What today’s password threats mean for financial institutions

Nov 03, 2020

By David Rich and Krishna Mandava

Using a user ID and password as your only authentication control to protect access to your workstation and your financial institution’s network is no longer as secure as it once was. By and large, people struggle to come up with passwords that are secure from computerized password cracking tools.

It used to be very difficult to quickly run a brute force attack through all the possible combinations for an eight-character password. Back in 2000, it might have taken three years to hit on the correct one. However, since 2017, it’s taken about half a day to do the same work. For context, the recommendation back in the ’90s was that passwords of eight random characters, changed every three months, would keep you safe from brute force attacks.

The same cannot be said today. In 2000, a 10-character password might have taken 800 years to crack and a 15-character password billions of years. Today’s password crackers are specialized machines that can guess 100 trillion combinations per second. With this much computing power, they can crack that same eight-character password in a matter of seconds. However, the 15-character password still takes millions of years to be guessed.

Creating a complex, 15-character password with uppercase, lowercase, numbers and symbols could cause some of your financial institution employees to write it down on a sticky note because it isn’t easy to remember. This completely negates the idea of security, because the note could be picked up by anyone within the financial institution. This is where the argument for the passphrase comes in. This complex, 15-character password that you have to painfully type throughout your workday has a search space size of 4.68 × 10^29.

By contrast, a 22-character passphrase such as “welovesausagepizzabest” is much easier to remember and much easier to type because it has all lowercase letters, and in addition it has a search space size of 1.40 × 10^31. This will keep you safe from password crackers, even if you only change your password once or twice a year.
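The two search-space figures above, and the time needed to exhaust each at the 100 trillion guesses per second quoted earlier, can be reproduced with a short calculation. This is an added example, not part of the original article: the function names and the two complex sample passwords are constructed, the counting rule (every candidate of length 1 up to the password's length) is an assumption that reproduces the article's figures, and the model covers character-by-character exhaustive search only.

```python
import string

GUESSES_PER_SECOND = 100e12          # article's figure: 100 trillion guesses/second
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes; a cracker must cover a whole class once one member is used.
CLASSES = (
    string.ascii_lowercase,          # 26
    string.ascii_uppercase,          # 26
    string.digits,                   # 10
    string.punctuation + " ",        # 33 printable ASCII symbols, space included
)

def alphabet_size(password):
    """Size of the character set implied by the classes the password uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def search_space(alphabet, length):
    """Assumed counting rule: every candidate of length 1 through `length`."""
    return sum(alphabet ** n for n in range(1, length + 1))

def years_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate / SECONDS_PER_YEAR

def assess(password):
    """Alphabet, length, search space and worst-case years for one password."""
    size = alphabet_size(password)
    space = search_space(size, len(password))
    return {"alphabet": size, "length": len(password),
            "space": space, "years": years_to_exhaust(space)}

if __name__ == "__main__":
    samples = [
        "Tr7!pQ2#vL9@xZ4",           # constructed 15-character complex password
        "welovesausagepizzabest",    # the article's 22-character passphrase
        "aB3$fG7*",                  # constructed 8-character complex password
    ]
    for pw in samples:
        r = assess(pw)
        print(f"{r['length']:>2} chars, alphabet {r['alphabet']:>2}: "
              f"space {r['space']:.2e}, {r['years']:.3g} years to exhaust")
```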

This 22-character, lowercase passphrase idea is still new, and it is not without its own share of problems. For instance, many software programs do not support password lengths of 22 characters. Moreover, many regulatory bodies are still not comfortable with increasing password expirations to six months or a full year. 

Considering that your username and password are “what you know,” many financial institutions are leaning toward multi-factor authentication (MFA) to maintain security both during the workday and outside of the institution. MFA takes the “security in layers” approach and adds an additional layer, or authentication step — “what you have.” It requires a one-time PIN or code to be entered from a token; very commonly, the code is generated in an app on your smartphone or is texted to your smartphone. At this stage, even if the password is compromised, an attacker would also need access to the user’s phone or the hardware token. This greatly increases the strength and effectiveness of your authentication controls.
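How a server checks an app-generated code alongside the password can be sketched as follows. This is an added example, not part of the original article: it assumes the authenticator app implements time-based one-time passwords (TOTP, RFC 6238), which the article does not name, and the function names, the shared secret and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the counter, then truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_login(password_ok: bool, submitted_code: str, secret: bytes,
                 unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Require both factors; accept codes within `window` steps of clock drift."""
    counter = int(unix_time) // step
    code_ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(secret, counter + drift)
        # Constant-time comparison so response timing does not leak digits.
        code_ok |= hmac.compare_digest(expected.encode(), submitted_code.encode())
    return password_ok and code_ok

if __name__ == "__main__":
    secret = b"12345678901234567890"             # constructed secret (RFC test value)
    now = 59                                     # constructed timestamp
    code = totp(secret, now)
    print("code shown in app:", code)
    print("password + code:", verify_login(True, code, secret, now))
    print("stolen password, guessed code:", verify_login(True, "000000", secret, now))
    print("same code replayed 90 seconds later:", verify_login(True, code, secret, now + 90))
```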

Following the big Equifax breach in July 2017 — and countless other major breaches since — we have come to realize our passwords are not as secure or secret as they once were.

MFA and passphrases are two very good solutions. In its Cybersecurity Assessment Tool, the FFIEC has stated that MFA is a baseline requirement for any remote connection originating from outside a financial institution’s network. In years to come, we assume these eight-character passwords will be replaced with more secure passphrases and MFA will be configured on most systems.

Other than MFA, financial institutions should also consider implementing other up-and-coming security measures. Roaming profiles, proximity cards and biometrics appear to be a part of our move away from passwords in the foreseeable future. For example, many financial institution apps have begun to implement sign-on with fingerprints for both ease of access and increased security for customers and members on the go.

Data breaches are another example of the importance of password security in your financial institution. Every year Verizon releases a report that focuses on data breaches across 16 major industries, one of which is financial institutions. What makes this report unique is that it is written and presented in a way non-technical people can understand and relate to.

The report shows us that in 2020, for the 1,509 financial institutions that reported data, hacking was the number 1 action performed by the cyber criminals. There are three distinct groups included in the term “hacking,” one of which is: “Those utilizing stolen or brute-forced credentials.” In a shocking statistic, Verizon reports that of all hacking breaches reported, 80% involve brute force or the use of lost or stolen credentials. Verizon also reports that of all the cloud breaches that occurred in 2020, 77% of them involved breached credentials.

What do the bad guys do with these credentials? Verizon reports that denial of service attacks clearly top the charts in the financial industry. With 80% of bank transactions now performed through online banking, denial of service attacks are more detrimental than ever. This shows the real-world threat to financial institutions, and why it is very important for senior management and the IT department to have honest conversations with each other to discuss our authentication controls.

Learn more about securing your financial institution and bolstering password protection among your employees and financial institution-related apps on our web page.


David T. Rich
Master Consultant