Password Managers and Banking?

Bobblehat

Has any one here on MSE Forum any experience of Banks attitudes towards customers using Password Managers in the specific case of the customer having to make some sort of claim about fraud or loss of funds, etc?

I am looking at installing a Password Manager and as a novice in this area wondered if it could help or hinder in the above scenario. A quick search of the Techie Stuff area tells you quite a bit about Password Managers, but not much about Banks attitude to this in the event of a claim/loss. I reckon quite a few on here might have noteworthy experience or opinion. TIA.

RG2015

The banks tell you not to write down your passwords or pins or to reveal them to anyone. They could argue that entering your security data into a password manager is in breach of this condition. IT systems are always vulnerable whatever the IT companies may claim.

Do you believe the banks would try anything to avoid paying out on a claim if they could?

Bobblehat

Thanks RG2015 … this was the sort of thing I had in mind when I asked the question. 

I wouldn't want to find out the hard way that they used PM as an excuse not to pay out!

colsten

I have never been unfortunate enough to have any money stolen from my accounts, or my cards stolen or being cloned etc. If I ever were in such a situation, the bank would have a job proving that it was due to me having used Lastpass for the last 10 or so years. It is entirely unrealistic to expect people to 

1. not use the same security credentials on more than one account (bank, email, shopping accounts, work systems etc) and
2. not write down the various bits of information somewhere

Obviously, nothing is ever 100% foolproof but IMO, a reputable password manager is a lot safer than keeping more or less cryptic information on pieces of paper somewhere.

mwarby

There's also the aspect of how you use the password manager, how secure is your master password, do you use two factor etc

Lomcevak

I've also used one for ten years or so (1Password, in my case), and provided you're using a strong master password and two-factor authentication I cannot see how the bank could claim you had not taken reasonable care of your credentials. You could also point out that the UK National Cyber Security Centre best practice recommends organizations let users use password managers ("Help users cope with password overload: 1. Allow users to securely store their passwords, including the use of password managers.").

However, password managers aren't a magic bullet, and lax practice could be seen as lack of reasonable care. The bank would have to prove that though.

One option for the paranoid - which I use occasionally for critical accounts - is to store the bulk of password in a password manager, then then prefix and/or append some additional characters that are either memorized or stored elsewhere. An attacker then not only has to compromise my master password and physical two-factor token (no SMS here) but then brute-force the remainder.

Good article here from Troy Hunt if you fancy some further reading https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/

oli356

In the unlikely circumstance that someone got your password and 2fa method. 

Is the bank really going to ask how you remembered your password?
If I wrote my password down  obviously I'm not going to tell the bank I wrote it down and someone got hold of it somehow. I'm going to say I had remembered it.
Stealing a phone and finding out the 6/8? digit pin which you could see someone use in public to get access to the banking app is a more likely scenario I would think. 

gsmh

A password manager is of limited use for most online accounts I have used - they usually require specific letters/digits of a password and sometimes one of several saved responses to specific questions. A password manager is of no use in these circumstances. The only place a password manager might be useful if if there is an initial username and password before the above.

trient

There is no way the banks (or any provider) can tell if a password manager has been used for signing in, vs manually typing in the credentials. 

alanwsg

gsmh said:

A password manager is of limited use for most online accounts I have used - they usually require specific letters/digits of a password and sometimes one of several saved responses to specific questions. A password manager is of no use in these circumstances. The only place a password manager might be useful if if there is an initial username and password before the above.

The password manager I use ( https://pwsafe.org/ ) has this function.
In fact I'd find picking something like the 5th, 16th & 22nd characters out of a password rather difficult without it.

I have to fudge the 'answers-to-silly-questions' situations a bit by saving them as a group of items under each login, but it works well enough.

gsmh

alanwsg said:

The password manager I use ... has this function.
In fact I'd find picking something like the 5th, 16th & 22nd characters out of a password rather difficult without it.
I have to fudge the 'answers-to-silly-questions' situations a bit by saving them as a group of items under each login, but it works well enough.

Now that's interesting. Your bank login asks for the 5th character of your password and pwsafe supplies it? I've never heard of that! I use Bitwarden and it autofills whole passwords but there's no way it could supply a specific character.