The Password Impasse

We each have dozens of online accounts, and let’s face it: Sometimes it’s just too hard to remember unique passwords for all of them. But security is important, so how can community banks help outsmart “password fatigue”?

By Colleen Morrison

“I get tired of remembering my username and passwords.” “It is up to the banks to make sure they protect your information.” Sound familiar?

A National Institute of Standards and Technology (NIST) study, published in the September/October 2016 issue of IEEE’s IT Professional, recorded these statements from participants, leading researchers to conclude that respondents had reached a “saturation point,” where security no longer is a priority.

This finding amplifies a growing conundrum for financial institutions: How can banks help customers protect themselves against cyberattacks when security measures—passwords in particular—induce a near-apathetic state?


This security exhaustion gives rise to “password fatigue,” which occurs when faced with an overabundance of passwords to remember, protect and use. In 2016, the average person had upward of 27 unique online accounts with passwords to manage, according to an Intel Security survey. “Password fatigue is a tough nut to crack,” says William Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center. “Consumers want to feel their information is protected, but they still want ease of use. So users select ‘easy’ passwords or use the same ones over and over. The result is that passwords no longer really protect information.”

When passwords, which in the past served as first-line security measures, no longer offer a safeguard, cybercriminals have the upper hand. The 2016 Norton Cyber Security Insights Report found that 35 percent of the global population uses at least one unprotected device. And criminals are taking advantage: The same research found that about 689 million people in 21 countries were victims of online crime in the past year.

Information overload

Despite regular reports of cyberattacks and the many password-specific security tips available, the average person’s behavior falls short of meeting recommendations. For example, the 2015 Norton report found that more than one-third (36 percent) of Americans who share passwords with others have shared the passwords to their banking accounts.

“In many instances, the hardest thing for banks to do is to protect our customers from themselves,” says Philip Picillo, head of the Treasury & Payment Solutions division of Webster Bank, a $26.1 billion-asset bank headquartered in Waterbury, Conn. “We strive to educate and storytell, but it’s hard to get customers to respond. They think, ‘It won’t happen to me; why should I worry about it?’”

“We have to use multiple solutions to foil the bad guys and keep investing in technology to stay one step ahead.”
—Larry Selnick, Webster Bank

According to Brian Stanton, cognitive scientist and coauthor of the NIST study, this behavior is an example of cognitive dissonance. He reasons that people, by nature of their wiring, have limited energy to devote to computer security. Stanton and his research partner, computer scientist Mary Theofanos, found that people have reached the stage where they can no longer process additional security information. So they use pretenses, like the rationale that cyberattacks won’t happen to them, to justify their inaction.

How to help your customers
If users have reached a point of no return with security fatigue, what can banks do to help them? They can implement three steps that lead to practical, near-term solutions but cast an eye toward emerging technologies. Here, we look at what this plan might comprise—and what might come after passwords.

1. Be specific and give examples
Larry Selnick, senior vice president and director of treasury and payment solutions consultative sales at Webster Bank, provides customers with an analogy to guide their security decisions. “I tell our customers that I carry three credit cards: two in one wallet and the other in a backup wallet. One card I only use for in-person purchases; one I use for online purchases; and the third is used only if one is stolen. This creates controls that help limit the impact if I get breached.”

2. Rethink password complexity
As they explore new solutions, banks should not assume that requiring longer or more complex passwords increases security. On the contrary, in 2011, the White House issued the National Strategy for Trusted Identities in Cyberspace, which concluded: “The complexity of this approach is a burden to individuals, and it encourages behavior—like the reuse of passwords—that makes online fraud and identity theft easier.”

New studies expand on this point, finding that relaxing password requirements may produce better results. Theofanos cites a soon-to-be-released report that recommends organizations move away from mandated complex password structures and instead allow users to choose the length of their passwords.

“We believe the system ought to provide other mitigations such as blacklists, secure hashed storage and rate throttling. You don’t need to put the security burden on the user,” she says.
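The three mitigations Theofanos names (a blocklist of known-bad passwords, salted slow hashing of stored credentials, and rate throttling of login attempts) map onto a small amount of server-side code. The Python below is an added illustration written for this article, not code from NIST, the article or any bank; the blocklist entries, the in-memory user store and the thresholds (an eight-character length floor, the PBKDF2 iteration count, five failures per 15-minute window) are constructed assumptions that a real deployment would replace with its own values.

```python
"""Server-side password mitigations: blocklist, salted hashing, rate throttling.

Added example, not code from the article or NIST. Blocklist entries, user
store and thresholds are constructed/assumed values for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample blocklist. A real deployment loads a large list of
# breached and commonly chosen passwords; these entries are illustrative.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8               # assumed policy: a length floor, no composition rules
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune upward for your hardware
MAX_FAILURES = 5             # assumed throttle: failed attempts allowed per window
WINDOW_SECONDS = 900         # assumed throttle window (15 minutes)

# Fixed salt used only to keep the timing of "unknown user" and
# "wrong password" responses similar; it never protects a real credential.
_DUMMY_SALT = b"\x00" * 16


@dataclass
class Record:
    salt: bytes
    digest: bytes
    failures: List[float] = field(default_factory=list)  # failed-attempt timestamps


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.

    Only a length floor and a blocklist are enforced: no required symbols,
    digits or forced rotation, matching the recommendation quoted above.
    """
    if len(password) < MIN_LENGTH:
        return "too short"
    if password.lower() in BLOCKLIST:
        return "commonly used or previously breached"
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(store: Dict[str, Record], username: str, password: str) -> bool:
    """Create an account; returns False when the password fails policy."""
    if check_policy(password) is not None:
        return False
    salt = os.urandom(16)  # per-user random salt
    store[username] = Record(salt=salt, digest=hash_password(password, salt))
    return True


def verify(store: Dict[str, Record], username: str, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'throttled'. `now` is injected for testability."""
    rec = store.get(username)
    if rec is None:
        hash_password(password, _DUMMY_SALT)  # spend comparable time, then deny
        return "denied"
    # Forget failures that have aged out of the window, then enforce the cap
    # before doing any expensive hashing.
    rec.failures = [t for t in rec.failures if now - t < WINDOW_SECONDS]
    if len(rec.failures) >= MAX_FAILURES:
        return "throttled"
    candidate = hash_password(password, rec.salt)
    if hmac.compare_digest(candidate, rec.digest):  # constant-time comparison
        rec.failures.clear()
        return "ok"
    rec.failures.append(now)
    return "denied"


if __name__ == "__main__":
    users: Dict[str, Record] = {}
    print(register(users, "alice", "password1"))                  # False: blocklisted
    print(register(users, "alice", "correct horse battery staple"))  # True
    print(verify(users, "alice", "wrong guess", 1000.0))          # denied
```

The throttle check runs before the hash so that an attacker who is already locked out cannot make the server burn CPU, and the per-user failure list resets on a successful login so legitimate users who mistype a few times are not penalised for long.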

3. Move beyond passwords
Banks are attempting to strengthen systems as they pilot technologies from eye scans and voice recognition to geolocation and beyond (see “What comes after passwords?” opposite). Financial industry service providers are expanding authentication solutions to allow banks of all sizes to move from a model that makes users do all the legwork to one that makes them more passive participants.

“The mantra around here is to make it easy for the users to do the right thing,” says Theofanos. “Make it hard for them to do the wrong thing. Help the users to make good choices that help them protect themselves.”

The bottom line? Community banks must plan for the worst-case scenario, assuming their customers’ password fatigue has led to unsafe security practices. Then they can direct their customers to safer environments by leveraging forward-looking solutions—like multifactor authentication and out-of-band verification—while exploring a better future, one that takes the work out of the customer’s hands.

Colleen Morrison is a writer in Virginia.