An open letter to banks
by Megan O'Brien
Many banking sites impose password restrictions and security measures that do little to increase user security, while ultimately making it more difficult for users to rely on password managers to fill their complex passwords.
These security measures include putting a limit on maximum password length and restricting the ability to paste passwords, with some banks claiming that having to memorize and enter your password regularly makes it more secure. For those of us who rely on 1Password (and other password managers) on a daily basis, this advice is cringe-worthy. Unfortunately, it’s really not all that uncommon in the banking world.
We want to help users stay safe with all of their accounts and logins, including banking. The ultimate goal would be to work hand-in-hand with banks and other financial institutions, creating passwords that meet their strict rules, and then keeping those passwords safe.
To help achieve that goal, I’ve written an open letter to banks and financial institutions everywhere to encourage them to take users’ security more seriously. I’m writing this not only as a member of the 1Password team who deals with security issues on a daily basis, but also as a concerned customer who just wants simple and secure access to her data.
I know you have my best interests at heart.
I know you’ve worked hard to put “safeguards” in place (such as disabling pasting into password fields, obfuscating usernames, spreading the login process across multiple pages and using “please input the nth character of your password” fields) to thwart various types of attacks. But the truth is that these security measures are not actually helping your users. Do you know what would really help your users? Longer, random passwords.
Using long, random, and unique passwords is the best defense that we, your customers, have against attackers. This advice is true for every site we have to sign into these days, and believe me, we sign into a lot more than just our financial sites. Keeping 100 or so strong and unique passwords memorized is not only a silly suggestion, it’s nearly impossible. Password managers help increase security by remembering these unique passwords for us, keeping them stored securely, and filling them in on websites so we don’t have to.
Many of the “security measures” you have in place serve only to make it more difficult for those of us who rely on password managers. Password managers are not your enemy here. In fact, encouraging the use of trusted password managers will do more for your users’ security than any of the measures you currently have in place.
You have an awesome opportunity here. Take the time to educate your users on the value of true security. Encourage users to adopt long, random, and unique passwords that never need to be stored in their brains. Make it easy for password managers to store and fill these secure passwords for your users in web browsers and mobile apps.
Now, it just so happens that there are a couple of very simple ways you can give your users easy access to their banking data in your mobile apps. We’ve written an App Extension API that can be added to your iOS app in 3 easy steps. The app extension will allow users to select their password manager of choice and fill their complex passwords into your form, with no typing required.
And with iOS 12, Apple is also introducing support for passwords in their QuickType Bar which will make filling passwords even easier. If you haven’t yet done so, make sure you’ve added an associated domain to your app and website so that Password AutoFill can show the best possible matches in the QuickType Bar.
1Password has been giving people control over passwords for over a decade, and it truly is a wonderful thing. We’ve been advocating for stronger, safer passwords for years, and we’d be so happy if you stood with us.
For now, passwords are a necessary evil. Remembering them shouldn’t have to be.
Please help us increase awareness of online security. Your users will be ever-so-grateful that you are taking their security seriously, and you’ll be making their lives a lot simpler too.
A hopeful user.
The good news is that some banks, like TD Canada, are already beginning to take strides that will allow them to integrate with password managers and even let users copy and paste in the password screen. These banks have a great opportunity here to set the standard for banking apps and give other financial institutions a secure example to follow. I’m excited to see what they come out with!
If you believe that banks should add 1Password (and other password managers) integration to their iOS apps, please consider sharing this open letter with your bank or other financial institution! #BanksNeed1Password
Want to keep your bank passwords and financial institution logins safe and secure? Sign up and get started with 1Password today!