LastPass VP on the Bare Minimum of Password Security for Banks

Passwords are as frustrating as they are essential, especially in financial services. We chatted with LastPass VP of Product Management Dan DeMichele to get an idea of how banks and fintechs can protect themselves, what the future of passwords looks like, and how digital identity is dictating changes.

In his role at LastPass, a password manager that offers secure password storage for millions of users, DeMichele is responsible for leading LastPass’ overall product and strategy teams. We caught up with him to get some insight on the intersection of banking, cybersecurity, passwords, and digital identity.

How are cyber threats impacting the banking industry? Is the situation improving or worsening?

Dan DeMichele: Cyber threats are decisively impacting the banking industry as attackers are constantly eyeing sensitive information. It’s a heavily targeted industry given the volume of highly sensitive data being produced and stored within it and the insider vulnerabilities that plague it. The growing population accessing banking networks makes this worse: the industry is seeing an increase in touchpoints that give hackers more opportunities to attack.

Knowing attacks have been made easier by the digitization of the sector, which was fast-tracked by the pandemic, it’s clear the situation is worsening. A recent LastPass report revealed that while 68% of individuals would create stronger passwords for financial accounts, 8% believe a password shouldn’t have ties to personal information. This means most users are creating passwords with ties to potentially public details, making it easier for hackers to access their information. To take it a step further, these credentials are being leaked on other websites through which bad actors then attempt credential stuffing, particularly into financial networks.

What are easy steps banks can take to mitigate these threats?

DeMichele: It’s critical that private banks, wealth managers, and clients themselves protect online banking sign-on and practice proper password hygiene to minimize attacks that are on the rise. The industry can work to combat threats in a number of ways, including requiring multi-factor authentication (MFA) during the login process, setting up dark web monitoring alerts, addressing general password hygiene needs and implementing password management tools, installing solutions such as anti-phishing web browsing software, and implementing policies for location and devices staff can log in from and the type of access allowed.

Beyond these basic protection measures, what should banks do to fully protect themselves?

DeMichele: The private banking and finance sectors need to focus on how they store and share sensitive data and information. By identifying weak spots and knowing how to reduce risks, banks can make attacks more difficult to accomplish and essentially less attractive to potential hackers in the first place. Cybersecurity also needs to be a concern beyond the IT department. Staff with network access need to be properly informed and trained in their role in keeping the organization secure against attacks. Organizations should also weigh the option of implementing automated solutions. With the rise of the digitization of the sector, tools that automate cybersecurity and compliance are now available to help mitigate risk.

Do you envision we’ll ever see a world without passwords as we know them today? What would that look like?

DeMichele: Over the next year, I anticipate a simplification of the tool set for administrators and the end user experience that enables efficient password hygiene. Today’s password solutions were built for the more tech-savvy crowd, but looking ahead, password management will become more intuitive for end users. In addition, within the next five years or so, VPNs will likely be obsolete and replaced by zero trust. It offers a different perspective on how devices are connecting to networks, which is critical as organizations remain remote or shift to a hybrid workforce. There will likely be one vendor that comes to market and makes it simple to implement, which is when every company will look to adopt it. I also see passwordless authentication with strong security standards such as FIDO 2.0 being adopted and triggering a slow phasing out of traditional passwords. It will be a long journey to get to that point, and password management solutions that are tackling both challenges will help users keep secure profiles.

What role does digital identity play in all of this?

DeMichele: We’re in the midst of a revolution of how individuals interact online as a result of digital identities. Unfortunately, the more we digitize ourselves without the proper protections in place, the easier it becomes for cyber criminals to learn about us and use our digital identities to their advantage. With the rise of digital wallets, vaccine codes, digital driver’s licenses, biometrics and credentials, connected homes, smart airports and much more, we’re likely going to experience more calls for supervision of these digital ID systems along with more global ID initiatives in the future. With more access to the internet via mobile, a pandemic-induced accelerated shift to all things digital-first, and an increase in demand for security, digital identity is definitely a feature of modernization processes to come.


Photo by Miguel Á. Padriñán from Pexels