#572866 - 06/22/06 05:27 PM FFIEC or FDIC Guidance on Passwords
complianceman (Platinum Poster, joined Mar 2005, 687 posts, New Albany, IN)
Is anyone aware of any FFIEC or FDIC guidance on what would be the acceptable parameters for passwords (i.e., minimum of 8 characters, one being an uppercase letter, one being a lowercase letter and one being a number)? If not, is anyone aware of an "industry standard"?

Thanks
_________________________
The opinion stated here is what it is, My Opinion.

#572867 - 06/23/06 05:13 PM Re: FFIEC or FDIC Guidance on Passwords
Andy_Z (10K Club, joined Oct 2000, 27,750 posts, On the Net)
You need to specify who is using the password: the banker, internally, or your Internet banking customer?

There is guidance in the FFIEC IT exam on the banker. As to the customer, we went with 7 characters, and it had to pass a dictionary test. That is somewhat weak by today's standards and tomorrow's with multi-factor authentication on the way.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

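As an added illustration (not code from this thread or from any of the posters), the following Python checker enforces the parameters asked about in the opening post (minimum length, an uppercase letter, a lowercase letter and a digit) plus the dictionary test Andy_Z mentions; the minimum length is a parameter so a 6-, 7- or 8-character policy can be compared, and the word list is a constructed stand-in for a real dictionary file.

```python
import re

# Constructed stand-in for a dictionary-test word list (a real deployment
# would load a large word list from a file).
DICTIONARY = {"password", "banker", "welcome", "summer", "albany"}

# Common letter-for-symbol substitutions undone before the dictionary test,
# so that "P@ssw0rd" is still caught as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s"})


def _cores(pw):
    """Alphabetic 'cores' of a password, with and without leet substitutions."""
    lowered = pw.lower()
    plain = re.sub(r"[^a-z]", "", lowered)
    unleeted = re.sub(r"[^a-z]", "", lowered.translate(LEET_MAP))
    return {plain, unleeted}


def check_password(pw, min_len=8, dictionary=DICTIONARY):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no digit")
    # Dictionary test: a dictionary word padded with digits or symbols
    # (e.g. "Summer06") satisfies the character classes but still fails here.
    if any(core in dictionary for core in _cores(pw)):
        failures.append("dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ["Password1", "P@ssw0rd1", "abc", "Tr4ctor-Beam9"]:
        print(candidate, "->", check_password(candidate) or "OK")
```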
#572868 - 06/23/06 05:20 PM Re: FFIEC or FDIC Guidance on Passwords
KrisH (Gold Star, joined Mar 2003, 358 posts, Massachusetts)
I'm not aware of an industry standard, but the problem with acceptable parameters is that it varies according to the application. I have about 20 different logins and passwords for different things, and most of them have very specific requirements that contradict each other. I have some that require the use of a special character, and some that don't *allow* special characters. I have some that can be no longer than 6 characters and others that must be a minimum of 8. Those are just examples.

I personally will always make my password as complex as I can, given the parameters I have to work with. Fortunately the ones with the "weak" password schemes tend to be low risk applications anyway.

If you are asking because of the need to put something in a policy, I'm not aware of any quotes you can use. My own policies don't make reference to required parameters for the reasons I mention above, and I've never received any negative comments about it. However, I maintain a full manual including information on every application we use that describes the security controls for those apps - password parameters and expirations, time out features, etc.
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.

#572869 - 06/29/06 11:05 AM Re: FFIEC or FDIC Guidance on Passwords
CO IT Guy (New Poster, joined Jan 2005, 12 posts, OK)
Check out the SANS sample policy on passwords at:

http://www.sans.org/resources/policies/Password_Policy.pdf
_________________________
My comments and opinions do not represent legal advice nor the opinions of my employer.

#572870 - 06/29/06 08:44 PM Re: FFIEC or FDIC Guidance on Passwords
Neytiri (Platinum Poster, joined Jul 2002, 645 posts, Pandora)
I thought in the FFIEC "Authentication in an Electronic Banking Environment" dtd 8/8/2001 it stated that "the industry is moving toward use of passwords of 6 characters with a combination of letters and numbers". We use 6 characters with a combo of letters and numbers. However, we just got written up by outside auditors for not having 8 character passwords for Internet Banking. Has anyone seen where 8 character passwords are required?

#572871 - 07/06/06 04:01 PM Re: FFIEC or FDIC Guidance on Passwords
Czargazer (Gold Star, joined May 2003, 298 posts, Pacific Northwest)
This is always a fun topic. There is, as far as I can tell, no specific guidance from any agency on the issue. Yet, if you ask any external IT auditor or examiner they'll tell you to use at least 8 characters, enforce password changes every 45 days or less (preferably 30 I believe), and enforce complex passwords. The FFIEC handbook may say something about 6 characters but keep in mind that was 5 years ago.

That being said, it honestly doesn't matter much. Even with the above conditions in place a successful hacker can crack at least 30%-40% of your passwords in 5 minutes. Even some fairly complex passwords will fail during those 5 minutes.
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.
