
The Bitwarden Blog

Industry Leaders Security Rankings: Banking Edition

authored by:

Bitwarden

posted on:

March 8, 2022

Does your bank allow you to easily use strong and unique passwords?

We recently set out to answer that question from the end user's perspective. We narrowed the list to the five largest banks in the United States by assets held:

  • Bank of America
  • Citi
  • JPMorgan Chase
  • U.S. Bank
  • Wells Fargo

From there, we determined criteria to evaluate password security friendliness, tested the criteria, and now present the findings with a numerical grading system.

Financial data, like other personally identifiable information such as Social Security numbers in the U.S., is incredibly sensitive. As consumers can attest, banking password breaches can lead to disruptive inconvenience at best and life-altering financial loss at worst. The U.S. government has taken note.

In November 2021, U.S. banking regulators ordered banks to report ‘cybersecurity incidents’ to their primary government regulator within 36 hours. It’s likely that the parade of high-profile data breaches - JPMorgan Chase in 2014; Capital One in 2019 - helped propel this rule forward.

While it's impossible for us individually to control cybercriminal behavior, we can control our password practices. One of the best strategies for protecting your financial information is using a strong and unique password and leveraging other tools such as password managers, authenticator apps, and security keys to further enhance security. Of course, banks need to enable use of these tools as well. Read on to find out whether they've done so.

Ranking Criteria

The criteria used to assess password security are:

Does the bank limit password length?

Capping length is not a good thing. Experts advise that passwords be strong and unique, and strength comes mainly from length and randomness, such as 14 or more random characters. In our note on How secure is my password we share: "Short passwords are far more susceptible to a brute force attack, where a computer or malicious software program goes through every 8-digit combination (or more) of characters until it finds a match."

Plus, password managers, which help people generate, store, and manage passwords, can generate much longer random passwords than a bank's limit allows; a cap forces users to settle for a shorter one.

Does the bank allow users to paste and autofill passwords?

This is a good thing. Pasting lets people use the long, random passwords a password manager generates rather than something short enough to type from memory, and autofill makes logging in fast and easy.

Does the bank offer two-factor authentication (2FA)?

This is a good thing. As we’ve said time and time again, two-factor authentication is more secure than simply using a username and password.

Does the bank allow authenticator apps? Does the bank allow authenticator hardware?

These are both good. Authenticator apps and hardware security keys add extra levels of strong protection and are more secure than SMS text messages, which can be intercepted or redirected through SIM swapping.

Does the bank send an email informing the user of a password reset? Does the bank require the user to log in again using the new password?

These are both practical steps. It's prudent to alert users to a password change they may not have authorized. Requiring a fresh login with the new password is a security best practice because it invalidates existing sessions, so an attacker who already holds one does not keep access after the victim resets the password.
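The length and paste criteria above can be checked against a login page's markup rather than by trial and error. Below is an added example, not code from Bitwarden or from any of the banks reviewed, that uses Python's standard-library HTML parser to flag a maxlength cap, a paste-blocking handler, and autocomplete="off" on password fields, and that sizes the search space a length limit leaves an attacker. The two sample forms, the 64-character threshold (NIST SP 800-63B's recommended minimum for the allowed maximum), and the guess rate are assumptions constructed for the example.

```python
"""Added example: audit a login form's password field and size the search
space a length limit leaves. Not Bitwarden's code. The sample forms, the
64-character threshold and the guess rate are assumptions for illustration."""
import math
from html.parser import HTMLParser

PRINTABLE_ASCII = 95        # characters a password generator can draw from
ASSUMED_GUESS_RATE = 1e10   # guesses/s; illustrative assumption, not measured


class PasswordFieldFinder(HTMLParser):
    """Collect the attributes of every <input type="password"> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if attr.get("type", "text").lower() == "password":
            self.fields.append(attr)


def audit_login_form(html, min_acceptable_cap=64):
    """Return (field name, issue) pairs for attributes that hinder strong,
    unique passwords: a low maxlength cap, a paste-blocking handler, and
    autocomplete="off", which asks the browser not to autofill the field."""
    parser = PasswordFieldFinder()
    parser.feed(html)
    findings = []
    for field in parser.fields:
        name = field.get("name") or field.get("id") or "<unnamed>"
        cap = field.get("maxlength", "")
        if cap.isdigit() and int(cap) < min_acceptable_cap:
            findings.append((name, f"maxlength={cap} caps password length"))
        handler = field.get("onpaste", "").replace(" ", "").lower()
        if "returnfalse" in handler or "preventdefault" in handler:
            findings.append((name, "onpaste handler blocks pasting"))
        if field.get("autocomplete", "").lower() == "off":
            findings.append((name, "autocomplete=off discourages autofill"))
    return findings


def entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(length, alphabet_size=PRINTABLE_ASCII,
                              guesses_per_second=ASSUMED_GUESS_RATE):
    """Upper bound on the time to try every password of exactly this length
    (an offline attack against a leaked, fast-to-compute hash)."""
    return alphabet_size ** length / guesses_per_second


# Constructed sample forms: one restrictive, one password-manager friendly.
RESTRICTIVE_FORM = """
<form action="/login" method="post">
  <input type="text" name="userid" maxlength="32">
  <input type="password" name="password" maxlength="14"
         autocomplete="off" onpaste="return false;">
</form>
"""

FRIENDLY_FORM = """
<form action="/login" method="post">
  <input type="text" name="userid" autocomplete="username">
  <input type="password" name="password" maxlength="128"
         autocomplete="current-password">
</form>
"""

if __name__ == "__main__":
    for label, form in (("restrictive", RESTRICTIVE_FORM), ("friendly", FRIENDLY_FORM)):
        print(label, audit_login_form(form) or "no findings")
    for n in (6, 8, 14, 20):
        days = exhaustive_search_seconds(n) / 86400
        print(f"{n} chars: {entropy_bits(n):.1f} bits, ~{days:.3g} days to exhaust")
```

The search-space numbers show why the floor and the ceiling both matter: six random printable characters (the bottom of Wells Fargo's range) are exhausted in about a minute at the assumed rate, while a cap prevents users from choosing the 20-plus character passwords a manager generates by default. Run against a real page, the audit is only a first pass: paste blocking is often done in JavaScript attached at runtime, which this static check will not see.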

Password Security Scoring System

The assessment includes a grade for each bank. To determine the grade, we marked each of the seven questions articulated above ✅ when the bank meets the criterion and ⛔ when it does not. For example, 7/7 is a perfect score, or 100% (sadly, no bank received a perfect score!). A 5/7 is 71%, which is defined as Fair.

Below is a simple guide to the grading. Below that, you’ll see the grades for each bank.

Grading Guide

  • 85-100%: Good
  • 71-84%: Fair
  • 0-70%: Room for Improvement

Bank of America


Bank of America receives a Room for Improvement rating because it limits passwords to 8-20 characters and does not support authenticator apps or authenticator hardware. On other fronts, it is in line with best practices.

Password Security: Room for Improvement

⛔ Limits password length

✅ Allows users to paste passwords

✅ Offers two-factor authentication

⛔ Allows authenticator apps

⛔ Allows authenticator hardware

✅ Informs users of password reset

✅ Requires login using new password

PASSWORD SECURITY SCORE: 57%


Citi


Like Bank of America, Citi limits password length (to 8-64 characters) and does not support authenticator apps, but unlike Bank of America it lets users use authenticator hardware.

While it informs users of a password reset, Citi does not require users to log in again with the new password.

Password Security: Room for Improvement

⛔ Limits password length

✅ Allows users to paste passwords

✅ Offers two-factor authentication

⛔ Allows authenticator apps

✅ Allows authenticator hardware

✅ Informs users of password reset

⛔ Requires login using new password

PASSWORD SECURITY SCORE: 57%


Chase


Chase errs in limiting password length. The other area where it falters - similar to its competitors - is in the authenticator app and authenticator hardware arena.

Perhaps Chase will lead the way on the authentication front. Or, will Wells Fargo beat Chase to it?

Password Security: Room for Improvement

⛔ Limits password length

✅ Allows users to paste passwords

✅ Offers two-factor authentication

⛔ Allows authenticator apps

⛔ Allows authenticator hardware

✅ Informs users of password reset

✅ Requires login using new password

PASSWORD SECURITY SCORE: 57%


US Bank


US Bank comes in with the lowest score, faltering in four categories. The fundamentals are there (pasting, 2FA, and notification of password resets), but it limits password length to 8-24 characters, does not support authenticator apps or authenticator hardware, and does not require a fresh login after a reset.

Password Security: Room for Improvement

⛔ Limits password length

✅ Allows users to paste passwords

✅ Offers two-factor authentication

⛔ Allows authenticator apps

⛔ Allows authenticator hardware

✅ Informs users of password reset

⛔ Requires login using new password

PASSWORD SECURITY SCORE: 42%


Wells Fargo


Wells Fargo delivers most of the goods and earns the highest score of the five, but it makes a fundamental mistake in limiting password length to 6-14 characters, the tightest of the limits noted in this review. On the plus side, Wells Fargo has taken a step forward with its support for authentication hardware.

Password Security: Fair

⛔ Limits password length

✅ Allows users to paste passwords

✅ Offers two-factor authentication

⛔ Allows authenticator apps

✅ Allows authenticator hardware

✅ Informs users of password reset

✅ Requires login using new password

PASSWORD SECURITY SCORE: 71%


Conclusion

There are a few patterns to note. First, all of the banks on this list allow pasting of passwords. This means that there is no good excuse to avoid using a password manager. If you are using a password manager or interested in getting started, read more on Five Best Practices for Password Management.

Next, it’s clear (and admirable) that 2FA has gone mainstream! If you haven’t already, we strongly encourage you to enable it. For more on 2FA, check out “Top 10 burning questions on 2FA”. We’re also happy to see that users are informed when their password is reset. From a security perspective, this is an easy no-brainer.

While these criteria aren't exhaustive, they get to the heart of how businesses can enable strong password security. We hope they give you a sense of how your bank is performing, whether you should turn on some of the capabilities it offers, or even whether you need to find a new bank.

So, how did your bank perform? Follow Bitwarden on Twitter and let us know.

Ready to get started with a password manager today? Quickly get set up with a free Bitwarden account, or sign up for a 7-day free trial of our business plans so your business and colleagues can stay protected.

©2022 Bitwarden, Inc.