
Security for banking login credentials

I started a new thread today titled Google Password Manager but this was moved from this board to the techie stuff board. I guess this is fair enough although my main concern is protecting my financial data hence I originally posted here.

I do not believe that my banking passwords are easy to guess and I keep my apps and software up to date. A very strong password is impossible to remember without a password manager.

Am I therefore complying with the banks' requirements to keep my login credentials secure?

Wasn't there once a suggestion that using a password manager was in breach of the requirement not to reveal passwords to anyone? 

Comments

  • GeoffTF
    GeoffTF Posts: 1,601 Forumite
    Second Anniversary 1,000 Posts Name Dropper Photogenic
    edited 25 August 2023 at 9:02AM
    A very strong password does not help if the bad guys have installed a key logger on your machine. A password manager does not necessarily share your password with anyone, but how do you know? Santander just requires a five digit pin to log on, but often requires you to type a code sent to your mobile phone to make payments or make changes.
    I make passwords up from several pieces, and keep a crib sheet to remind me what each piece is. An example of a password piece might be the name of the town where you dropped your keys down a drain. Nobody else is likely to guess that, even with a clue.
    Passwords are not a big problem, because they can be reset. Memorable names, like the name of your favourite film when you do not have one are the real pain.
  • datz
    datz Posts: 165 Forumite
    Fifth Anniversary 100 Posts Name Dropper
    edited 25 August 2023 at 9:49AM
    RG2015 said:
    I started a new thread today titled Google Password Manager but this was moved from this board to the techie stuff board. I guess this is fair enough although my main concern is protecting my financial data hence I originally posted here.

    I do not believe that my banking passwords are easy to guess and I keep my apps and software up to date. A very strong password is impossible to remember without a password manager.

    Am I therefore complying with the banks' requirements to keep my login credentials secure?

    Wasn't there once a suggestion that using a password manager was in breach of the requirement not to reveal passwords to anyone? 

    People are either going to reuse the same simple passwords and question/answers across multiple services (bad), or opt for a password manager (better). Regardless of how banks 'might' view password managers, they are pretty much a necessity these days for generating and maintaining unique, complex login credentials. What more banks should be focusing on, is providing customers with an option for strong 2fa (SMS is inferior to something like Google's Authenticator app on Android - slight tangent but worth mentioning that the in-built iOS password manager recently received support for generating 2fa authentication codes).

    Anyway, what matters more is the password manager that you do choose - who are the people behind it, how is it implemented, how secure is the code, what about any online storage/syncing component? There have been various issues with several providers over the years - most recently with LastPass. Personally, I am far more likely to trust Apple or Google's own in-built closed-source implementations than some random smaller developer, and while I do make extensive use of the password manager on iOS, I have no need to store banking credentials on there. When it comes to desktop/laptop, I have a preference for Keepass, or one of its variants (KeePassXC on my main Linux Mint system). It's open source, well established and the database is stored locally.

  • p00hsticks
    p00hsticks Posts: 13,425 Forumite
    10,000 Posts First Anniversary Photogenic Name Dropper
    edited 25 August 2023 at 12:20PM
    A good way to generate a strong password that you can remember rather than having to write it down or store it is to use the first letters from a phrase that you can memorise easily. For example 'This is the password to log on to my bank account' would give you a password of 'Titptlotmba' - or in leet, 'T1tptl0tmb4'
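The phrase-initials scheme described in the post above, as an added example that is not the poster's code: it takes the first letter of each word in a memorable phrase and optionally applies the same character substitutions the post shows (i to 1, o to 0, a to 4; that table is an assumption of this example, as is the minimum word count used to flag short phrases).

```python
# Added example, not from the forum post: derive a password from a memorable phrase
# by taking the first letter of each word, as in the post's 'Titptlotmba' example.

# Substitutions taken from the post's own example; any wider table is an assumption.
LEET_MAP = {"i": "1", "o": "0", "a": "4"}

# Assumed threshold: shorter phrases give fewer characters, so they are easier to guess.
MIN_WORDS = 8


def phrase_to_password(phrase: str, leet: bool = False) -> str:
    """Return the initials of each word in `phrase`, optionally with leet substitutions."""
    words = [w for w in phrase.split() if w]
    initials = "".join(w[0] for w in words)
    if not leet:
        return initials
    return "".join(LEET_MAP.get(ch, ch) for ch in initials)


def is_long_enough(phrase: str, min_words: int = MIN_WORDS) -> bool:
    """True when the phrase has at least `min_words` words (and so that many characters)."""
    return len(phrase.split()) >= min_words


if __name__ == "__main__":
    phrase = "This is the password to log on to my bank account"  # phrase from the post
    print(phrase_to_password(phrase))             # Titptlotmba
    print(phrase_to_password(phrase, leet=True))  # T1tptl0tmb4
    print(is_long_enough(phrase))                 # True
```

Because the result is only as unpredictable as the phrase behind it, the length check matters more than the substitutions: the leet variant is a fixed, well-known transformation of the same initials rather than extra randomness.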
  • p00hsticks
    p00hsticks Posts: 13,425 Forumite
    10,000 Posts First Anniversary Photogenic Name Dropper
    GeoffTF said:
    A very strong password does not help if the bad guys have installed a key logger on your machine.
    Many banks get round that by only asking you to enter certain characters from your password, often using drop down menus.
  • PRAISETHESUN
    PRAISETHESUN Posts: 4,018 Forumite
    Sixth Anniversary First Post Name Dropper Photogenic
    edited 25 August 2023 at 2:08PM
    RG2015 said:
    I started a new thread today titled Google Password Manager but this was moved from this board to the techie stuff board. I guess this is fair enough although my main concern is protecting my financial data hence I originally posted here.

    I do not believe that my banking passwords are easy to guess and I keep my apps and software up to date. A very strong password is impossible to remember without a password manager.

    Am I therefore complying with the banks' requirements to keep my login credentials secure?

    Wasn't there once a suggestion that using a password manager was in breach of the requirement not to reveal passwords to anyone? 
    I think the banks have moved on from that, especially in light of all the recommendations from cybersecurity experts these days about the advantages of password managers. Lloyds bank for example encourages you to "Use a different, strong password for each account you have. You can use your browser to help you remember them all." (https://www.lloydsbank.com/help-guidance/protecting-yourself-from-fraud/bank-safely-protect-your-passwords.html#:~:text=Use a different, strong password,it easier to log in.).

    Note that that is a recommendation to use password managers generally, not Google password manager specifically. I wholeheartedly agree with the discussion in your other thread about using dedicated password manager software, particularly open source password managers such as BitWarden, rather than the tacked on afterthought that is a browser-based password manager.

    Ultimately, if your internet banking was somehow breached and the bank decided that you didn't take enough care of your banking credentials they could deny any refund. When you ultimately complained about it and escalated it to the FOS, I'm not sure how the banks could justify recommending against following industry best-practice regarding cybersecurity.
  • Section62
    Section62 Posts: 8,201 Forumite
    Third Anniversary 1,000 Posts Name Dropper
    GeoffTF said:

    Memorable names, like the name of your favourite film when you do not have one are the real pain.
    These can be made up... and don't necessarily have to be the thing asked for. To some extent not naming (say) your favourite film gives a marginal improvement in security, as guessing something which isn't a film name is harder than guessing a real film name.

    E.g. Favourite film name = "Gaumont" (the cinema chain where I watched my first film without my parents)

  • GeoffTF
    GeoffTF Posts: 1,601 Forumite
    Second Anniversary 1,000 Posts Name Dropper Photogenic
    PRAISETHESUN said:
    Ultimately, if your internet banking was somehow breached and the bank decided that you didn't take enough care of your banking credentials they could deny any refund. When you ultimately complained about it and escalated it to the FOS, I'm not sure how the banks could justify recommending against following industry best-practice regarding cybersecurity.
    I do not believe that is an issue. The bank is not going to know whether you have used a password manager. They might strongly suspect it if you used one that was very widely used and it was hacked, but they would have no proof. If someone else succeeds in logging into your account and syphoning off money, they have to prove that you have been negligent. It would be difficult for them to prove that. Nonetheless, you do not want that situation to arise. Banks can be very difficult even if they do compensate you in the end.
  • jbrassy
    jbrassy Posts: 793 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    I use a password manager (1Password) for all my logins. I think your login credentials would be considered secure. To access your banking passwords, they would need to know the password for your phone or laptop, the password for your password manager, and somehow get through 2 factor authentication with the password manager. 

    If you use a reputable password manager (such as 1Password or Bitwarden) and create unique, random, and long passwords for different websites, this is far more preferable than using the same password over several websites.
  • RG2015
    RG2015 Posts: 5,948 Forumite
    Eighth Anniversary Photogenic First Post Name Dropper
    RG2015 said:
    I started a new thread today titled Google Password Manager but this was moved from this board to the techie stuff board. I guess this is fair enough although my main concern is protecting my financial data hence I originally posted here.

    I do not believe that my banking passwords are easy to guess and I keep my apps and software up to date. A very strong password is impossible to remember without a password manager.

    Am I therefore complying with the banks' requirements to keep my login credentials secure?

    Wasn't there once a suggestion that using a password manager was in breach of the requirement not to reveal passwords to anyone? 
    I think the banks have moved on from that, especially in light of all the recommendations from cybersecurity experts these days about the advantages of password managers. Lloyds bank for example encourages you to "Use a different, strong password for each account you have. You can use your browser to help you remember them all." (https://www.lloydsbank.com/help-guidance/protecting-yourself-from-fraud/bank-safely-protect-your-passwords.html#:~:text=Use a different, strong password,it easier to log in.).

    Note that that is a recommendation to use password managers generally, not Google password manager specifically. I wholeheartedly agree with the discussion in your other thread about using dedicated password manager software, particularly open source password managers such as BitWarden, rather than the tacked on afterthought that is a browser-based password manager.

    Ultimately, if your internet banking was somehow breached and the bank decided that you didn't take enough care of your banking credentials they could deny any refund. When you ultimately complained about it and escalated it to the FOS, I'm not sure how the banks could justify recommending against following industry best-practice regarding cybersecurity.

    Although Lloyds do talk about browsers which I do find interesting.

    Use a different, strong password for each account you have. You can use your browser to help you remember them all.

    Your browser settings should let you save each password. Browser security is very good, so it’s a safe thing to do and makes it easier to log in.

  • PRAISETHESUN
    PRAISETHESUN Posts: 4,018 Forumite
    Sixth Anniversary First Post Name Dropper Photogenic
    Section62 said:
    GeoffTF said:

    Memorable names, like the name of your favourite film when you do not have one are the real pain.
    These can be made up... and don't necessarily have to be the thing asked for. To some extent not naming (say) your favourite film gives a marginal improvement in security, as guessing something which isn't a film name is harder than guessing a real film name.

    E.g. Favourite film name = "Gaumont" (the cinema chain where I watched my first film without my parents)

    Additionally, using "fake" information makes it much harder for someone to use social engineering to figure out answers to these questions - think of all those quizzes on social media and the like that want to know your mother's maiden name or other personal information. Even better if you use a secondary password as the answer to your secret questions - you might not have heard about the small indie film called L"$G*iJ(2_!, but it's one of my favourites!