BID Daily Newsletter
January 13, 2015

The Burning Issue Of Password Safety

During 2007-2011, home structure fires killed an estimated 2,570 people and caused an average of 13,210 reported civilian (non-firefighter) injuries per year. That's according to data from the National Fire Protection Association (NFPA), which also reports that 3 out of 5 home fire deaths resulted from blazes in properties without working smoke alarms. Notably, the risk of dying in reported home structure fires is cut in half in homes with working smoke alarms, the advocacy group reports. It seems like a no-brainer to have one as smoke alarms play a critical role in helping to protect families from fire-related disasters.
Nowadays, it seems banks too are spending an inordinate amount of time putting out fires, though these are caused more by data security breaches than by the hotter variety. Various studies have shown that in a large number of cases, cyber thieves are gaining entry through weak or stolen passwords. Recently, Sony became the latest company in the hot seat after reports surfaced that it had stored thousands of passwords in a folder labeled "Password." We don't have verification, but if so - whoops.
We've written before about the importance of having strong passwords, but in light of recent events, we think the banking industry could use a refresher. Passwords are annoying: good ones can be difficult to remember, and they are even harder to keep track of. Consequently, people tend to pick passwords that are easy to remember and then reuse them for multiple applications. This is a really bad idea, but people are people, so what can really be done about it?
Consider a case in point: Trustwave performed an analysis to see how easily it could crack a sample of 626,718 passwords it collected during 2013 and early 2014. The security company was able to crack more than 50% of the passwords within the first few minutes of trying and ultimately recovered about 92% of the sample within 31 days. Passwords are still just too simple.
Eventually this password discussion may become a moot point. If and when advanced authentication tools such as biometrics really take off, the financial services industry's heavy reliance on passwords is likely to diminish. That is good, but we wonder what happens when someone steals your biometric identity.
The FIDO Alliance - an open industry consortium whose 150 or so members include major technology and financial services bellwethers such as Google, Samsung, Microsoft, Bank of America, Wells Fargo, Visa, Discover, MasterCard, and PayPal - continues to champion that goal. Recently the group published a set of technical specifications for password-free secure online communications called the Universal Authentication Framework (UAF) and the Universal 2nd Factor. In theory, these new standards ensure any app or website can depend on devices like a USB key or biometric data like fingerprints in order to authenticate users. The announcement is expected to open doors for a spate of additional product launches as well.
For its part, Apple (which is not a member of the consortium) already offers fingerprint scanning technology with its iPhone 6 and iPhone 6 Plus smartphones, so changes are happening.
Given these initiatives and others underway, we may well be a step closer to the death of passwords. However, for the foreseeable future they are still alive and kicking. At least for now, banks should continue to focus on password safety to help keep their reputations from going up in flames.