Why password rules don't matter for online banking

Tony Yoo

Many Australians would be familiar with the frustrations faced when setting passwords and passcodes for their online banking.

Is it not long enough? Is it too long? Do you need an uppercase letter? A punctuation mark? At least one digit? Why is it only four digits?

Incredibly, this annoyance and stress is all in vain, according to one cybersecurity expert.

"Arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter," Australian data breach expert Troy Hunt wrote on his blog on Wednesday.

"Let's keep pushing banks to do better, but not lose our minds about it in the process."

Financial institutions these days are well aware of their security responsibilities in handling people's money, and already have other measures in place that make painful password rules unnecessary.

Hunt listed five of these security features that make annoying password rules redundant:

Account lockout after failed login attempts

The original reason for forcing people to create passwords from a mix of upper and lower case letters, digits, punctuation and other unusual characters is simple.

It makes it harder for criminals to simply guess millions of character combinations until they hit the right one, an approach known as "brute force" hacking.

But banks these days automatically lock accounts after a certain number of failed attempts.

"They have to because there's money at stake... Yes, a 5-digit PIN only gives you 100,000 attempts, but you're only allowed two mistakes," said Hunt.

"As an attacker you're going to get very few bites at that cherry."

Westpac's policy on the number of incorrect password attempts before lockout.
(Image: Yahoo Finance screenshot of Westpac's website.)
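To make the arithmetic in Hunt's lockout point concrete, here is an added example (not code from the article or from Hunt's post) of a server-side PIN check with a per-account lockout. It assumes a constructed policy in which the third consecutive failure locks the account, and it shows that a blind sweep of the 100,000 possible 5-digit PINs is stopped after three tries.

```python
import hmac
from dataclasses import dataclass

# Constructed policy (an assumption chosen to match "only allowed two mistakes"):
# the third consecutive failure locks the account.
MAX_FAILURES = 3
PIN_LENGTH = 5
KEYSPACE = 10 ** PIN_LENGTH  # 100,000 possible 5-digit PINs


@dataclass
class Account:
    pin: str
    failures: int = 0
    locked: bool = False


class PinAuthenticator:
    """Illustrative PIN check with per-account lockout; hypothetical, not any bank's code."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def enrol(self, username: str, pin: str) -> None:
        self.accounts[username] = Account(pin=pin)

    def login(self, username: str, pin: str) -> str:
        account = self.accounts.get(username)
        if account is None:
            # Same answer as a wrong PIN, so the reply does not confirm the username exists.
            return "denied"
        if account.locked:
            # Once locked, nothing is compared: even the correct PIN is refused until reset.
            return "locked"
        # Constant-time comparison, so timing does not leak how many digits matched.
        if hmac.compare_digest(account.pin.encode(), pin.encode()):
            account.failures = 0
            return "ok"
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked = True
            return "locked"
        return "denied"


def guessing_success_probability(keyspace: int = KEYSPACE, attempts: int = MAX_FAILURES) -> float:
    """Best case for a blind guesser: at most `attempts` tries out of `keyspace` candidates."""
    return attempts / keyspace


def sweep_until_locked(auth: PinAuthenticator, username: str) -> tuple[str, int]:
    """Exercise the control: try PINs in order and report the outcome and tries consumed."""
    tries = 0
    for candidate in range(KEYSPACE):
        tries += 1
        result = auth.login(username, f"{candidate:0{PIN_LENGTH}d}")
        if result in ("ok", "locked"):
            return result, tries
    return "denied", tries
```

The lockout is the control that turns 100,000 candidates into a 3-in-100,000 chance; the trade-off a practitioner watches for is that the same mechanism lets someone lock a victim out by deliberately failing, which is why banks pair it with an unlock process.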

Hackers need to know username

The password is not the only information a potential thief needs to know. They also need your username.

And banks often won't let you choose your own username, which you might otherwise recycle from other sites.

"That's not to say there aren't ways of discovering someone's banking username, but it's a significantly higher barrier to entry than the typical 'spray and pray' account takeover attempts," said Hunt.

SMS authentication at certain stages

Many banks will ask for a code sent to the customer's phone via text message when the user asks to do certain tasks on online banking.

"For example, one of the banks I regularly use sends me a challenge via SMS whenever setting up a new payee," Hunt said.

While SMS as a security medium is far from hack-proof, requiring it on top of the online banking login adds a second check that it really is the customer using the system.

"What we're talking about now is not just needing to successfully authenticate to the bank, but also to prove control of a phone number at a key stage - and that will always be more secure than authentication alone."

Background security checks

Banks also run sophisticated security checks in the background that customers never see when they log into online banking.

MBNA tweet telling a customer that login is only the first line of security and that there are many other hidden security features.
(Image: Twitter/MBNA)

"You won't ever see a bank telling you how they do it, but those ‘hidden security features’ make a significant contribution to the bank's security posture," said Hunt.

"It goes well beyond merely string-matching credentials; there's all sorts of other environment, behavioural and heuristic patterns used to establish legitimacy."

Money back guarantee

This is not so much a security feature, but insurance.

Hunt said that some banks, like ING Australia, have a policy of returning any money lost by customers who are affected by a cyber-theft:

Screenshot of ING Australia online security guarantee.
(Image: Yahoo Finance screenshot of ING Australia website.)
