Banks failing with password management, but why?
A recent study shows some terrifying results: banks in the U.S. often have less secure password policies in place than do social media websites. Specifically, the study found that 35 percent of the test group appear to have a significant weakness in their password policies used by their customers to access their accounts and manage their money.
The list of banks mentioned are highly known and possess assets in the billions of dollars, meaning they are not small organizations with budgets lacking the ability to create or enforce much stronger policies or the use of technology to secure user accounts.
Password policies
Password management can be hard to manage, and trends often run deep. Password requirements mandated for customer use may translate to the same rules that internal users – bank employees – must follow. Thus, if these password policies are used by some of the world’s biggest banks for their customers there’s a very good chance that these policies are the same for employees; these organizations likely do not require highly secure methods for password security throughout the back end of their organizations if such flimsy requirements are used on the front end.
What do bank leaders or those in other organizations in other industries think when they read something like this? They might suggest: “Why don’t the banks just increase the complexity for each password?” While increasing password complexity can improve security, of course, but doing so can also lead to other issues if this type of policy is the only ones implemented.
One of the issues that banks face is that even while they want to ensure security of their systems they also do not want to make these processes inefficient or time consuming for employees. Bank employees are working either in person or on the phone with customers who need quick service. For example, at one bank in the U.S., employees log into anywhere from between three and 10 applications each day.
Each of these applications require different passwords that contain differing complexity rules, which are nearly impossible for employees to remember. Because of these issues, problems often arise, leading to security problems because employees frequently write down their access credentials on a piece of paper, posting them near their workstation, an obvious and major security issue.
Advancements
As the password landscape has changed, there have been advancements in password management to ensure security while also not interfering with employee efficiency. This is achieved by reducing the number of passwords that a user must manage, usually through the use of single sign-on (SSO) solutions that work seamlessly with all applications that a bank employs, both in house and in the cloud. This simple solution allows employees to have a single set of complex credentials they can use to access all their applications across the entire network, not only improving efficiency, but enhancing security, too, by drastically reducing the need to write down or remember countless credentials.
The next step would be to increase the security of this single set of credentials. Since the employees do not have to remember multiple sets of complex credentials, that single set can now be made more complex without comprising security.
Password complexity solutions can be paired with single sign-on allowing the organization to create its own complexity rules and not just follow the Windows pre-established guidelines. For example, organizations can require a certain length and symbols be used, while preventing sequences. The user can then easily see if they met the password requirements with whatever password they choose; this process also can be rolled out to customer users, too.
If bank leadership wants to go one step further with security, a two-factor authentication solution can be implemented. Doing so, then, requires that the employee uses something they own, as well as something that they know, to verify their identities to access internal information, improving security.
These password protocols should be used across the entire organization for both in house employees as well as customers logging into the banks systems to manage their accounts. By ensuring the employees are using one single set of secure credentials security is drastically increased. These solutions also ensure additional efficiency for bank employees as these solutions don’t interfere with customer service and, if anything, improve it.