Security for banking login credentials
RG2015
Posts: 5,948 Forumite
I started a new thread today titled Google Password Manager but this was moved from this board to the techie stuff board. I guess this is fair enough although my main concern is protecting my financial data hence I originally posted here.
I do not believe that my banking passwords are easy to guess and I keep my apps and software up to date. A very strong password is impossible to remember without a password manager.
Am I therefore complying with the banks' requirements to keep my login credentials secure?
Wasn't there once a suggestion that using a password manager was in breach of the requirement not to reveal passwords to anyone?
0
Comments
-
A very strong password does not help if the bad guys have installed a key logger on your machine. A password manager does not necessarily share your password with anyone, but how do you know? Santander just requires a five-digit PIN to log on, but often requires you to type a code sent to your mobile phone to make payments or make changes.
I make passwords up from several pieces, and keep a crib sheet to remind me what each piece is. An example of a password piece might be the name of the town where you dropped your keys down a drain. Nobody else is likely to guess that, even with a clue.
Passwords are not a big problem, because they can be reset. Memorable names, like the name of your favourite film when you do not have one, are the real pain.
2
-
RG2015 said: I started a new thread today titled Google Password Manager but this was moved from this board to the techie stuff board. I guess this is fair enough although my main concern is protecting my financial data hence I originally posted here.
I do not believe that my banking passwords are easy to guess and I keep my apps and software up to date. A very strong password is impossible to remember without a password manager.
Am I therefore complying with the banks' requirements to keep my login credentials secure?
Wasn't there once a suggestion that using a password manager was in breach of the requirement not to reveal passwords to anyone?
People are either going to reuse the same simple passwords and question/answers across multiple services (bad), or opt for a password manager (better). Regardless of how banks 'might' view password managers, they are pretty much a necessity these days for generating and maintaining unique, complex login credentials. What more banks should be focusing on is providing customers with an option for strong 2fa (SMS is inferior to something like Google's Authenticator app on Android - slight tangent but worth mentioning that the in-built iOS password manager recently received support for generating 2fa authentication codes).
Anyway, what matters more is the password manager that you do choose - who are the people behind it, how is it implemented, how secure is the code, what about any online storage/syncing component? There have been various issues with several providers over the years - most recently with LastPass. Personally, I am far more likely to trust Apple or Google's own in-built closed-source implementations than some random smaller developer, and while I do make extensive use of the password manager on iOS, I have no need to store banking credentials on there. When it comes to desktop/laptop, I have a preference for KeePass, or one of its variants (KeePassXC on my main Linux Mint system). It's open source, well established and the database is stored locally.
1 -
A good way to generate a strong password that you can remember rather than having to write it down or store it is to use the first letters from a phrase that you can memorise easily. For example 'This is the password to log on to my bank account' would give you a password of 'Titptlotmba' - or in leet, 'T1tptl0tmb4'
1
-
GeoffTF said: A very strong password does not help if the bad guys have installed a key logger on your machine.
1
-
RG2015 said: I started a new thread today titled Google Password Manager but this was moved from this board to the techie stuff board. I guess this is fair enough although my main concern is protecting my financial data hence I originally posted here.
I do not believe that my banking passwords are easy to guess and I keep my apps and software up to date. A very strong password is impossible to remember without a password manager.
Am I therefore complying with the banks' requirements to keep my login credentials secure?
Wasn't there once a suggestion that using a password manager was in breach of the requirement not to reveal passwords to anyone?
Note that that is a recommendation to use password managers generally, not Google password manager specifically. I wholeheartedly agree with the discussion in your other thread about using dedicated password manager software, particularly open source password managers such as BitWarden, rather than the tacked on afterthought that is a browser-based password manager.
Ultimately, if your internet banking was somehow breached and the bank decided that you didn't take enough care of your banking credentials they could deny any refund. When you ultimately complained about it and escalated it to the FOS, I'm not sure how the banks could justify recommending against following industry best-practice regarding cybersecurity.
1 -
GeoffTF said: Memorable names, like the name of your favourite film when you do not have one are the real pain.
These can be made up.... and don't necessarily have to be the thing asked for. To some extent not naming (say) your favourite film gives a marginal improvement in security as guessing something which isn't a film name is harder than guessing a real film name.
E.g. Favourite film name = "Gaumont" (the cinema chain where I watched my first film without my parents)
1 -
PRAISETHESUN said: Ultimately, if your internet banking was somehow breached and the bank decided that you didn't take enough care of your banking credentials they could deny any refund. When you ultimately complained about it and escalated it to the FOS, I'm not sure how the banks could justify recommending against following industry best-practice regarding cybersecurity.
1 -
I use a password manager (1Password) for all my logins. I think your login credentials would be considered secure. To access your banking passwords, they would need to know the password for your phone or laptop, the password for your password manager, and somehow get through 2 factor authentication with the password manager.
If you use a reputable password manager (such as 1Password or Bitwarden) and create unique, random, and long passwords for different websites, this is far more preferable than using the same password over several websites.
1 -
PRAISETHESUN said: RG2015 said: I started a new thread today titled Google Password Manager but this was moved from this board to the techie stuff board. I guess this is fair enough although my main concern is protecting my financial data hence I originally posted here.
I do not believe that my banking passwords are easy to guess and I keep my apps and software up to date. A very strong password is impossible to remember without a password manager.
Am I therefore complying with the banks' requirements to keep my login credentials secure?
Wasn't there once a suggestion that using a password manager was in breach of the requirement not to reveal passwords to anyone?
Note that that is a recommendation to use password managers generally, not Google password manager specifically. I wholeheartedly agree with the discussion in your other thread about using dedicated password manager software, particularly open source password managers such as BitWarden, rather than the tacked on afterthought that is a browser-based password manager.
Ultimately, if your internet banking was somehow breached and the bank decided that you didn't take enough care of your banking credentials they could deny any refund. When you ultimately complained about it and escalated it to the FOS, I'm not sure how the banks could justify recommending against following industry best-practice regarding cybersecurity.
Use a different, strong password for each account you have. You can use your browser to help you remember them all.
Your browser settings should let you save each password. Browser security is very good, so it’s a safe thing to do and makes it easier to log in.
0 -
Section62 said: GeoffTF said: Memorable names, like the name of your favourite film when you do not have one are the real pain.
These can be made up.... and don't necessarily have to be the thing asked for. To some extent not naming (say) your favourite film gives a marginal improvement in security as guessing something which isn't a film name is harder than guessing a real film name.
E.g. Favourite film name = "Gaumont" (the cinema chain where I watched my first film without my parents)
0