Katie Kuehner-Hebert looks at the issue of mandating consumer password changes in today’s American Banker. She cited only a single bank doing it, West Georgia National Bank <www.wgnb.com>, which recently began requiring new passwords every 45 days. None of the financial institutions we are familiar with force password changes, although NextCard did when it first launched in 1997, but later it did away with the annoying requirement.
Analysis
This is one of the least effective ways to improve security. In fact, it may have exactly the opposite effect for two reasons:
- Customers cannot memorize a new password every 45 days, so they will have to write it down somewhere near their PC where it can be seen by others.
- Once users begin to realize what a hassle it is logging in to your website, they will forgo online access altogether or use it much less frequently, therefore reducing the frequency of account monitoring which can reduce the impact of identity theft and other fraud.
And even the method did reduce fraud, it’s unlikely to be cost effective due to the increased burden on customer service and decreased customer satisfaction.
Offer choice
Some customers do like the idea of periodic password changes, but forget about mandatory changes. We like the M&T Bank <www.mandtbank.com>. The Buffalo-based banks allows customers to choose whether to have mandatory password changes at either 30, 60, 90, 180 or 365 days. They can also choose NOT to have a mandatory password change (click on inset for a closeup).
An even simpler way to give customers the choice is to allow customers to program an alert reminding themselves to change their password. The alert should NOT have a link back to the bank, otherwise it will look like a phishing message.
—JB