Number of Characters Required for Passwords
Answered by:
Question:
What is the regulatory requirement regarding the minimum number of characters required on passwords used for online banking?
Answer:
I have not found FFIEC or regulatory requirements on what banks impose on customers. Banks themselves have some guidance, but what they require from customers is up to them.
That said, 6 characters in length, not a word, is very common. The requirement to add a numeric or symbol character to this mix is growing in popularity. But passwords and usernames are single-factor authentication. These are things the customer knows. Multi-tiered single-factor authentication (using more than one password) is also more common than it used to be, but less secure than multi-factored authentication such as the use of a card or passcode-generating token. These are things the customer has.
By year-end 2006, multi-factor authentication is required for most customer online access because single-factored authentication is recognized as weak. To strengthen single-factor, the passwords need to be longer and more complex. This makes them harder to remember and they get reduced to writing. That makes the system inherently weaker. Increased requirements in single-factor authentication would then be meaningless.
First published on BankersOnline.com 8/21/06