RSS Subscribe
Using our live test accounts, we changed passwords then subsequently “forgot” the new one to test how major financial institutions handle the situation. Overall, most received good marks, although everyone has room for improvement.
Table 1
Password Scorecard
| Safe Practices | Yes | No | Unknown |
| Use a third password or challenge question | 1 | 13 |
|
| Disable Internet Explorer AutoComplete | 9 | 5 |
|
| Require 4 or more characters in passwords | 13 | 1 |
|
| Bank determines username | 6 | 8 |
|
| Require more than account number and social security number for online password reset | 4 | 4 | 6 |
| Send confirmation of password change to email address | 2 | 12 |
|
| Send confirmation of online password reset to email address | 2 | 6 | 6 |
| Send confirmation of password reset to mail address | 2 | 6 | 6 |
| Allow more than 3, but less than 11 unsuccessful password attempts* | 6 | 5 | 3 |
| Warn users in advance of account lockup | 3 | 11 |
|
Source: Online Banking Report, 4/03
*We believe users should have at least 5 login attempts, with clear instructions before and after lockout
Testing process
1. Login with existing username and password
2. Change password or username
3. Logout
4. Use online password reset if available
5. Attempt to log back in 10 times with an incorrect password
American Express
Password Scorecard
Grade: Needs improvement
Weaknesses:
(1) Browser AutoComplete function not disabled
(2) No email confirmation of password change
(3) Account lockout too quickly, after third login try
Password structure: User defined, 6 to 8 characters with at least 1 letter and 1 number
Username structure: 5 to 20 characters with
at least 1 letter
Second password/challenge: No
IE 6 AutoComplete disabled: No
Online password change: Yes, with old password
Email confirmation of password change/reset: No
Online password reset: Yes, with card number, 4-digit card ID (on face of card), work phone number, last 4 digits of soc, and 5-digit zip code
Account lockout with excessive login attempts: Yes, after third attempt; red warning issued after attempt two
Online username retrieval: Depends, certain accounts can retrieve their username online, others must call; we were in the latter group so could not test this feature
AutoComplete is not disabled on the login screen.
User friendly: American Express warns users after their second unsuccessful login that they will be locked out after one more attempt.
Password reset, step 1: Enter userid, card number, and 4-digit code from back.
Password reset, step 2:
Enter personal info for authentication.
Bank of America Credit Card
Password Scorecard
Grade: Good
Weakness: No email confirmation of password change
Username structure: User defined, 9 to 20 numbers
Password structure: 4 to 7 characters; cannot repeat 4 or more in same sequence as username; cannot be same character repeated
Second password/challenge: No
IE 6 AutoComplete disabled: Yes
Online password change: Yes, with old password
Online password reset: No, must call
Email confirmation of password change/reset: No
Account lockout with excessive login attempts:
Yes, after 4 attempts; help section carries clear warning
Online username retrieval: No
BofA provides a helpful popup screen with each unsuccessful password attempt.
Centura Bank
Password Scorecard
Grade: Fair
Weaknesses:
(1) No email confirmation of password change
(2) No warning of account lockout
(3) No customer service link or HELP available from login screen
Username structure: Social security number (with dashes)
Password structure: 6 to 15 characters
Second password/challenge: No
IE 6 AutoComplete disabled: Yes
Password change: Online with old password; but neglected to provide an on-screen confirmation that the change occurred, an annoying usability flaw
Online password reset: No, must call; password sent via postal mail
Email confirmation of password change/reset: No
Account lockout with excessive login attempts:
Yes, after sixth unsuccessful attempt; no prior warning
Online username retrieval: Unnecessary (SSN)
Centura had the best login screen “security look and feel.” It also provides a link to disclosures, but not a single mention of customer service or online help, even after making an unsuccessful login attempt. Evidently the bank’s lawyers have been through the site, but where’s customer service?
Charter One Bank
Password Scorecard
Grade: Needs improvement
Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No warning prior to account lockout
(4) No message after account lockout
(5) A bit too easy to gain read-only account access for new users; requires account number and social security number. However there is a crucial safeguard for bill payment which requires mother’s maiden name, date of birth, home phone number, and a 2-day waiting period.
Username structure: Social security number
Password structure: Must be at least 6 characters
Second password/challenge: No
IE 6 AutoComplete disabled: No
Online password change: Yes, with old password
Online password reset: No, must call
Email confirmation of password change/reset: No
Account lockout with excessive login attempts:
Yes, not sure when it happens, sometime before the tenth attempt; the bank does not provide a warning of impending lockout, nor does it let you know after you’ve been locked out, you only receive a cryptic
error message.
Online username retrieval: Unnecessary (SSN)
AutoComplete has not been disabled
at account login.
New users enroll with social security number and account number. Note the excellent use of security graphics during enrollment.
Chase Bank
Password Scorecard
Grade: Good
Weaknesses:
(1) No email confirmation of password change
(2) No warning of upcoming account lockout
(3) No message after account lockout
Username structure: User defined, must include one number
Password structure: 6 to 10 characters, 1 of which must be a number
Second password/challenge: No
IE 6 AutoComplete disabled: Yes
Online password change: Yes, with old password
Online password reset: Yes, with name, account type, account number, social security number, and two user selected challenge questions
Email confirmation of password change/reset: No
Account lockout with excessive login attempts:
Yes, sometime during the first 10 attempts; no warning message and no indication when account is lockout out, a “try again” message just keeps repeating
Online username retrieval: Yes, displayed online after entering name, account type, account number, social security number
Chase is one of the few banks offering online retrieval of forgotten usernames. After correctly entering name, account number, and social security number, the username is displayed. At that point you can login if you know your password. If not, you can retrieve your password online by answering two previously selected challenge questions. This is great from a usability standpoint, but the bank should send a confirmation via email and/or snail mail.
To reset the password, users answer two
previously established challenge questions.
DeepGreen Bank
Password Scorecard
Grade: Needs improvement
Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No minimum password length, can be a single letter or the same as the username
(4) No warning before account lockout
(5) No message after account locked out
Username structure: User defined, can be all alpha
Password structure: 1 to 14 characters, can be the same as the username or a single character
Second password/challenge: No
IE 6 AutoComplete disabled: No
Online password change: Yes, with old password and mother’s maiden name
Online password reset: Yes, with social security number and mother’s maiden name
Email confirmation of password change/reset: No
Account lockout with excessive login attempts:
Yes, but not sure when because the lockout is not disclosed until the user attempts to login with correct username/password.
Online username retrieval: No, must call, then wait
7 to 10 days to receive in the mail
A common security vulnerability: Failure to disable IE 6’s AutoComplete function.
Everbank
Password Scorecard
Grade: Needs improvement
Weaknesses:
(1) AutoComplete not disabled
(2) No email confirmation of password reset, even though it can be reset with info available to an identity thief, SSN and mother’s maiden name
(3) No email or on-screen confirmation of p/w change
(4) No warning before account lockout
(5) No help on login screen for the memory challenged
Username structure: Initially set as social security # (with dashes); can be changed online one time; 8 to 24 characters, not similar to current username, not same as password, not offensive, at least 2 numbers and 2 alphas
Password structure: 8 to 16 characters with at least one number and one letter, not similar to username, not similar to prior password, not the same reading backward and forward
Second password/challenge: No
IE 6 AutoComplete disabled: No
Password change: Online with old password; no confirmation of the change provided on-screen
Email confirmation of password change/reset: No
Online password reset: No, must call; new temp password given over the phone after providing SSN, name, address, date of birth, and mother’s maiden name
Account lockout with excessive login attempts:
Yes, after fifth attempt, must call to reactivate; no warning prior to lockout
Online username retrieval: No, must call
Everbank provides no help at login for users that forget username or password, just a lengthy warning written by the lawyers.
First USA Credit Card (Bank One)
Password Scorecard
Grade: Fair
Weaknesses:
(1) No email confirmation of password/username change or reset; especially important given relative ease of resetting username/password
(2) No warning before account lockout
Username structure: User defined, 7 to 16 characters, case sensitive
Password structure: 7 to 32 characters, case sensitive, must have at least 1 number, may not use the same letters consecutively, cannot match username or social security number.
Second password/challenge: No
IE 6 AutoComplete disabled: Yes
Online password change: Yes, with old password
Online username change: Yes, with old password
Online password reset: Yes, with credit card #, social security #, signature panel code, and expiration date
Online username reset: Yes, with credit card number, social security number, signature panel code, and expiration date
Email confirmation of password or username change/reset: No
Account lockout with excessive login attempts: Yes, locked out after four attempts, no warning given
First USA is the only financial institution tested which allowed usernames to be reset online; nice for usability but a confirmation of the reset should be emailed and/or mailed to the cardholder.
Harris Direct (brokerage)
Password Scorecard
Grade: Good
Weakness:
(1) No email confirmation of password change (thought there is for password reset)
(2) Only 3 login attempts allowed before lockout (but can reset online relatively painlessly)
Username structure: User defined, 6 to 15 characters
Password structure: 6 to 8 characters
Second password/challenge: No
IE 6 AutoComplete disabled: Yes
Online password change: Yes, with old password
Online password reset: Yes, a new disguised password is emailed after entering username and birth date; the new password is a created from the account holder’s mother maiden name and social security number but is not disclosed in the email, e.g. the first 2 letter of mother’s maiden name plus last 4 digits of social security number.
Email confirmation of password change: No
Email confirmation of password reset: Yes, confirmation also sent via snail mail
Account lockout with excessive login attempts:
Yes, after third attempt, but can be reset online; no warning before lockout
Online username retrieval: No, must call
HarrisDirect allows online reset after your account has been locked out for excessive login attempts. It was the only company which emails a disguised new password when resetting. For good measure, they also mail an identical confirmation.
ING Direct
Password Scorecard
Grade: Excellent
Username structure: Account number
Password structure: 4-digit number (called PIN)
Second password/challenge: Yes, one of 5 user-specified questions asked at login (see below)
IE 6 password remember disabled: Yes
Online password change: Yes, with old password
Email confirmation of password change: Yes; confirmation also sent via postal mail
Online password reset: No, must call
Account lockout with excessive login attempts:
No (not in the first 10 attempts)
Online username retrieval: Unnecessary (acct #)
ING Direct is the only bank we know of using a challenge question at login. In addition to account number and password, one of these five rotating questions must be answered correctly:
-
first 4 digits of social security number
-
zip code of mailing address (first 5 digits)
-
birth year (4 digit)
-
last 3 digits of social security number
-
last 4 digits of social security number
We like the concept, but the implementation is weak. By simply refreshing the browser screen, the would-be thief can select which question to answer, one of which is zip code, which is trivial to ascertain.
PayPal
Password Scorecard
Grade: Fair
Weakness:
(1) AutoComplete not disabled on the password reset screen (it is disabled on login page)
(2) Username (email address) known to others
Username structure: Email address
Password structure: 8 to 24 characters case sensitive; recommended, but not required that it include upper and lowercase and at least one number or special character
Second password/challenge: No
IE 6 AutoComplete disabled: Varies; yes, on main login screen, no on password reset screen
Online password change: Yes, with old password
Online password reset: Yes, via email; must answer secret question via email link; if unable to access original email account the new password is sent via snail mail
Email confirmation of password change/reset: Yes
Account lockout with excessive login attempts:
Yes, after 10 unsuccessful attempts; a lockout warning appears after the seventh attempt
Online username retrieval: Not necessary since username is equal to email address
PayPal is one of the few financial companies using cookies to automatically insert usernames at login. The company has used this approach since inception, so they must feel that the improved usability more than compensates for the decrease in security.
PayPal’s online password reset process requires the user to have access to the email account registered with the service. If not, users answer one of four authentication questions (top screen) and the password is mailed to a one of the previously confirmed snail mail address (bottom screen).
PayPal explains after the seventh incorrect password attempt that you have 3 more tries before lockout. This is a far more reasonable approach than many banks’ three-strikes-and-you-are-out policy.
Schwab
Password Scorecard
Grade: Fair
Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too quickly, after 3 login attempts, but can be reset relatively easily online
Username structure: Account number or social security number
Password structure: 6 to 8 characters including at least one number BETWEEN the first and last characters; cannot match or be a subset of username
Second password/challenge: No
IE 6 AutoComplete disabled: Yes
Online password change: Yes, with old password
Online password reset: Yes, in one of two ways;
(a) If logging in with account number, you must provide social security number, date of birth, home phone number, and correctly pick a security in your account from a list of 10 choices including “none of the above”
(b) If logging in with a social security number, you must only provide the answer to the secret question.
Can also reset via automated phone system.
Email confirmation of password change/reset: No
Account lockout with excessive login attempts:
Yes, after 3 attempts; no warning prior to lockout
Online username retrieval: Not necessary (acct. # or soc. #)
Schwab’s unique password reset process requires the usual social security #, birth date, and telephone, plus users must correctly choose one of ten securities in the portfolio (including “none of the above”).
US Bank
Password Scorecard
Grade: Good
Weakness: No email confirmation of password change
Username structure: User defined, 8 to 24 characters
Password structure: 8 to 24 characters
Second password/challenge: No
IE AutoComplete disabled: Yes
Online password change: Yes, with old password
Online password reset: Yes, with ATM card number and ATM PIN; new password displayed online
Email confirmation of password change/reset: No
Account lockout with excessive login attempts:
Yes, after 6 attempts; can reset online or wait 24 hours; no prior warning
Online username retrieval: No, must call
Password change screen. Note the prominent placement of what happens next.
Forgotten password can be reset online with
ATM card number and PIN.
Wells Fargo
Password Scorecard
Grade: Good
Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too soon, after 3rd login try
Username structure: Social security number
Password structure: 5 to 8 characters
Second password/challenge: No
IE 6 AutoComplete disabled: Yes
Online password change: Yes, with old password
Online password reset: Yes, with statement account number and ATM PIN; those without an ATM PIN are directed to call customer service.
Email confirmation of password change/reset: No
Account lockout with excessive login attempts:
Yes, after 3 attempts; user redirected to online password reset page; no prior warning
Online username retrieval: Unnecessary (SSN)
Wells offers six options for where to go
immediately after login.
After three unsuccessful login attempts users are directed to reset their password, which can be done online with account number and PIN.
