Billion Web Passwords Stolen by Russian Gang - Safety of Online Banking?


For those who have been worried about the safety of online banking, today’s news will only reinforce those worries. Yet another massive data breach has been uncovered. According to this New York Times article:

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

Another New York Times article provides steps people can take to stay safe. There’s currently no information on which websites have been affected, so the article recommends that people change their passwords on all websites that hold their financial or other sensitive information. The new passwords should be strong passwords that are unique to each website.

The article recommends using a password manager, a program that generates a unique password for each of your websites and stores them in a database protected by a master password that you create. Of course, the danger is that if that master password is compromised, all of your passwords are compromised with it. The risk of your master password being compromised may be higher than you think. Just recently, the password management company LastPass had a potential security breach which may have affected many of its users.

So if we can’t trust software tools to simplify password management, how can we maintain strong, unique passwords for all of our bank accounts? One method of creating a strong password that continues to be recommended is described by security expert Bruce Schneier on his website:

Combine a personally memorable sentence with some personally memorable tricks to modify that sentence into a password to create a lengthy password.

This is one example he provides (note: never use a published example as your own password).

WIw7,mstmsritt = When I was seven, my sister threw my stuffed rabbit in the toilet.

The problem I have is with websites that force us to change passwords after a certain period of time. Some banks force changes every 90 days or less. It’s not easy to keep thinking of new memorable sentences. It’s interesting to note that Schneier disagrees with the usefulness of regularly changing passwords:

Don't bother updating your password regularly. Sites that require 90-day—or whatever—password upgrades do more harm than good. Unless you think your password might be compromised, don't change it.

Unfortunately, we don’t have a choice in this matter with several banks. They require you to change your password after a certain period of time in order to keep access to your account. Many also require that the new password be substantially different from the last few passwords.

Finally, Schneier recommends using any two-factor authentication that your websites offer. Most banks now offer this. An example is a login process in which you receive a text or email containing a code that must then be entered during login in addition to your user name and password. You can typically configure this type of two-factor authentication to request the additional code only when you’re logging in from a different computer.

If you are one of those who still worry about online banking, you should not let today’s news scare you. Online banking has many benefits for consumers. By taking some reasonable precautions, you can keep banking online with very little risk of losing any of your money due to fraud.

Thanks to DA member Pearlbrown for first reporting on this news and NYT articles in the forum.

me1004 | Comment #1
Yes, I agree, constantly changing passwords makes it so even I can't access my account. I will not write down any password -- because I consider that a very serious security breach. But as such, I can't keep changing passwords and be expected to remember what it was changed to last month or two months ago, what with endless numbers of passwords for everything on the Web.

Two-step login is much better than changing passwords.

Gaelicwench | Comment #7
Changing passwords is one thing, but not being able to use up to three past passwords for some websites... I can understand the need for security, but speaking for myself, I find it rather daunting after a while.

It's all about staying one step ahead of the hackers... that is very challenging.

Anonymous | Comment #2
If a hacker can get to the password servers, the strong and unique passwords are irrelevant. You may have a million character password, if I can get to it, it means nothing.
Our password is intercepted when it leaves the password server to match the entered password at the bank site. That is the weakest point for passwords, not the passwords by themselves.
Unless that is addressed, this hacking will continue for a long time.

Anonymous | Comment #3
I agree, password length or complexity has nothing to do with security.
The passwords and user names are stored at secure sites, but eventually they have to be matched with our online entry; that is the weakest point for now.
Prepare for more hackings in the future. I will not change my passwords, it will not help at all because they are being intercepted on a minute by minute basis, every time you log on, with a new password or not.

Anonymous | Comment #4
And, everyone that conducts ebanking, ACH transfers, etc. must luv this thread!

alpha | Comment #8
Actually, no. It doesn't have anything to do with hackers breaking into servers, assuming that the server operators aren't clueless enough to store passwords in plaintext (hashes provide much better protection). It's far more likely that passwords are intercepted by a keylogger-type program on your computer instead.

moneysaver | Comment #6
There are a couple of other security measures not mentioned above:

1. Some of the major U.S. brokerages are now making available so-called security tokens for their customers to use as part of the log-on process. It's a little, battery-powered keychain device that generates a unique 6-digit code every time you press its button. In order to log in, you have to enter your regular ID, password and then add the 6-digit code onto the end of your regular password. Thus, even if someone hacked your ID and password, they'd never be able to access your account because they'd never be able to know the 6-digit security code, which is different every time you press its button.

2. Some of the non-U.S. banks I deal with have taken to requiring the use of mobile phone delivered One Time Passwords (OTP) in order to confirm any online transactions. So you still log in with a regular ID and password as usual. But in order to do any transactions like transferring money or paying a bill, etc., the bank's system sends a code to your mobile phone via SMS, and you have to enter the correct SMS code in order for the transaction to proceed. And of course, the codes are random and also change every time.

Both approaches are a hassle to some extent. You have to have the keychain token with you in order to access your accounts, and likewise have to have a mobile phone available to receive SMSs. But at least with those two systems, I don't have to worry too much when I read articles like the one above.
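
The keychain token described in this comment is an event-based one-time-password device, and the login code the post mentions is checked the same way on the bank's side; the Python below is an added example, not code from the post, the commenter or any bank, showing the RFC 4226 HOTP computation and a server-side check that tolerates unused button presses. The secret is the RFC's published reference key, and the record layout, window size and failure counter are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 reference key, not any real token's seed.
DEMO_SECRET = b"12345678901234567890"
DIGITS = 6
LOOK_AHEAD = 5  # how many unused button presses the server tolerates (assumed policy)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenRecord:
    """Server-side state for one customer's keychain token (hypothetical record layout)."""
    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next counter value the server expects
        self.failures = 0       # consecutive bad codes; a lockout threshold would use this

def verify_hotp(record: TokenRecord, submitted: str, look_ahead: int = LOOK_AHEAD) -> bool:
    """Accept the code if it matches any counter in [expected, expected + look_ahead].

    Every button press advances the token's counter even when the code is never typed in,
    so the server must tolerate a small drift. On success the server counter moves past
    the matched value, so a code that was intercepted cannot be replayed."""
    for offset in range(look_ahead + 1):
        candidate = hotp(record.secret, record.counter + offset)
        if hmac.compare_digest(candidate, submitted):  # constant-time comparison
            record.counter += offset + 1
            record.failures = 0
            return True
    record.failures += 1
    return False

def demo() -> list:
    """Walk one token through a fresh code, a replay, tolerable drift, and too much drift."""
    rec = TokenRecord(DEMO_SECRET)
    return [
        verify_hotp(rec, hotp(DEMO_SECRET, 0)),   # first code: accepted
        verify_hotp(rec, hotp(DEMO_SECRET, 0)),   # same code again: rejected (replay)
        verify_hotp(rec, hotp(DEMO_SECRET, 3)),   # two presses wasted, still inside window
        verify_hotp(rec, hotp(DEMO_SECRET, 20)),  # far beyond the window: rejected
    ]
```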

Anonymous | Comment #9
Too much? The ultimate proof of working needs to be provided by all security systems, e.g. metrics to measure success, and then the numbers/results speak for themselves.
