#211650 - 07/15/04 08:00 PM 90-Day Password Changes
michellecc
Good afternoon.

Where can I find FDIC guidance on changing passwords every 90 days? We have had several complaints from our internet bank customers that they have to change their password every 90 days. We want to quote language from the regulators. Thank you.

#211651 - 07/15/04 08:51 PM Re: 90-Day Password Changes
JacF
I don't know of any official written guidance, but we also require 90-day password changes per recommendations from our FDIC examiners.

#211652 - 07/15/04 09:20 PM Re: 90-Day Password Changes
MackenzieS
Check out the FFIEC's IT Examination manual. On page 22 of the manual it states:

"The length, character set, and time before enforced change are important controls for pass phrases as well as passwords".

They do not specifically require a 90-day interval; however, from all the seminars I have attended and from all the materials I have read, this appears to be an "industry standard".

FFIEC manual

#211653 - 07/15/04 11:31 PM Re: 90-Day Password Changes
Andy_Z
In many cases these are just recommendations and sometimes I have heard them expressed for the bank's systems, not customers.

While this is a safer route to follow, I always worry that it will lead to the sticky note stuck on the monitor. I think it may also be relaxed if you have stringent controls in place on the number and variation of characters in the first place, such as the inability to use a dictionary word and the requirement to use one or more non-alphanumeric characters.

Bottom line, if it is a written rule, and it could be, I haven't seen it. So I think it is urban legend at this point.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#211654 - 07/16/04 01:27 PM Re: 90-Day Password Changes
Anonymous

Thank you.

#211655 - 07/16/04 02:07 PM Re: 90-Day Password Changes
Wore Out
We recently went through an FDIC exam and, though it was not technically in print, they did scrutinize closely the internal password controls and changes. Part of the summary of the exam was those recommendations for changes to be made based on access level of sensitive information (i.e. Administrators were recommended to change a minimum of every 30 days, loans 60 days, retail personnel 90 days, etc.). Hope this helps.
_________________________
Not even close to being legal advice....I have a bridge for sale too!

#211656 - 07/16/04 02:24 PM Re: 90-Day Password Changes
JacF
Qtip,
Did they say anything about customer passwords for Internet banking?

#211657 - 07/16/04 02:33 PM Re: 90-Day Password Changes
Wore Out
No, but we don't have internet banking at this time. They suggested to call our field office prior to implementation for guidance on customer passwords.

#211658 - 07/16/04 06:27 PM Re: 90-Day Password Changes
tomlokey
I'm not aware of any requirement for customers to change their passwords periodically. BofA does not have such a requirement.

#211659 - 07/16/04 06:55 PM Re: 90-Day Password Changes
Andy_Z
This is not unlike what I have heard in the past. The bank's internal systems require higher controls because there is more at risk.

If you ask a real IT type, they may want to apply the same rules. Often they don't like the username and password process from the very beginning. But where is it written or dictated that it has to be this way? Banks need to define the risks. And while I don't disagree with the regulator and IT types, better systems are more costly, and if it is data entered by a user and not "one-time" limited use, it is potential phishing material and may be compromised easily anyway. Better methods exist, but have much higher costs and require user acceptance.

#211660 - 07/22/04 09:04 PM Re: 90-Day Password Changes
Queen Mum
It was recommended to us in an IS exam that we have our IB set up for customers to require a password change every 90 days. Before that we did not, but have since changed it to 90 days.

#211661 - 07/22/04 09:18 PM Re: 90-Day Password Changes
Andy_Z
And you made this change:
a) it seemed a better way (the bank and customers like it)
b) we felt that if it was "recommended" we should do it
c) they showed us a citation mandating the requirement
d) I'd rather not answer

Actually this is somewhat rhetorical unless they did show it to you in black and white in which case, please share.
