>As someone who works in finance/banking, I can assure you that this is not uncommon. Almost everyone is engaging in not-so-best practices with
Are there any standards that doing this violates, and if so, do banks have a person in the org (or external to the org) to whom violations of said standard can be reported?
> We are talking about password security in a system domain where there are arguably far more valuable assets to secure.
My worry is that because this is such a simple thing, if we allow ourselves to not do the best practice, where does it end? Especially since large organizations have many parts that don't communicate.
I agree we should think critically about risk, but I've also met lots of people who seem to backdate their logic - first they decide it's too onerous/costly to do a thing, then game out a reasonable enough reason why.
The problem with the latter is eventually your focus on compliance and handwaving will bite you hard, and you may not get a chance to be reactive because the breach will be so bad.
Look at it this way - banks will continue to support check payments for the foreseeable future, and checks violate every single security best practice by today's standards. The infrastructure to support checks without fraud burning everything to the ground was built up over centuries and works fairly well. That infrastructure has been extended to deter electronic fraud as well - so why waste time on technological navel gazing?