Tag: twit

BB&T Bank Passwords

Posted by – October 20, 2008

I just happened to change the password on my online banking recently. I found out that Branch Banking and Trust (BB&T) limits passwords to a maximum of 12 characters, does not allow any special characters such as an exclamation point, and treats passwords as not case sensitive. Screenshots of the online banking interface are below.

New password screen for BBT

Error page for BBT Online Banking

Putting such restrictive limits on passwords seems to be very common. Multiple listeners of Security Now! have written in saying that their bank also has poor password policies, mostly due to legacy requirements or compatibility with disparate systems.

Security Now! 162

Leo: Good luck. Jon Kuhn in Ann Arbor, Michigan has discovered that Wells Fargo is in bad company. Oh, boy. After hearing about Wells Fargo on the Security Now! podcast, I decided to try out all of my GRC Perfect Password-derived passwords, all of them alphanumeric with upper and lower case. I found that Chase, Citibank, Vanguard, and my credit union all have non-case-sensitive passwords. Just thought you might find that interesting.

Steve: So Wells Fargo is sharing the doghouse with these other people. But given that they’ve got lockout provisions, and I imagine that our listeners may now be curious to poke at their – deliberately log in incorrectly and see what it takes, verify in fact that anyone trying to guess their passwords will be shut down very quickly and then have to go through the extra reauthenticating hoop-jumping in order to get their account reactivated. Which, again, it certainly does mitigate the problem of passwords being non-case sensitive.
Leo: There’s got to be a reason they’re doing this. Is it possible that some older computers or older…
Steve: Matter of fact, if you keep reading, we will come to the reason.
Leo: Ah. I like it. I like it. Steve is always way ahead of me. Brent McLaren in Ajax, which is near Toronto in Ontario, Canada, brings up a very good point. It’s a point about case-insensitive banking passwords.
Steve: Speak of the devil.
Leo: He says: Hi, Steve. Been listening to Security Now! since Episode 1. I really enjoy the show. Me, too. Even though I work in IT and spend my days working with security and networking technology, I’ve found your insight and ability to explain complex topics very valuable. So I just wanted to pipe in on the topic of case insensitivity for Wells Fargo’s online banking log-in. I know that for my bank the password used for online banking is shared with telephone banking. As a result the password has to be limited to alphanumeric passwords with no case sensitivity. It’s also limited to six characters. I believe this is one of those tradeoffs between security and usability that is necessary. Having separate passwords for the different channels would be beyond confusing to people. That’s a very good point.
Steve: Isn’t that a good point? I liked that because you could imagine trying to explain to somebody that you’ve got, you know, what a circumflex is or…
Leo: I don’t think there’s a circumflex on my phone. Yeah, you’re right.
Steve: Or the pound sign. What? Well, it’s that number sign, the thing, you know, I mean, so if passwords were really complex, it could be difficult for them to be used, the same password to be used, essentially repurposed through different venues with the same institution. And so it’s like, okay, that makes some sense. You could imagine that trying to explain your password over the phone to somebody could be a problem, much more so than you typing in some strange concoction with shift keys and so forth on your keyboard.
Leo: And I actually remember that I got started in online banking with Bank of America in 1984 or something with phone banking. And so I think that probably it’s the same system it’s been all along. In fact, and this is what made me ask the question earlier, I remember it was almost a TTY the first time I started doing online banking. A black screen would come up with white letters on it, all uppercase. The menu structure would be, you know, type “1″ for this item, type “2.” I mean, it was very primitive. And I bet you it’s the same back end.
Steve: It may very well be that they just stuck a web server on the front of it.

On a positive note, BB&T is slowly improving its security: my original password had only six characters, and the minimum is now eight. In the future there is the possibility of implementing two-factor authentication, because they recently launched BB&T Mobile and BB&T Alerts, both of which can interact with your phone via text messaging.

WKDZ Podcast!

Posted by – August 17, 2008

During November of 2007 I noticed that WKDZ Radio was posting MP3s of their morning/afternoon news programs. I was disappointed, though, when none of the RSS feeds on the WKDZ Audio Rack were useful podcast feeds. I emailed the contact person for the Audio Rack blog, and the response was simply that posting the MP3s was a new thing for the radio station and a podcast would be coming soon. Not quite a year later, I checked WKDZ again and found out they had had a feed going since at least the beginning of July.

Unfortunately, my tastes in podcasts are extremely limited. Seven of the ten podcasts I listen to come from TWiT.tv. It is not for lack of searching; I’ve tried NPR podcasts, Revision3, and a few others. I just seem to have a fixation for content from Leo Laporte and John C. Dvorak. Well, I listened to one installment of the WKDZ program, and it’s a winner for me.

Eric’s Top Ten *casts (Rough order of preference).

New Wave is tracking the Interwebs

Posted by – July 21, 2008

For several months I’ve been noticing splash advertising when a page I try to load is redirected elsewhere. The advertising itself was bad enough, but now New Wave Communications has announced they will be allowing people to opt in to be tracked. In exchange, customers will receive more “customized” advertising and maybe some service discounts provided by New Wave.

Simultaneously, Security Now! is running a series on the Phorm system for ISP-based advertising (SN149 – SN153).