Silicon Shecky

Infosec Practitioner

Connect

The one about banking passwords…

By Leave a Comment

The world of cybersecurity understands the need for secure passwords. While passwords with special characters, numbers and both capital and lower case letters help make them more secure, length is a factor. These reasons, alongside with using unique passwords are why we recommend password managers. It has been a long running feud with sites to get them to allow some of these factors, especially Banking sites. The most common things they have issues with is long passwords and special characters, and some of this stems from legacy systems that might still be in production. Mainframes that do the actual work tend to have less secure requirements (I have seen this in many companies that have mainframe systems for specific things).

There is now another issue into the mix, and that is financial software. I recently was trying out Quicken, which I had used years before, to see if I could recommend it to someone I know after they had asked about it. My prior experiences with it had been positive, and I was glad to see that things looked pretty much the same, but updated and a bit easier to use. That was until I went to enter one financial institutions password to get transactions. Quicken itself has decided that you should use only up to a 12 character password (I use much longer ones), and will not work with longer passwords. Not only do they do this, but the error message puts the blame on the financial institutions, which is an outright lie.

When I talked to support they apologized and said there is nothing that can be done at this time to correct the issue. That is their choice, and I will tell the person who asked me about it, not to use it for security reasons at this time. What worries me is the every day person who will believe the lies coming from Quicken on this. The amount of breaches, and security of online accounts, especially financial, is awful, and many banking sites still have issues with MFA (and those that do have MFA force SMS and do not allow for authenticators or Hardware dongles). Having a third party dictate less secure passwords is wrong for overall security.

We have a difficult enough time with security, we do not need companies forcing us to be less secure than we need to be.