
Number of Characters Required for Passwords


What is the regulatory requirement regarding the minimum number of characters required on passwords used for online banking?

I have not found FFIEC or regulatory requirements on what banks impose on customers. Banks themselves have some guidance, but what they require from customers is up to them.

That said, 6 characters in length, not a word, is very common. The requirement to add a numeric or symbol character to this mix is growing in popularity. But passwords and usernames are single-factor authentication. These are things the customer knows. Multi-tiered single-factor authentication (using more than one password) is also more common than it used to be, but less secure than multi-factored authentication such as the use of a card or passcode-generating token. These are things the customer has.

By year-end 2006, multi-factor authentication is required for most customer online access because single-factored authentication is recognized as weak. To strengthen single-factor, the passwords need to be longer and more complex. This makes them harder to remember and they get reduced to writing. That makes the system inherently weaker. Increased requirements in single-factor authentication would then be meaningless.

First published on 8/21/06
