We have all seen websites that are very conscious about the security of their users' accounts and force users to change their password every few days (the interval ranges from 15 days to 45 days).
The question is how sound this approach really is and how much security such a strict policy actually adds. The other side of the same question is how insecure the websites are that never ask users to change their password.
After investigating this issue and discussing it with a number of users, we found some surprising facts. What we learned was very much the opposite of what these sites are trying to achieve.
For our observations we used three different accounts: an RBS India bank account, an ICICI Bank India account and an Indiabulls Securities demat account.
Of these three, RBS Bank and Indiabulls require you to change your password every few weeks; the most aggressive is Indiabulls Securities, which expires both your login password and your trading password every 14 days.
ICICI Bank, on the other hand, never asks you to change your password.
We found that changing passwords very frequently was not just cumbersome; it also exposed several serious security issues:
1) Frequent password changes waste time. Many people complained of occasions when they needed to transfer funds quickly and the website forced them to change their login password and their transaction password, and then asked them to log in again with the new passwords.
2) Changing passwords very often pushed users toward weak password patterns. Users cannot spend time every week thinking up a strong login password, so the new password ends up being a predictable variation of the old one, easy to guess and easy to crack.
3) The most serious issue we found is that after a few changes, users start writing the password down. After changing a password ten times it becomes very difficult to remember which one was set last, so the chance that users note the password down in some other, insecure place rises significantly.
4) Frequent password changes make it impossible to memorise the password after a while. Users who do not write their password down therefore forget it frequently and regularly have to call customer care to have the password reissued or reset. This problem alone can easily stop a user from using their bank's online facilities.
If a site forces users to change their password every 15 days, they are left with only two options: either they start writing the password down, or they keep forgetting it and need the site to reset it. The third option is that they get so frustrated that they stop using the site altogether.
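To make the second point concrete, here is an added example (our own illustration, not code from any of the banks discussed) of how predictable a rotated password is and how a site that insists on rotation can at least reject the trivial variations. The substitution table, the similarity cut-off of 0.75 and the candidate suffixes are assumptions of this example, not published rules.

```python
"""Added example: why forced rotation yields guessable passwords, and a
server-side check that rejects a new password that is only a trivial variation
of the previous ones. The thresholds and tables below are this example's own
assumptions."""
import re
from difflib import SequenceMatcher

# Common substitutions users make so that "Password" and "P@ssw0rd" read alike (assumed list).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})
SIMILARITY_THRESHOLD = 0.75   # assumed cut-off; tune against your own password data


def normalize(password: str) -> str:
    """Lower-case and undo the common symbol/letter substitutions."""
    return password.lower().translate(LEET)


def stem(password: str) -> str:
    """Strip the trailing run of digits/symbols, the part users increment on rotation."""
    return normalize(re.sub(r"[\d\W_]+$", "", password.lower()))


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is the kind of successor an attacker would guess from `old`."""
    if old == new:
        return True
    old_stem = stem(old)
    if old_stem and old_stem == stem(new):
        return True            # Winter2023 -> Winter2024, Secret7 -> Secret8!
    ratio = SequenceMatcher(None, normalize(old), normalize(new)).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def check_history(history: list[str], new: str) -> list[str]:
    """Return the previous passwords that `new` is a trivial rotation of (empty = accept)."""
    return [old for old in history if is_trivial_rotation(old, new)]


def likely_successors(old: str) -> list[str]:
    """Candidates an attacker tries once one value from the rotation chain leaks:
    the trailing number bumped by one or two, or a common suffix appended."""
    candidates = set()
    m = re.fullmatch(r"(.*?)(\d+)", old)
    base = m.group(1) if m else old
    if m:
        width = len(m.group(2))
        for delta in (1, 2):
            candidates.add(f"{base}{int(m.group(2)) + delta:0{width}d}")
    for suffix in ("1", "2", "!", "123"):
        candidates.add(base + suffix)
    candidates.discard(old)
    return sorted(candidates)


if __name__ == "__main__":
    # Constructed sample history for the demo.
    history = ["Winter2023", "Summer2022"]
    for candidate in ("Winter2024", "P@ssw0rd1", "correct horse battery staple"):
        print(candidate, "rejected because of" if check_history(history, candidate)
              else "accepted", check_history(history, candidate))
    print("attacker's first guesses after Winter2023 leaks:", likely_successors("Winter2023"))
```

Run it as a script to see a rotation from Winter2023 to Winter2024 rejected while an unrelated passphrase passes. The check is only a mitigation: it makes the rotation less predictable, but it does nothing about the written-down passwords and reset calls described above.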
On the other hand, when we looked at how ICICI Bank secures its online accounts without forcing users to change their passwords, we found the following:
1) Most users felt that the ICICI Bank website made them feel very secure even though they never change their password, because the site uses industry-standard security mechanisms such as SSL and a virtual keyboard.
2) ICICI Bank adds a further layer of security at login with a one-time password (OTP), sent by SMS to the user's registered mobile number. The user has to enter that OTP before they can access the account.
3) All money transfers on the ICICI Bank website require more than just a login password and a transaction password: the site also asks for six digits from the numbers printed on the back of the user's debit card. This ensures that the person making the online transaction also has physical possession of the debit card.
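As an added illustration of the OTP layer in point 2 (our own sketch, not ICICI Bank's code), here is the server side of an SMS one-time password check: the code goes to the user's phone, the server keeps only a keyed hash of it, and the code is single-use, time-limited and attempt-limited. The SMS gateway is a stand-in callable, and the 3-minute lifetime and 3-attempt limit are assumptions of the example.

```python
"""Added example: an SMS-delivered one-time password layer for login.
The SMS gateway is an injected callable and is assumed, as are the
3-minute lifetime and the 3-attempt limit."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 180          # assumed lifetime of a code
MAX_ATTEMPTS = 3               # assumed: a 6-digit code must not be guessable online
# Per-process key: a stored keyed hash cannot be reversed by hashing all 10^6 codes.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class PendingOtp:
    digest: bytes       # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(mobile, text): the SMS gateway (assumed)
        self.clock = clock         # injectable so expiry can be tested offline
        self._pending: dict[str, PendingOtp] = {}

    @staticmethod
    def _digest(user: str, code: str) -> bytes:
        msg = f"{user}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, user: str, mobile: str) -> None:
        """Generate a fresh code, keep only its keyed hash, send the code by SMS.
        A new issue replaces any older outstanding code for this user."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = PendingOtp(
            digest=self._digest(user, code),
            expires_at=self.clock() + OTP_TTL_SECONDS,
        )
        self.send_sms(mobile, f"{code} is your login OTP. It expires in 3 minutes.")

    def verify(self, user: str, code: str) -> bool:
        """Single use, time-limited, attempt-limited, constant-time comparison."""
        entry = self._pending.get(user)
        if entry is None:
            return False                  # nothing outstanding (or already consumed)
        if self.clock() > entry.expires_at:
            del self._pending[user]
            return False                  # expired: caller must issue a new code
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(user, code))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user]       # consumed, or locked out after too many tries
        return ok


if __name__ == "__main__":
    # Demo with a print-based "gateway" and a constructed user.
    svc = OtpService(send_sms=lambda mobile, text: print(f"SMS to {mobile}: {text}"))
    svc.issue("alice", "+91-XXXXXXXXXX")
    print("guess 000000 accepted?", svc.verify("alice", "000000"))
```

The password check that precedes this step is not shown; the OTP only binds the login to possession of the registered phone. Delivery over SMS is outside the example and is the weakest part of such a scheme in practice, which is why the code is short-lived and never stored in the clear.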
As we can see, adding security does not always mean forcing users to do something that causes more trouble than it is worth. A better alternative can usually be found that achieves the same goal while increasing users' confidence in the website.