Password protection best practices for lending and risk management solutions
Across personal and professional platforms, bankers have experience with managing passwords to online services. Yet given the confidential nature of data often stored in web-based lending, credit risk and portfolio risk solutions, bankers have to pay special attention to potential weaknesses in password management.
This post aims to share general best practices that can be used to optimize security through password management and also to share how bank and credit unions that leverage Sageworks’ web based solutions use enhanced password functionalities to highlight their institution’s commitment to information security.
Managing Online Passwords
“Treat your password like your toothbrush….” advised American author Clifford Stoll; the point is to keep passwords to oneself and to change them out frequently. Stoll goes on to recommend changing passwords every six months, but best practice is to update passwords at least every 90 days. For some legacy systems, banks and credit unions may have shared logins that are used institution-wide, which runs counter to Stoll’s recommendation not to share passwords. Shared logins should be replaced with single-user access that allows for an audit trail and user-specific access levels, so the right people have access to the right functionalities and data but nothing more.
Even if users frequently update their passwords, the selected passwords also need to be strong or complex enough to prevent unauthorized access. Strong passwords typically include a minimum of eight characters, with a mix of upper and lowercase characters as well as numbers and special characters. Some weak password patterns to avoid include:
• Using the word “password” or other words found in a dictionary
• Using a series of the same number or character, like “11111”
• Relying on an easily guessed word or phrase such as the bank’s name or address
• Repeating the user’s username as the password
To strengthen passwords, some common best practices suggest exchanging numbers for similar letters or vice versa and combining short yet unrelated phrases (e.g., eAt42peN). The FFIEC provides similar recommendations within its policies for Authenticating e-Banking Customers as part of the IT Examination Handbook.
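The rules above can be enforced mechanically at password-change time. The following checker is an added example written for this post, not Sageworks code: it applies the eight-character minimum, the four character classes, and each of the weak patterns listed (dictionary words, runs of one repeated character, the institution’s name or address, and reuse of the username). The dictionary and institution word lists are constructed for the example; a real deployment would load a full dictionary and a breached-password list.

```python
import re
import string

# Constructed sample word lists for the example. A production checker would
# load a full dictionary and a list of known-breached passwords instead.
DICTIONARY_WORDS = {"password", "welcome", "banker", "summer", "letmein"}
# Hypothetical institution name/address tokens, lowercased.
INSTITUTION_TERMS = {"firstbank", "mainstreet"}


def password_weaknesses(password, username, institution_terms=INSTITUTION_TERMS):
    """Return a list of policy violations for a candidate password.

    An empty list means the password satisfies every rule described in the post.
    """
    problems = []
    lowered = password.lower()

    # Length and character-class requirements (minimum eight, mixed classes).
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    # "Password1!" is still the word "password": strip digits and punctuation
    # before the dictionary lookup so trivial decorations do not pass.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS:
        problems.append("contains a dictionary word")

    # Four or more identical characters in a row, e.g. "11111".
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeated character run")

    # The bank's name or address anywhere in the password.
    if any(term in lowered for term in institution_terms):
        problems.append("contains institution name or address")

    # The username, or the password being the username with decorations.
    if username and username.lower() in lowered:
        problems.append("reuses the username")

    return problems


if __name__ == "__main__":
    for candidate in ["eAt42peN", "Password1!", "11111111", "FirstBank#9", "jsmith"]:
        print(candidate, "->", password_weaknesses(candidate, "jsmith") or "ok")
```

The post’s own example, eAt42peN, passes every rule except the special-character check, which is the one requirement it lacks; adding a single punctuation character clears it.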
In addition to setting strong passwords and changing them frequently, best practices for managing passwords in lending and risk management platforms also dictate that users should create dedicated logins for different systems. The user’s workstation, email, voicemail, web-based programs and password-protected files would all use unique phrases to avoid unauthorized access in the event that one access point is compromised.
Even after strong passwords have been established, there are ways to ensure they are used securely. First, never share passwords via email. Phishing emails often come from individuals posing as support personnel who need access to the user’s credentials, so even if someone inside the institution is asking for access, it’s best to discuss it in person and verify that access is truly necessary.
Similarly, it is common for users to choose “Remember My Login” for programs or sites across the web, and while this saves time at login, it sacrifices security. If that machine (laptop, desktop, tablet or mobile device) is compromised, the saved usernames and passwords expose every password-protected program accessible from that workstation.
Managing Passwords within Sageworks
Keeping in mind these best practices, Sageworks offers banks and credit unions a number of enhanced features that ensure staff across the institution abide by the institution’s password administration policies.
The Sageworks Information Security and Product Development teams have built in the following capabilities that can be enabled for Sageworks’ solutions for banks and credit unions:
1. Password reset periods, e.g., every 90 days
2. Password challenge question and answers to increase security during password resets
3. Minimum character lengths for passwords in Sageworks
4. Minimum requirements for alphabetic, numeric and special characters
5. Password history requirements to prevent users from re-using previous passwords
6. Restrictions around the number of login attempts and enforced lock-out periods
7. Two-factor authentication using the Google Authenticator Application
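Items 1, 5 and 6 of the list above (reset period, password history and attempt lock-out) are straightforward to implement server-side. The following account model is an added example for this post, not Sageworks’ implementation; the policy values (90-day reset, five-password history, five attempts then a 15-minute lock-out) are constructed to match the post, and passwords are stored as salted PBKDF2 hashes so the history check never keeps plaintext. Time is passed in explicitly as Unix seconds so the behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import os

# Policy values constructed for the example (seconds).
RESET_PERIOD = 90 * 24 * 3600   # item 1: force a reset every 90 days
HISTORY_DEPTH = 5               # item 5: remember the last five hashes
MAX_ATTEMPTS = 5                # item 6: failures allowed before lock-out
LOCKOUT = 15 * 60               # item 6: lock-out length


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []        # list of (salt, digest), newest last
        self.changed_at = None   # Unix time of the last password change
        self.failures = 0
        self.locked_until = None
        self.set_password(password, now)

    def _matches_any(self, password, entries):
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in entries)

    def set_password(self, new_password, now):
        """Reject any of the last HISTORY_DEPTH passwords, then store the new one."""
        if self._matches_any(new_password, self.history):
            raise ValueError("password was used recently")
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now

    def password_expired(self, now):
        return now - self.changed_at >= RESET_PERIOD

    def login(self, password, now):
        """Return 'ok', 'expired', 'locked' or 'denied' for a login attempt."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), digest):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.failures = 0
                self.locked_until = now + LOCKOUT
                return "locked"
            return "denied"
        self.failures = 0
        self.locked_until = None
        return "expired" if self.password_expired(now) else "ok"


if __name__ == "__main__":
    t0 = 1_451_606_400  # constructed epoch value
    acct = Account("jsmith", "eAt42peN!", t0)
    print(acct.login("eAt42peN!", t0))                  # ok
    print(acct.login("eAt42peN!", t0 + RESET_PERIOD))   # expired
```

A correct password while the account is locked is still refused until the lock-out expires; that is what makes the limit effective against password guessing rather than merely slowing a legitimate user.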
With two-factor authentication, financial institutions can enforce an extra layer of password protection through which users are required to provide an additional piece of information to gain access to the platform. Along with a username and password, the user has to provide data that’s unique to them – typically a verification code that is provided to the contact information associated with that account.
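Google Authenticator, named in item 7, implements time-based one-time passwords (TOTP, RFC 6238): the server and the user’s phone share a secret at enrolment and each independently derives a six-digit code from the current 30-second time step, so the code is generated on the device rather than delivered to it. The verifier below is an added example written for this post, not Sageworks code; it accepts one step of clock drift either side, and the test secret is the RFC 4226/6238 reference value.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # Google Authenticator uses 30-second time steps
DIGITS = 6   # and six-digit codes


def encode_secret(raw):
    """Base32-encode a raw secret, the form shown to the user at enrolment."""
    return base64.b32encode(raw).decode().rstrip("=")


def hotp(secret, counter):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret, unix_time):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP)


def verify_code(secret_b32, submitted, unix_time=None, window=1):
    """Check a submitted code against the current step and `window` steps either side.

    The drift window tolerates small clock differences between phone and server;
    a constant-time comparison avoids leaking partial matches.
    """
    if unix_time is None:
        unix_time = int(time.time())
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


# Reference secret from the RFC test vectors, not a real enrolment secret.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(encode_secret(RFC_TEST_SECRET))          # what the QR code would carry
    print(totp(RFC_TEST_SECRET, 59))               # 287082 (RFC 6238 vector)
    print(verify_code(encode_secret(RFC_TEST_SECRET), "287082", 59))  # True
```

Because a code is valid for at most three steps, an intercepted code is useless within about a minute, and a server should additionally refuse to accept the same code twice within that window.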
Sageworks added two-factor authentication earlier in 2016 to continue providing clients with leading edge information security options.
To find out more about how Sageworks helps banks and credit unions proactively manage password policies, contact us at [email protected].