at the University of New Haven shows that six of seventeen US banks have weaker password policies than most social networking sites. The University of New Haven Cyber Forensics Research and Education Group investigated seventeen major US banks and found a prominent weakness in some of their password policies: they don’t enforce case-sensitive passwords. This means that when users enter their password to log in to an online bank account, any combination of upper- and lower-case letters is accepted. The access control mechanism treats the passwords BobIsAGreatGuy and bobisagreatguy as one and the same.
Not enforcing case sensitivity reduces the effective complexity of passwords. It also makes brute-force password cracking easier: a program tries candidate passwords for an account one after another, by trial and error, until it hits the right one, and a case-insensitive check shrinks the set it has to try. The banks identified in the study include Wells Fargo, Capital One, BB&T, Webster First Federal Credit Union, Chase Bank, and Citibank. Collectively, these banks serve over 350 million customers.
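To make the keyspace argument concrete, here is an added illustration (not code from the study or any of the banks) that models a case-folding password check beside a case-preserving one and counts how many variants of a password the weak check accepts. The password, the PBKDF2 parameters and the 42-character digit/symbol set are assumptions chosen for the example.

```python
import hashlib
import hmac
import math
import os

# Constructed illustration of the weak policy described in the article:
# the check behaves as if the password were case-folded before comparison.
def weak_verify(stored_password: str, attempt: str) -> bool:
    """Accepts any upper/lower-case variant of the stored password."""
    return stored_password.lower() == attempt.lower()

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Hardened form: salted PBKDF2 over the password exactly as typed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def strong_verify(salt: bytes, stored_digest: bytes, attempt: str) -> bool:
    """Case-preserving verification with a constant-time comparison."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(stored_digest, candidate)

def accepted_variants(password: str) -> int:
    """Distinct strings a case-insensitive check accepts for this password:
    every letter may be upper or lower case, so 2 ** (number of letters)."""
    return 2 ** sum(ch.isalpha() for ch in password)

def entropy_loss_bits(password: str) -> float:
    """Bits of search space the attacker no longer has to cover: one bit per letter."""
    return math.log2(accepted_variants(password))

def keyspace(length: int, case_sensitive: bool, digits_symbols: int = 42) -> int:
    """Candidates for a password of `length` drawn from letters (52 or 26) plus an
    assumed 10 digits and 32 printable symbols."""
    letters = 52 if case_sensitive else 26
    return (letters + digits_symbols) ** length

if __name__ == "__main__":
    salt, digest = hash_password("BobIsAGreatGuy")
    print(weak_verify("BobIsAGreatGuy", "bobisagreatguy"))   # True
    print(strong_verify(salt, digest, "bobisagreatguy"))      # False
    print(strong_verify(salt, digest, "BobIsAGreatGuy"))      # True
    print(accepted_variants("BobIsAGreatGuy"))                # 16384
    print(entropy_loss_bits("BobIsAGreatGuy"))                # 14.0
    print(keyspace(8, True) // keyspace(8, False))            # 13
```

The last line shows that for an eight-character password over letters, digits and symbols, the case-sensitive search space is more than an order of magnitude larger than the case-insensitive one.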
After discovering this lapse in password policy, the researchers attempted to contact the banks to investigate the issue. They found that “It is almost impossible to contact and notify them about a security issue – we couldn’t find any e-mail address or phone number to report this security issue.” They turned to the customer service contacts and found that one customer service representative wasn’t aware of the issue (and adamant they had a case-sensitive password policy), one was not aware of the existence of an IT department, and one simply said this was their policy without further explanation.
At least, most of the banks in question require users to include numbers and symbols in their passwords, which lets users add complexity on their own. As noted by a researcher, “One can easily argue that a bank account is way more important than a Twitter account,” referring to Twitter’s case-sensitive passwords. Your humble blogger would suggest that both are important and that, when possible, users should use a combination of letters, numbers, symbols, and lower- and uppercase characters in their passwords. And while recycling is great, never recycle your passwords across different websites.