How paranoid should an online banking customer be? More paranoid than you think.

“Your piece on password security interested me,” writes Mark. “As a network administrator with a part-time computer consulting and repair business, I see every day how hard the black hats are working to steal from honest people. Most of my repair work anymore is removing bots and Trojans, and I sometimes suspect that 90 percent of the computers in use are pwned and we just don’t know it.

“The last part of your article, on how Steve has changed all his passwords to 14-digit, computer-generated strings, caught my attention. I have switched to using passphrases rather than passwords. They’re easier to remember and generally longer than 14 characters. But why do the most important Web sites I use prevent me from using a secure password? My bank, for example, limits password length to six characters. The state Web site where I am required to file my sales tax limits me to eight characters and prohibits punctuation! I want to be paranoid, and they won’t let me. Why?”

Great question, Mark. I asked some security experts for an answer.

When it comes to password length, the answer is, initially anyway, a technical one. “Most banks,” explains John Kindervag, senior analyst in security and risk management at Forrester Research, “use Unix mainframes, and the original software on those was designed to support only six characters. It is a very large development effort to take that password beyond six characters. One of my clients spent 4,000 man hours to upgrade resources so they could support eight characters.”

But it is not just these legacy systems that cause a bank to leave log-in procedures as they are.
“This is a great example of an individual wanting more security than his bank is providing,” says Jon Brody, VP at strong-authentication company TriCipher, maker of MyOneLogin.com, a tool that logs you on to all your cloud accounts from one site. “Analysts have long advocated stronger methods of authentication. And there are a wide range of options available to banks. But they have steadfastly held onto the user name and password. The primary reason is that if they do something more complicated, it creates more calls to the help desk than the bank wants. No bank wants to make it harder for their users, even in the name of security, to get in than their competitors do because people do what is convenient before what is secure. It is the rare individual — Mark is one of those — who wants more security than the bank provides.”

Also, says Brody, “Passphrases are notoriously painful for organizations — and people — to manage.” People can’t remember them. They have to get all the punctuation and capitalization exactly right every time. “A passphrase usually ends up in a bunch of resets,” says Brody. “That is frustrating for the user.”

But even if banks could easily move to passphrases tomorrow, they probably wouldn’t. “If you look at what has happened in password cracking,” contends Kindervag, “I would say that no password that can be generated on a keyboard is completely safe at almost any key length. The longer it is, the longer it will take someone to do a brute force attack on it, but no password is secure enough.”

Increase your security factor

For real security, a password should be only one factor in a two-factor authentication system. Two-factor authentication combines two of: something you know (a password or passphrase), something you are (biometrics), and something you have (some sort of key). But most bank sites stop at that one factor.
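To make the length argument concrete, here is an added example (not code from the column or from any of the companies quoted) that models the two policies Mark complains about as hypothetical objects and computes the best-case entropy each one allows, alongside a 14-character random string and a five-word passphrase. The policies, the guess rate, and the 7,776-word list size are assumptions chosen for illustration; the point it shows is how much a six- or eight-character cap throws away, and that the state site would reject a passphrase outright.

```python
import math
import string
from dataclasses import dataclass

# Character classes a site may allow (ASCII printable, excluding space).
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
PUNCT = set(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints a site imposes on passwords (hypothetical policies below)."""
    name: str
    max_len: int
    allow_punct: bool = True

    def alphabet(self) -> set:
        chars = LOWER | UPPER | DIGITS
        if self.allow_punct:
            chars |= PUNCT
        return chars

    def accepts(self, password: str) -> bool:
        """True if the site would accept this password at all."""
        return 0 < len(password) <= self.max_len and set(password) <= self.alphabet()

    def max_entropy_bits(self) -> float:
        """Best-case entropy under this policy: max length, uniformly random characters."""
        return self.max_len * math.log2(len(self.alphabet()))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a word list."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole key space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# Constructed policies matching the limits Mark describes in the column.
BANK = PasswordPolicy("bank (6 chars max)", max_len=6)
STATE = PasswordPolicy("state tax site (8 chars, no punctuation)", max_len=8, allow_punct=False)
UNRESTRICTED_14 = PasswordPolicy("14-char random string", max_len=14)

if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate, guesses per second
    for policy in (BANK, STATE, UNRESTRICTED_14):
        bits = policy.max_entropy_bits()
        print(f"{policy.name:42s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.2e} years")
    bits = passphrase_entropy_bits(5, 7776)
    print(f"{'5-word passphrase (7776-word list)':42s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.2e} years")
    # The state site rejects a passphrase: too long, and spaces are not in its alphabet.
    print(STATE.accepts("correct horse battery staple"))
```

The entropy figures are upper bounds: they assume the user picks uniformly at random, which a six-character limit makes unlikely in practice, so real passwords under these policies are weaker still.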
“The bank lobby and the Financial Services Round Table have argued against two-factor authentication,” says Tom Kellermann, now vice president of security awareness at Core Security Technologies and commissioner and chair of the Threats Working Group on the Commission on Cyber Security for the 44th Presidency, and previously senior data risk management specialist for the World Bank Treasury Security team. “They have argued against it because of cost. Also they have argued that beyond the cost, consumers are not sophisticated enough for it. But it is mostly about cost.

“Anything you know,” says Kellermann, “whether passwords or even clicking on images, can be defeated by the modern Trojan horse because it takes screenshots of everything you’re doing.” What’s worse, he says, is that “the privacy policies at most of these banks state that if you lose your name and password, they aren’t liable.”

These privacy policies may be one reason banks feel one-factor authentication is good enough; the other is simply that no one is forcing the issue. “Why aren’t these same banks that provide two-factor authentication to clients in Singapore and South Korea,” asks Kellermann, “providing it here in the U.S.? Regulators haven’t enforced the issue. They have been building our vaults out of wood instead of steel.”

Even if your bank does offer two-factor authentication, that may not yet be good enough. Banks should also run regular penetration tests to confirm their systems can’t be broken into, and monitor customer behavior for unusual activity, such as emptying an entire account. “Banking systems need to have some sort of fraud detection software,” says Kindervag. Fraud detection software watches customer behavior and raises an alert when a customer does something out of the ordinary.
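As an added illustration of the behavioral monitoring described above (this is example code, not anything from the column or from Forrester), the following replays a constructed stream of withdrawals for one customer and applies two simple rules: one fires when a single transaction moves nearly the whole balance, the other when an amount is far above the customer's usual spending. The customer name, amounts, and both thresholds are made up for the example.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transaction:
    customer: str
    amount: float          # withdrawal or transfer amount
    balance_before: float  # account balance before this transaction


@dataclass(frozen=True)
class Alert:
    customer: str
    rule: str
    detail: str


DRAIN_FRACTION = 0.9   # assumed threshold: >= 90% of the balance in one transaction
SPIKE_MULTIPLIER = 10  # assumed threshold: >= 10x the customer's usual amount
MIN_HISTORY = 5        # past transactions needed before the spike rule applies


def check_transaction(tx: Transaction, history: list) -> list:
    """Return alerts for tx, given the customer's prior transaction amounts."""
    alerts = []
    # Rule 1: emptying (or nearly emptying) the account in one go.
    if tx.balance_before > 0 and tx.amount >= DRAIN_FRACTION * tx.balance_before:
        alerts.append(Alert(tx.customer, "account-drain",
                            f"{tx.amount:.2f} of {tx.balance_before:.2f}"))
    # Rule 2: an amount wildly out of line with this customer's own baseline.
    if len(history) >= MIN_HISTORY:
        usual = median(history)
        if usual > 0 and tx.amount >= SPIKE_MULTIPLIER * usual:
            alerts.append(Alert(tx.customer, "amount-spike",
                                f"{tx.amount:.2f} vs usual {usual:.2f}"))
    return alerts


def run_monitor(transactions: list) -> list:
    """Replay a transaction stream, building each customer's history as it goes."""
    history = {}
    alerts = []
    for tx in transactions:
        past = history.setdefault(tx.customer, [])
        alerts.extend(check_transaction(tx, past))
        past.append(tx.amount)
    return alerts


# Constructed sample stream: routine spending, then the account is emptied.
SAMPLE = [
    Transaction("mark", 42.10, 5000.00),
    Transaction("mark", 18.75, 4957.90),
    Transaction("mark", 60.00, 4939.15),
    Transaction("mark", 35.20, 4879.15),
    Transaction("mark", 51.00, 4843.95),
    Transaction("mark", 4792.95, 4792.95),  # drains the account
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE):
        print(f"ALERT {alert.customer}: {alert.rule} ({alert.detail})")
```

Only the final transaction trips either rule, and it trips both. A production system would add signals the column does not go into (new device, new destination account, transaction velocity) and would hold or step up authentication on the transaction rather than merely log it, so that the bank learns of the problem before the customer calls to say the account is empty.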
“In my experience, banks often find out that someone has got in fraudulently when a customer calls and says his bank account is empty.”

To be truly paranoid, Mark may need to shop for another bank: one with a privacy policy that doesn’t make him liable if someone hacks his account, and one that offers two-factor authentication. His new bank should also advertise that it does fraud detection and penetration testing on its own systems and on those of all third parties. “If you plan to bank online,” advises Kellermann, “regularly change your password — monthly — and frequently update your operating system and make sure it is as secure as possible.” And to outwit the hackers, he says, “change your mother’s maiden name on record with your bank to another password.” Your mother’s maiden name is the fifth identifier when you set up a line of credit — one thing hackers are after — and it is within your rights to go into your bank and change it.

Would Mark then be too paranoid? Probably not. “I do enough work in this town, D.C. that is,” says Kellermann, “to know we are losing this war.”

Got gripes? Send them to christina_tynan-wood@infoworld.com.