I have an account with BMO Investorline from back when I dabbled in the stock market and got burned. I tried to log in to it the other day to change my address and discovered something disturbing.
When I first created the account, the password could be any length, so I chose a password which was 10 characters long. Apparently at some point since then BMO have changed their system so that passwords have to be six characters long. This is a disturbing trend that I’ve seen popping up in a few places, including where I work.
Fixed-length passwords are a bad idea for one very simple reason: they are easier to guess. The number of possible combinations of exactly six characters is much, much smaller than the number of possible combinations when the length can vary, because every extra character you allow multiplies the space an attacker has to search. Granted it’s still a fairly large number, but why not make it as large as possible?
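To put numbers on that, here is a small calculation I’ve added (not anything from BMO or the original post) that counts the keyspace of an exactly-six-character rule against a minimum-length rule, using the 94 printable ASCII characters as the assumed alphabet. The 12-character minimum and 64-character cap in compare_policies are my own assumed numbers for the comparison, not a policy quoted from anywhere:

```python
import math
import string

# Assumed character set: the 94 printable ASCII characters other than space.
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)


def fixed_length_keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def variable_length_keyspace(min_length, max_length, alphabet_size=ALPHABET_SIZE):
    """Distinct passwords whose length may be anything from min_length to max_length inclusive."""
    return sum(alphabet_size ** n for n in range(min_length, max_length + 1))


def keyspace_bits(count):
    """Keyspace size in bits: the work an exhaustive guesser faces, as a power of two."""
    return math.log2(count)


def meets_policy(password, min_length, max_length=None):
    """Length check for a password policy; max_length=None means no upper bound.

    Returns (accepted, reason). A fixed-length rule is min_length == max_length.
    """
    n = len(password)
    if n < min_length:
        return False, f"too short: {n} < {min_length}"
    if max_length is not None and n > max_length:
        return False, f"too long: {n} > {max_length}"
    return True, "ok"


def compare_policies():
    """Fixed six characters (the rule described in the post) versus an assumed
    minimum of 12 characters with an assumed cap of 64 for the arithmetic."""
    fixed = fixed_length_keyspace(6)
    flexible = variable_length_keyspace(12, 64)
    return {
        "fixed6_bits": keyspace_bits(fixed),
        "min12_bits": keyspace_bits(flexible),
        "ratio": flexible // fixed,
    }


if __name__ == "__main__":
    result = compare_policies()
    print(f"exactly 6 chars : {result['fixed6_bits']:.1f} bits")
    print(f"12 to 64 chars  : {result['min12_bits']:.1f} bits")
    print(f"original 10-char password: {keyspace_bits(fixed_length_keyspace(10)):.1f} bits")
    # The fixed rule rejects a perfectly good long password outright:
    print(meets_policy("correct horse battery staple", 6, 6))
    print(meets_policy("correct horse battery staple", 12))
```

The point the numbers make is that a cap hurts twice: it throws away the longer lengths, which is where almost all of the keyspace lives, and it forces everyone onto the same short length, so the attacker knows exactly where to look.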
So I called the bank to get my password reset. They asked me a bunch of security questions, which is good (although a determined cracker could probably find out the answers), but then they reset my password. They reset it to something very, very simple. Now I can only assume they use the same very simple password for all password resets, and I’m guessing they get more than a few password resets every day, so it’s probably a good password for those evil crackers to try.
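For contrast, this is the shape a reset should take, written here as an added illustration and not anything BMO or any real bank does: a temporary password that is random per reset, stored only as a digest, good for one use and a short time window, and abandoned after a handful of wrong attempts. The in-memory store, the 15-minute lifetime, the 16-character length and the 5-attempt limit are all my assumed values.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumed alphabet for temporary passwords: letters and digits, 62 symbols (~5.95 bits each).
TEMP_ALPHABET = string.ascii_letters + string.digits


def generate_temporary_password(length=16):
    """Cryptographically random temporary password, fresh for every reset (~95 bits at length 16)."""
    return "".join(secrets.choice(TEMP_ALPHABET) for _ in range(length))


def _digest(value):
    # A plain SHA-256 is adequate here because the value is long and random, so it cannot be
    # found by dictionary guessing; a user-chosen password would need a slow, salted hash.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class ResetStore:
    """Pending resets kept in memory (assumed for the example; a real system would persist them)."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        # account_id -> (digest of temporary password, expiry timestamp, failed attempts)
        self._pending = {}

    def issue(self, account_id):
        """Create a fresh temporary password for one account; reissuing replaces any earlier one."""
        temp = generate_temporary_password()
        self._pending[account_id] = (_digest(temp), self._clock() + self._ttl, 0)
        return temp  # handed to the customer once; only the digest is retained

    def redeem(self, account_id, candidate, max_attempts=5):
        """Check a submitted temporary password. True exactly once, and only before expiry."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if self._clock() > expiry:
            del self._pending[account_id]
            return False
        if hmac.compare_digest(digest, _digest(candidate)):
            del self._pending[account_id]  # single use: cannot be replayed
            return True
        attempts += 1
        if attempts >= max_attempts:
            del self._pending[account_id]  # too many misses: the customer has to call again
        else:
            self._pending[account_id] = (digest, expiry, attempts)
        return False


if __name__ == "__main__":
    store = ResetStore()
    temp = store.issue("acct-demo")   # constructed account id
    print("temporary password issued:", temp)
    print("wrong guess accepted?", store.redeem("acct-demo", "password1"))
    print("real one accepted?   ", store.redeem("acct-demo", temp))
    print("replay accepted?     ", store.redeem("acct-demo", temp))
```

Because every reset gets its own random value, knowing what one customer was given tells an attacker nothing about the next, which is exactly the property a shared "very simple" reset password lacks.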
I understand that banks are treading a fine line between making their online banking as user-friendly as possible while keeping it as secure as possible, but security has to come first. Always.