Brendan Hopper, general manager of the Commonwealth Bank of Australia's (CBA) cybersecurity centre, wants to see better security in place than a general rotation of conventional passwords, but as the bank is dependent on software from other vendors, that nirvana is further away than he would like.
Pointing to the work of Bill Burr -- the NIST author who in 2003 wrote the password guidance (NIST SP 800-63, Appendix A) that dictated passwords be at least eight characters, contain at least one capital letter, and have a number and a symbol -- Hopper said he would prefer to do away with this approach.
"He spent a long time after that trying to tell people it was bad advice," he said, speaking at the University of New South Wales (UNSW) and CommBank Australian Cybersecurity Education Summit last week.
"It's very easy for computers in certain situations to guess and break passwords like that, and passwords like that are very hard for a human to remember."
Despite acknowledging this approach isn't the best way to protect systems, Hopper said CBA still enforces mandatory password rotation, along with the letter-and-number composition requirement.
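To make the contrast concrete, the following is an added example (written for this page, not CBA's code and not NIST's reference implementation) that puts the Burr-era composition rule beside a simplified reading of the current NIST SP 800-63B advice: a length floor, no composition rules, no forced rotation, and a check against a breached-password list. The breach list is a tiny constructed stand-in for a real corpus; the guess-space numbers model the predictable way humans satisfy a composition rule (capitalised word, two digits, one symbol) and are assumptions chosen for illustration.

```python
"""Added illustration: 2003-era composition rule vs. a simplified SP 800-63B check.

Example code written for this page; it is not CBA's policy engine and not an
official NIST implementation. The breach list is a constructed stand-in.
"""
import re
import unicodedata

# Constructed stand-in for a breached-password corpus (a real one, such as the
# Have I Been Pwned list, holds hundreds of millions of entries). Entries are
# lowercased so the comparison is case-blind.
CONSTRUCTED_BREACH_LIST = {
    "password1!", "welcome1!", "summer2024!", "qwerty123!", "p@ssw0rd",
}


def burr_style_ok(password: str) -> bool:
    """The composition rule the article describes: 8+ characters, at least one
    capital letter, one digit and one symbol. Nothing else is checked."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def nist_63b_style_ok(password: str,
                      breach_list=CONSTRUCTED_BREACH_LIST,
                      min_length: int = 8) -> bool:
    """Simplified SP 800-63B reading: enforce a minimum length, impose no
    composition rules, and reject anything found in a breach list. Periodic
    rotation is deliberately absent; a password changes only on evidence of
    compromise. NFKC normalisation keeps equivalent Unicode forms comparable."""
    normalised = unicodedata.normalize("NFKC", password)
    if len(normalised) < min_length:
        return False
    if normalised.lower() in breach_list:
        return False
    return True


def human_pattern_guess_space(word_list_size: int = 10_000,
                              digit_suffixes: int = 100,
                              symbols: int = 10) -> int:
    """Search space for the typical human way of satisfying the composition
    rule: a capitalised dictionary word, a two-digit suffix and one trailing
    symbol. The defaults are assumed, illustrative sizes."""
    return word_list_size * digit_suffixes * symbols


def passphrase_guess_space(words: int = 4, list_size: int = 7776) -> int:
    """Search space for a passphrase of `words` entries drawn uniformly from a
    list of `list_size` words (7776 is the size of a standard diceware list)."""
    return list_size ** words


if __name__ == "__main__":
    for pw in ("Password1!", "Summer2024!", "correct horse battery staple"):
        print(f"{pw!r:34} burr={burr_style_ok(pw)!s:5} 63b={nist_63b_style_ok(pw)}")
    print("human-pattern guesses:", human_pattern_guess_space())
    print("4-word passphrase guesses:", passphrase_guess_space())
```

Run as a script, the block shows the point Hopper makes: `Password1!` and `Summer2024!` satisfy the composition rule yet are on the breach list, while a long lowercase passphrase fails the composition rule and passes the 800-63B-style check. The guess-space figures are the reason: the word-plus-digits-plus-symbol habit yields about ten million candidates, which offline cracking hardware exhausts in seconds, whereas four random diceware words give roughly 3.7 × 10^15.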
"That's because it's a complex, technical ecosystem -- at CommBank we have lots of systems that do lots of different things, as you can imagine, Australia's largest bank has lots of computers with lots of different software made by different manufacturers," he explained.
"We actually have people who are trying to do away with the conventional password model, but we've had to follow these standards and rotations -- lots of the applications that plug into some of our central systems would stop working."
According to Hopper, this makes it less of a policy issue and more of a compatibility one.
"We need the whole industry to move together on some of these points," he said.
"Because we have a lack of scientific fact around what we're doing, this is still an argument where you can't prove you're right, you can present lots of evidence, but we don't yet have basic -- we're doing physics in a pre-Newton society when it comes to cybersecurity ... we just can't prove it, we can't make widespread industry change."