
SECURITY ARCHITECTURE INSIDER

Password management best practices for financial services firms


Tony Bradley, Contributor
06.10.2008
While there have been advances in authentication technologies, including biometrics and two-factor authentication mechanisms, the password remains the primary key for accessing the vast majority of systems and services. Many companies have stringent password policies and strictly enforce complex password requirements, but the stakes are arguably higher for firms in the financial services sector. This article looks at some of the requirements related to password security in the finance industry, and the effect those requirements have on password management.

Oversight and compliance
Businesses in general have come under increasing scrutiny to ensure they protect the interests of their shareholders, as well as their customers' personal and confidential information. Companies in the financial services sector also face additional oversight from various government agencies and must comply with mandates from a variety of sources.

For example, most financial institutions are subject to the mandates set forth in the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA), as well as the requirements of the Payment Card Industry Data Security Standard (PCI DSS). In addition, the Federal Financial Institutions Examination Council (FFIEC) is the interagency body that prescribes uniform examination standards for the federal agencies that supervise financial institutions, and it issues the guidance those agencies apply when they examine an institution's security controls. None of these sources dictates a password policy line by line, but because passwords are a primary component of data security, password management is still central to complying with all of them.

Managing passwords
There are some general password practices that should be followed by any business, financial or otherwise, in order to secure and protect network resources and data. Some of the primary considerations for managing passwords are detailed below, but this list is by no means comprehensive:

Define policy -- Any password-management policy should begin by defining password requirements. Passwords must be complex enough to provide adequate protection, and yet not so complex that they result in locked-out users or increased help desk calls.

Shared accounts -- In addition to password complexity, the policy should also require that no two users share a single user ID or password. When multiple users share an account, it is more difficult to maintain the confidentiality of the password, or determine who might be responsible when a security event occurs.

Secure storage -- A determined attacker who obtains the password file can crack even complex passwords given enough time and computing power. Access to the password store must therefore be restricted to the accounts and administrators that genuinely need it. Passwords should never be stored in plaintext, nor in a reversibly encrypted form that an administrator or an attacker holding the key could decrypt; store only a salted one-way hash computed with a deliberately slow function (PBKDF2, bcrypt or scrypt), so that a stolen file yields nothing directly and every guess costs the attacker real work.

Auditing -- The password management policy should take auditing requirements into account as well. The organization needs to be able to verify that passwords meet policy (length, composition, age, reuse) without ever seeing the passwords themselves; in practice that means enforcing the rules at the moment a password is set and checking stored metadata, such as the date of the last change, afterwards. In addition, there should be an audit trail of authentication events: which account, from where, at what time, and whether the attempt succeeded. The log must never contain the password or its hash. Those records provide the forensic evidence needed to reconstruct a compromise.
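As an added example that is not part of the original article, the following Python shows the storage practice described under Secure storage and the kind of audit trail described under Auditing. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count, the record format and the PasswordStore class are assumptions made for illustration, not anything the article or a particular product prescribes.

```python
import hashlib
import hmac
import os

# Added example, not code from the original article: salted, iterated one-way
# password hashing with PBKDF2-HMAC-SHA256, plus a minimal store that records
# authentication events without ever writing a secret to the log.
# ITERATIONS is an assumed work factor; tune it to the deployment's hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt per password means equal passwords get different records."""
    salt = os.urandom(SALT_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${_derive(password, salt, iterations).hex()}"


def parse_record(record: str):
    """Split a stored record into (iterations, salt, digest); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time; fail closed."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses a weaker work factor than current policy."""
    parsed = parse_record(record)
    return parsed is None or parsed[0] < iterations


# Hashed once at start-up so that a lookup of an unknown user costs the same
# as a real one and does not leak which account names exist.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


class PasswordStore:
    """Stand-in (assumed for this example) for the protected password file.
    Holds only hash records plus an audit trail of attempts with no secrets."""

    def __init__(self):
        self._records = {}
        self.audit_log = []  # one entry per attempt: user, source, success

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)

    def authenticate(self, user: str, password: str, source: str) -> bool:
        record = self._records.get(user, _DUMMY_RECORD)
        ok = verify_password(password, record) and user in self._records
        self.audit_log.append({"user": user, "source": source, "success": ok})
        if ok and needs_rehash(record):
            # Transparently upgrade the work factor on a successful login.
            self._records[user] = hash_password(password)
        return ok


if __name__ == "__main__":
    store = PasswordStore()
    store.register("jdoe", "correct horse battery staple")
    print(store.authenticate("jdoe", "correct horse battery staple", "10.0.0.5"))
    print(store.authenticate("jdoe", "wrong guess", "10.0.0.5"))
    for event in store.audit_log:
        print(event)
```

The record carries its own algorithm and iteration count, so the work factor can be raised later and old records upgraded on the next successful login rather than by forcing a reset. The audit entries contain the account, the source and the outcome only; neither the password nor its hash is ever logged.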


Password compliance
The general password-management considerations described above will help to protect data and network resources, but there are a couple of additional password requirements that apply specifically to the financial industry.

The PCI DSS requires any business that accepts, processes, transmits or stores payment card data to follow certain password rules. As with much of the PCI DSS, the rules are fairly logical and should be in place in most organizations anyway. Specifically, the version of the standard current when this was written requires passwords of at least seven characters containing both alphabetic and numeric characters, changed at least every 90 days; the mixed-case and special-character rules that many organizations add on top are internal policy rather than a PCI requirement. Later revisions of the standard have raised the minimum length, so check the version your assessor is working from rather than relying on these figures.
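As an added example that is not part of the original article, the Python below turns the PCI DSS minimums cited above into a set-time check and a rotation audit over stored account metadata, which is also the mechanism the Define policy and Auditing points above rely on. The PasswordPolicy structure, the stricter "internal-strict" profile and the sample account dates are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Added example (not from the original article): enforcing the PCI DSS password
# minimums the text cites and auditing stored account metadata against them.
# The "internal-strict" profile is a hypothetical corporate policy layered on
# top of the PCI baseline; it is not a PCI DSS rule.


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_age_days: int
    character_classes: dict = field(default_factory=dict)  # label -> regex that must match


PCI_BASELINE = PasswordPolicy(
    name="pci-dss-baseline",
    min_length=7,
    max_age_days=90,
    character_classes={"alphabetic": r"[A-Za-z]", "numeric": r"[0-9]"},
)

# Hypothetical stricter profile such as a firm might adopt above the PCI minimum.
INTERNAL_STRICT = PasswordPolicy(
    name="internal-strict",
    min_length=12,
    max_age_days=90,
    character_classes={
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "numeric": r"[0-9]",
        "special": r"[^A-Za-z0-9]",
    },
)


def password_violations(password: str, policy: PasswordPolicy) -> list:
    """Rules a candidate password breaks; an empty list means it may be set.
    Run at the moment the password is chosen, before it is hashed, so the
    stored form never has to be reversible for later policy checks."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < {policy.min_length}")
    for label, pattern in policy.character_classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {label} character")
    return problems


def rotation_audit(last_changed: dict, today: date, policy: PasswordPolicy) -> dict:
    """Accounts whose password age exceeds the policy, judged from metadata only.
    last_changed maps account name -> date the password was last set;
    the result maps each overdue account to its password age in days."""
    overdue = {}
    for account, changed in last_changed.items():
        age = (today - changed).days
        if age > policy.max_age_days:
            overdue[account] = age
    return overdue


# Constructed sample metadata for the audit; these are not real accounts.
SAMPLE_LAST_CHANGED = {
    "jdoe": date(2008, 1, 15),
    "svc-batch": date(2007, 6, 1),
    "mlee": date(2008, 5, 20),
}

if __name__ == "__main__":
    for candidate in ["abc123", "Summer2008", "Tr0ub4dor&3!x"]:
        print(candidate,
              password_violations(candidate, PCI_BASELINE),
              password_violations(candidate, INTERNAL_STRICT))
    print(rotation_audit(SAMPLE_LAST_CHANGED, date(2008, 6, 10), PCI_BASELINE))
```

Keeping the thresholds in a policy object rather than scattered literals matters here precisely because the standard's numbers change between revisions: raising the minimum length is a one-line change, and the same audit runs unchanged against the new profile.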

In addition, the FFIEC has concluded that weaknesses in single-factor authentication have been a root cause of many incidents of compromised accounts, identity theft and fraud. Its guidance on authentication in an Internet banking environment treats single-factor authentication, used as the only control, as inadequate for high-risk transactions such as accessing customer information or moving funds to third parties, and expects institutions to apply multifactor authentication, layered security or other compensating controls commensurate with the risk. The FFIEC does not specify any particular technology or product; it is the institution's own risk assessment that determines which combination of authentication methods provides adequate protection for customer data.

Summary
Companies in general are entrusted with a variety of sensitive information about their customers. Businesses in the finance sector are entrusted with information of the most private and confidential nature, and have an even greater burden to ensure it is protected. Passwords are the key to ensuring that only authorized users gain access to data, and regulatory mandates spell out requirements for how passwords should be managed and protected. Financial institutions need to ensure that their password policies are compliant with the regulations that apply to them, and, more importantly, that they ensure the integrity and confidentiality of the data entrusted to them.

About the author:
Tony Bradley is a CISSP, and a Microsoft MVP. He is a Director with Evangelyze, a Microsoft Gold Certified and Voice Premier Partner focused on unified communications technologies. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of Web and print publications, and has written or co-written eight books. In addition, Tony is the face of the About.com site for Internet / Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.


All Rights Reserved, Copyright 2008, TechTarget