Feeds

Most consumers reuse banking passwords on other sites

Password recycle fail leaves consumers ripe for harvesting

Protecting against web application threats using SSL

The majority of online banking customers reuse their online-banking login credentials on other websites, according to a new survey on password insecurity.

Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website. Even worse, around half (47 per cent) use the same online banking username and password for other website logins.

This dismal password security practice means that if cybercrooks trick a user into giving away his login credentials for a social networking site, for example, they stand a very good chance of getting into webmail and online banking accounts for the same person, potentially bringing about crippling financial losses as a result.

Trusteer's findings are pulled from a sample of users of its Rapport browser security service. This is offered through online banks in Europe and North America to their customers as a defence against phishing attacks. Web users outfitted with Trusteer's Rapport browser security plug-in are prevented from sending login details to fraudsters, even if they visit and attempt to enter data into a known phishing site.

The survey (PDF) also found that when a bank permits users to pick their own user ID, 65 per cent will re-use this username with a non-financial website, a figure that drops to 45 per cent even if a bank chooses the user ID for its customers.

Trusteer expressed surprise that consumers were so lax on password security, even when it comes to online banking websites. Here at El Reg, we'd be surprised if anyone produced a survey or research indicating that password security among consumers and enterprise users was anything better than dreadful.

"Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users re-purpose their financial service usernames and passwords," explained Amit Klein, CTO of Trusteer. "Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites."

Trusteer advised consumers to keep at least three sets of credentials: one that's only used with financial websites, the second for websites that hold information about a user's identity, and the third set for other less sensitive websites. That's certainly a start, but web users also need to think about using hard-to-guess passwords able to withstand brute force dictionary password cracking attacks commonly used by even minimally-skilled cybercroooks.

Top tips from Microsoft (here) and Sophos (here) outline tactics for coming up with hard-to-break but straightforward enough to remember website login credentials. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.