51

Consider a user who wants to use a password manager for their banking passwords. Advice from banks usually says they should never write down their password. The user would be concerned about going against that advice, as it could mean their bank would refuse to accept liability for any fraud that may occur on their account.

So, can they use a password manager? Does storing the password encrypted count as writing it down?

This is a legal and policy question; I am already aware of the technical risks and benefits of using a password manager. Answers may be country specific (and even bank specific). I'm in the UK but I am interested in answers from anywhere in the world.

paj28
  • 34
    I wonder if some day, people will be asking whether it's okay to store their authentication information in their brainmeats instead of using a secure electronic record. – user2357112 Jun 04 '14 at 01:32
  • 1
    Can you give a specific citation or quotation to exactly what the bank says? Have you looked in their terms of service and the rest of the contractual agreement? (where many banks give the fine print on what promises they are making and what your responsibilities are) This sounds like a case where a vague or imprecise "game of telephone" could easily cause the requirement to be misunderstood, so it's important to look at specifics. – D.W. Jun 04 '14 at 16:52
  • 1
    @d-w from what I've seen wording varies but some examples of what paj is talking about from http://www.halifax.co.uk/aboutonline/security/protect-yourself/ "Never let your passwords be known to anyone and don't write them down". From http://www.santander.co.uk/csgs/Satellite?c=Page&canal=CABBEYCOM&cid=1237899888304&empr=Abbeycom&leng=en_GB&pagename=Abbeycom%2FPage%2FWC_ACOM_TemplateA1 "Keep your personal Passcode and Registration number safe, and avoid writing them down" – Rory McCune Jun 04 '14 at 19:56
  • 1
    Why even use a password manager when it relies on machinery? Paper doesn't require batteries. Even if you write them down, you can obfuscate web site names. So if someone were to steal them, they would just see username and passwords. I think paper and storing in a safe is probably the best in this regard. – Engineer2021 Jun 05 '14 at 17:20
  • 6
    Banks also cap the length of your password at 16 characters when they feel like it, and still use 4-digit PINs for important operations. They're not the word of god on security matters. – Superbest Jun 05 '14 at 17:33
  • 1
    What clause have you seen that prohibits the user from writing down the bank password? Does it also preclude the bank's website itself? If not, then we need to see the clause to interpret it. – user541686 Jun 06 '14 at 02:09
  • @Mehrdad - a number of such clauses are linked from other answers and comments. I don't have a particular bank in mind - this is a general question. – paj28 Jun 06 '14 at 08:14

9 Answers

31

I am not a lawyer, but a properly constructed password manager stores passwords approximately as securely as any modern banking system.

I can't speak to the legality of using a password manager, but I can say that on a philosophical level, anywhere a personally provided password is acceptable as identification, a (properly constructed) password manager password is acceptable.

(Edit: Adding a password to a properly constructed password manager is not equivalent to simply writing them down.)

40XUserNotFound
Williham Totland
  • 8
    A password manager is in no way as secure as the banking system. A key function for a password manager is that it is in some way capable of reconstituting the original password. A properly designed password hashing system is **incapable** of *ever* reconstituting the required password without computing effort so enormous it's functionally impossible. – Fake Name Jun 04 '14 at 04:02
  • 34
    @FakeName which is totally irrelevant because the password manager itself is protected by a pure hashed password which can also never be reworked. So, it is exactly as safe as any other login system. – F.P Jun 04 '14 at 06:37
  • 20
    @FakeName I've done consultancy work for a couple of large banks. I would say that their systems are typically slightly less secure than the best password managers. The banks often use older systems with slightly dated algorithms - I've never seen them use PBKDF2 for example. – James_pic Jun 04 '14 at 09:57
  • 4
    "[...]stores passwords [...] securely as any modern banking system." - except that the bank does not store the password? – Volker Siegel Jun 04 '14 at 23:39
  • @VolkerSiegel: In an ideal world, this is true. The world we live in is not ideal; and the world of banking is even less so. – Williham Totland Jun 05 '14 at 06:53
  • @WillihamTotland that's so true... but being an optimist, I still hope that banks do not save plain text passwords. – Volker Siegel Jun 05 '14 at 06:59
  • @VolkerSiegel: In any case, that's why I used the word "approximately": most banks probably hash the password and store the hash, so that's (in theory) more secure than the password manager, some banks don't, which is far less secure, and some banks do, but use bad hashes, which is a little less secure. On average, approximately as secure. – Williham Totland Jun 05 '14 at 07:02
  • 3
    @VolkerSiegel see http://security.stackexchange.com/questions/10938/is-my-bank-storing-my-password-in-plain-text - this is common in the UK, my bank will ask me for the third and fifth letters of my password (for example) if I call them on the phone, which implies strongly that they are using encryption rather than hashing. – moopet Jun 06 '14 at 08:39
  • 1
    Wait, did you just say that a bank openly *asks* people on the phone to **spell out their online banking password**? (even if not all at once) – Volker Siegel Jun 06 '14 at 10:35
  • 1
    @VolkerSiegel, Notionally there is a difference between the 'on-line' passwords and the 'customer service' (telephone) passwords. No individual service agent (or whatever they are called) gets to hear your full telephone password. The banks use layered security of varied quality, and (most) do payout on mistakes. Any use of a password manager by an individual should also be part of their layered security so you/they don't have all the eggs in one basket. My work bans password managers because of that, but does permit/suggest using reminder phrases. – Philip Oakley Jun 06 '14 at 16:01
  • @PhilipOakley That's much better indeed! Yes, I have seen something like this - they used an extra password explicitly for this identification on the phone. The interesting part was, that they took great length to not make the customer see it as "the other password" about "some other kind of security" - more like "By the way, that line of the form is for the id word of the hotline, can be something simple like red or so." I expect they did really manage to not confuse the non-technophile customers. (It somewhat relies on brute-force-hacking passwords over a clerk is hard.) – Volker Siegel Jun 06 '14 at 17:35
  • 1
    Perhaps the bank stores credentials in a non-recoverable form, but that doesn't make it more secure as an end-to-end *system*. You have to consider what that password hash is actually protecting - generally, that would be unencrypted, queryable transaction data. So the bank has unencrypted transaction data protected by a hash; throw in a password manager, and the system becomes unencrypted transaction data protected by a recoverable password protected by what is probably a stronger hash (master password). The latter scenario usually provides equal if not stronger protection. – Aaronaught Jun 07 '14 at 03:29
  • @VolkerSiegel I used to work for a bank that stored its customers passwords in a totally reversible manner (using a home-made encryption algorithm). They got hacked once and the user passwords database leaked. Fortunately, they anticipated this kind of problem and acted preemptively by buying a lot of press companies, making sure the information never went public. – ereOn Jun 07 '14 at 07:26
  • Interesting - that security risk mitigation strategy creates something like an inverse monopoly (!) - assuming one needs more than half of the press companies that can be bought to suppress it. At least not all can use it - some need to encrypt! (Did I say I'm an optimist?) – Volker Siegel Jun 07 '14 at 09:21
  • @FakeName, whether or not the bank's server-side security is better than the password manager, it seems that your password is more at risk of exposure on the wire (from vulnerabilities in TLS and in the CA system) than in your password manager. – Peter Taylor Jun 07 '14 at 10:20
  • I asked Santander (UK) and got "Our terms and conditions advise you should not write down your passwords, however if you wish to use a password manager this would have to be your own choice, and you could do so if you wish and this will be at your own risk." So you can use one but... – Philip Oakley Jun 08 '14 at 11:51
20

I'm a lawyer in Germany. Here the special conditions between customer and bank are part of the contract. So we are talking about a clause in these special conditions prohibiting the use of a password manager.

I went to the site of my bank, pulled up the conditions, and indeed it says the customer is not allowed to store the password on his PC.

So this clause forbids storing my pw on the PC. The question is, do I really store the password inside the password manager, or do I "store" something like 23%%4l5ksa0ß90ßv9w6&!? And is this a legal clause?

I appreciate your question!


Edit: How to solve the problem? -- As paj28 asks. I'm not even sure that the people who wrote those conditions are aware of the progress we, the users, made during the last years. We use pw-managers because an existence online is impossible without one.

So the clause should be altered: The customer is not allowed to store the password unencrypted on any IT-device. Or something like this.

I'll write to the association of my bank and ask. If I ever get a serious answer (not blabla, dear customer, we very much appreciate, but mucho complicado...), I'll report on the outcome.


Finally ! Storing passwords encrypted will be ok (2019!)

In June 2019 I got new terms & conditions from my bank and one of the clauses says that the customer of the bank (= me) is not allowed to store the authentication secrets unsecured on my computer. So storing passwords, transaction numbers, whatever using a password manager or encryption finally is ok!

The bank (a »Volksbank« in Germany) has a record of caring about the customer's side of encryption. They offered even gpg-encrypted e-mails, which I really appreciated. It is a local bank and I won't swap them for an internet based bank.

Keks Dose
16

I have never heard of this so I can't say for sure, but I would guess that the original premise is flawed: I don't think any bank would have a policy stating they will not insure your account against fraud if you store your password somewhere outside of your own head. Enforcing that rule would require passwords to be easy to remember, and consequently easy to guess. The most secure passwords are long random character strings, which most humans would have to write down or store somewhere. The bank may "advise" you not to write down your password on a piece of paper where others can see it, but asking you not to record it anywhere would reduce security, not enhance it. Of course, I'd have to read the particular bank's conditions to know for sure.

Furthermore, it seems pointless for a bank to have a rule like this because you could always lie and say you didn't store it anywhere. It would be a nearly unenforceable rule.

Edit: despite what I think, here's a bank that has the rule you are referring to, although it is somewhat vague: http://www.amp.com.au/accountacessandoperatingconditions (See page 7). The short of it is: "Memory Aids" are allowed but you must take "reasonable" measures to ensure it is not compromised. I would interpret that to mean an encrypted password manager is more than adequate.

TTT
  • 4
    'The most secure passwords are long random character strings, which most humans would have to write down or store somewhere.' - True, but banks aren't always with the times on these things. My bank (one of the four largest in Australia) had a maximum password length of 8 characters until a few years ago... – sapi Jun 03 '14 at 23:23
  • 4
    My bank's advice is to "never write down your passwords - or store them on your computer" (http://www.natwest.com/global/security/security-advice/protect-yourself/stay-safe/passwords.ashx). OTOH, that's just their user facing advice. Their actual legal terms are different: "You must not disclose your Security Details to any other person or record your Security Details in any way that may result in them becoming known to another person". That "may" is troubling. Anything you do with your password *may* result in somebody else knowing it, at least at a theoretical level. – Jules Jun 04 '14 at 00:00
  • 2
    @sapi - you just reminded me of perhaps my favorite stack exchange answer of all time: http://security.stackexchange.com/questions/33470/what-technical-reasons-are-there-to-have-low-maximum-password-lengths – TTT Jun 04 '14 at 02:17
  • 2
    @jules - I agree. "May" leaves the door open for the lawyers. For example, if you are held at gunpoint and you reveal your password, well you just "disclosed your security details to another person" and that's not allowed! I hope reason and good sense will prevail. – TTT Jun 04 '14 at 02:26
  • @TTT: *not allowed* is not exactly right. The bank is not going to sue its customers, who were the ones losing their money anyway. They *are*, however, going to do their best to avoid having to cover the damage... – thkala Jun 04 '14 at 16:30
3

Well really the point of this advice is more along the lines of "Don't put your password anywhere". As otherwise stated, this is a legal statement intended to cover the bank's asses in case the password gets stolen.

In the sense of a password manager, it's really nothing more than writing your password in a book and storing it in a safe.

If someone were to find the key to your safe, open it, find your password in the book and use it to empty your bank account, then the bank couldn't be held liable at that point because it was your fault for having it available.
In the same sense then, your password manager is the safe. In the event that someone manages to breach the security of your password manager, then any information that can be obtained by said password manager is still the liability of the person who put the information there.

tl;dr: I would have to say no, in the legal sense it wouldn't matter what kind of superstitious protection you're using, you've still written your password down in such a way that it can be retrieved.

  • 1
    There are many kinds of password managers. Eg some are taking website url AND typed-in password to create a hash that's sent to the bank as the password - in this case the password is not stored anywhere except the user's memory. (But it is processed by a potentially malicious third-party tool) – Agent_L Jun 04 '14 at 13:42
  • Regardless, that's still a point of access to the bank account that a potentially malicious individual could exploit. In that case, the bank can still maintain that it isn't liable if this was used as an attack vector. –  Jun 04 '14 at 15:40
  • I agree that this is a question of liability. It is possible to start a brute force attack on a password manager. However, in almost all cases it is impossible to attack a four-to-eight-digit-pin on a bank card in the same way because after +/- three trials the card will be locked. – Claude Jun 11 '14 at 13:34
1

In many cases it's not advice, banks are putting it in their terms and conditions that users do not write their passwords down or divulge them in any way, or forfeit any credit and payment protection. So admitting to using a password manager would be a bad idea as banks could use that as an excuse not to help.

Can people still use password managers? Sure, as long as they remember not to mention it if the worst happens. The thing is, most people have only one bank, so one password - why should they need a password manager for that?

GdD
  • 1
    Could you provide a link to a bank's terms and conditions stating this? I'd love to attempt to dissect it because it seems like a bad precedent to me... – TTT Jun 03 '14 at 21:24
  • I found one- I added a link in my answer. – TTT Jun 03 '14 at 21:55
  • Another is here, and somewhat less reasonable than the ones you found: https://www.nwolb.com/TermsAndConditions.aspx – Jules Jun 04 '14 at 00:06
  • 8
    _"The thing is, most people have only one bank, so one password - why should they need a password manager for that?"_ - I already have dozens/hundreds of **other passwords** stored in a password manager - why should I make an exception and store this one somewhere else? – user11153 Jun 04 '14 at 12:01
  • @user11153, because storing your bank password may violate the bank's T&Cs and expose you to liability. – GdD Jun 04 '14 at 12:20
  • 5
    *"one bank"*? This assumption is just that, an assumption. Most people that I know use more than one bank. The reasons vary from past employers using another bank to the person having chosen a loan, insurance or banking program with better terms. Not to mention having to also memorize a bunch of different passwords and PIN numbers even for products of *one* bank... – thkala Jun 04 '14 at 16:21
  • I don't feel comfortable advising people to lie, or even just lie by omission. If I'm going to advise people to use a password manager, I want them to feel confident this is a good thing to do. – paj28 Jun 06 '14 at 08:39
1

Banks would advise not to write down your password as it would make it accessible to everyone who is able to get his hands on whatever notebook/paper/note you used to write it down and is able to read. By analogy, using a password manager would make the password accessible to anyone who is able to use the machine with the password manager and knows how to use it (which I would call as accessible a skill as reading).

Should you use a password manager, and how safe is it? Well, it mostly comes down to your personal culture of regulating access to your computer and the overall security of the system. If you're not letting strangers use your machine, and have a user account password and a master password for the password manager, I see no problem in utilizing a password manager. It's not safer than memorizing your password by any means, but in case unauthorized access to your account happens because of someone taking advantage of the password manager, most banks (or at least those which I happened to work with) won't just put the whole blame on you and would help to recover the damage, especially if you are able to prove that your password wasn't easily accessible and you've done the required minimum of precautions.

JagdCrab
  • 1
    The point of a password manager, is to secure passwords in encrypted format that requires a strong "master password" to access. "Other people" _are not_ able to read passwords, even if they know how to use password manager, or mount cryptographic attacks on the password store. Store is designed to resist all reasonably plausible cryptographic attacks. – Thomas W Jun 04 '14 at 03:44
  • 1
    @ThomasW: except when your computer is compromised the master password is easily obtained via keylogger. I'd argue that it's in practice much less secure than the plaintext password written down on a piece of paper you keep in your home. – Michael Borgwardt Jun 04 '14 at 11:37
  • @ThomasW: Lots and lots of password managers (especially those which are built into browsers, such as the pretty popular LastPass) by default would type the password for you on demand without requiring you to provide the master password. Then you don't even have to know the password at the end of the day to gain access to the bank's web application. – JagdCrab Jun 04 '14 at 13:46
  • 1
    @Michael Borgwardt: Some password managers like KeePass have security features to protect against keyloggers. The master password can be entered on the [secure desktop](http://keepass.info/help/kb/sec_desk.html) and the stored passwords can use [two-channel auto-type obfuscation](http://keepass.info/help/v2/autotype_obfuscation.html). I won't claim that these measures will work against all keyloggers but typing the plain text password from a piece of paper while there is a key logger running on your system is certainly less secure. – mgronber Jun 04 '14 at 14:10
  • 1
    I would argue that if the machine is compromised then whether the password is copied/pasted from a password manager or typed in by the user from memory is irrelevant... – thkala Jun 04 '14 at 16:25
  • It appears that with a _good_ password manager, user is more secure on a compromised machine using password manager than typing directly. Thanks @mgronber. – Thomas W Jun 04 '14 at 23:06
1

Storing the password in a decent password manager is likely more secure than whatever method most of the people complying with the policy are using.

It may be that a typical password manager is violating the word of the policy, but probably not the spirit of the policy, since the password manager is more secure. What the implication of that is in an actual case is a question for a lawyer - not a security expert.

Storing an encrypted version of the password is the most obvious way to implement a password manager, but it is not the only way. A password manager does not necessarily have to store the password at all.

A password manager could generate passwords based on the following inputs:

  • Master password
  • Name of site the password is for
  • Which month was the password generated
  • What is the password policy of the site

If you feed all of the above as seed to a PRNG and use that to generate a uniformly random password among all of the passwords permitted by the policy, then the password should be just as secure. The only information you need to store is when the password was created plus some information which is not secret.

The real purpose of an approach like this would be to avoid losing passwords due to lack of backups. But as a side effect it would work around policies that do not allow storing the password.

kasperd
  • Good point. I've generally felt that storing a set of password encrypted is a better approach for a password manager, as it allows you to change the master password, and prevents individual sites brute forcing your master password. However, you are right that the hashing approach avoids storing anything! – paj28 Jun 06 '14 at 08:36
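The scheme kasperd describes (master password, site name, month and policy in, a uniformly random policy-compliant password out, nothing secret stored) as an added, self-contained example; this is not kasperd's code or any real password manager's. It assumes PBKDF2-HMAC-SHA256 as the "PRNG seeded with the inputs" (the answer does not name one), an HMAC counter stream for the random bytes, and a constructed sample policy `BANK_POLICY` for a hypothetical bank.

```python
"""Stateless password derivation (added example, not kasperd's code).

Inputs, as listed in the answer: master password, site name, the month the
password was generated, and the site's password policy. Nothing secret is
stored; only (site, month, policy id) need to be remembered or written down.
Assumption: PBKDF2-HMAC-SHA256 stands in for the answer's unspecified
"PRNG seeded with the inputs"; an HMAC counter stream then yields bytes.
"""
import hashlib
import hmac
import string

# Constructed sample policy (hypothetical bank): 16 chars, must contain at
# least one lowercase letter, one uppercase letter and one digit.
BANK_POLICY = {
    "id": "bank-v1",
    "length": 16,
    "alphabet": string.ascii_letters + string.digits + "!#%&*+-=?@_",
    "required": [string.ascii_lowercase, string.ascii_uppercase, string.digits],
}


def derive_seed(master_password: str, site: str, month: str,
                policy_id: str, iterations: int = 100_000) -> bytes:
    """Slow KDF over the master password; site/month/policy act as the salt so
    the same master password gives an unrelated stream for every site."""
    salt = "\x00".join([site, month, policy_id]).encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


class HmacByteStream:
    """Deterministic byte stream: HMAC-SHA256(seed, counter), one block at a time."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0
        self.buf = b""

    def next_byte(self) -> int:
        if not self.buf:
            self.buf = hmac.new(self.seed, self.counter.to_bytes(4, "big"),
                                hashlib.sha256).digest()
            self.counter += 1
        b, self.buf = self.buf[0], self.buf[1:]
        return b


def uniform_index(stream: HmacByteStream, n: int) -> int:
    """Uniform integer in [0, n) by rejection sampling over 16-bit values,
    so no alphabet position is favoured by a modulo bias."""
    limit = (65536 // n) * n
    while True:
        v = (stream.next_byte() << 8) | stream.next_byte()
        if v < limit:
            return v % n


def generate_password(master_password: str, site: str, month: str,
                      policy: dict) -> str:
    """Uniform over all passwords the policy permits: draw uniformly from
    alphabet**length and reject candidates that miss a required class."""
    alphabet, length = policy["alphabet"], policy["length"]
    stream = HmacByteStream(derive_seed(master_password, site, month, policy["id"]))
    while True:
        candidate = "".join(alphabet[uniform_index(stream, len(alphabet))]
                            for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in policy["required"]):
            return candidate


if __name__ == "__main__":
    # Same inputs give the same password on any machine; bump the month to rotate.
    for month in ("2014-06", "2014-07"):
        print(month, generate_password("correct horse battery", "bank.example",
                                       month, BANK_POLICY))
```

Rejecting candidates that miss a required character class keeps the output uniform over exactly the set the policy allows, as the answer requires. The trade-off paj28's comment points at is visible here: the master password is the only secret, so it cannot be changed without re-deriving every site's password, and each site receives a value derived from it.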
1

It's a technicality, but when I type my password into a website, the browser is "capable" of being a password manager. Therefore, if they request that you never write down your password, and include a password manager in that, entering it into a browser would be a violation of the terms. Now, since they have you use the "website", whose primary means of access is a browser, they are forcing you to break the terms of service.

At that point, it really becomes a question of if they are forcing you to use a password manager, can they say that you violated the terms of service?

Also, just because something is in the terms of service does not mean it can be upheld if it's not reasonable; see here and here.

Jdahern
  • All online banking systems I've seen set autocomplete=off on the login form for exactly this reason. +1 because of your last paragraph which is a good point! – paj28 Jun 06 '14 at 08:34
  • @paj28 autocomplete=off is a false sense of security. With current Chrome, FF, Safari, IE10 and below, that is fair. IE11 for some strange reason changed everything. According to msdn.microsoft.com/en-us/library/ms533486%28VS.85%29.aspx "As of Internet Explorer 11, the autocomplete property is no longer supported for input type=password fields." But their one and only example of how to use autocomplete: "". To me this makes no sense, and there is no good justification for this either. But it goes to show that you can't trust a browser. – Jdahern Jun 07 '14 at 04:38
0

In my experience, in the U.S., banks accept little to no responsibility for fraud resulting from a stolen password. It is typically right in the terms of service that you are responsible for anyone accessing your account using your credentials. That is WHY they advise you not to write them down. They may assist you depending on the circumstances, but I'm pretty sure that they are under no obligation to do so.

That being said, I use a password storage tool (1Password) all the time and am quite content with the level of security it provides me in keeping my 800+ passwords safe. (Obviously, those aren't all banking passwords... ;-) It also keeps each entry in its own file for easy/quick syncing with Dropbox or similar cloud sharing services.

The only protection banks usually guarantee to provide is for credit card fraud, (or outright theft, of course, as in a bank hold-up.)

MrWonderful
  • I didn't know that (and I'm not convinced you're correct) but in Europe it is completely different, at least for consumers. Your bank covers fraud in almost all circumstances, unless you have been negligent. – paj28 Jun 06 '14 at 08:35
  • @paj28 - In response to your comment, I reviewed my bank's (Chase) terms of service looking for any guarantees of protection and found none. They mention things like 'you should promptly notify us in the case of suspected fraud' so they can 'assess how best to help you.' Lots of things like that, but no stated liability for anything. They may work with you, at their discretion, to restore your balances, but, again in my opinion, that would be most likely if they can recover the funds inappropriately removed. Or perhaps if you are a long-term/favorite/highly-desirable customer. – MrWonderful Jun 06 '14 at 17:49
  • @paj28 - I also updated my answer accordingly. Thanks! – MrWonderful Jun 06 '14 at 17:50
  • @MrWonderful, Thankfully in the US, Federal laws (and State laws) still do supersede a bank's own Terms of Services and a bank's own judgement. For instance, The Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA) have precise requirements for limiting a bank's liability vs. a client's liability for fraud, but they make no mention of stolen passwords or stolen pins. http://www.consumer.ftc.gov/articles/0219-disputing-credit-card-charges http://www.consumer.ftc.gov/articles/0218-electronic-banking – Stephan Branczyk Jun 08 '14 at 02:59
  • In the case of debit cards, take a look at the second link I provided regarding the Electronic Fund Transfer Act (EFTA). That Act is more relevant to debit cards than the other Act. And as long as you report the fraud promptly, it doesn't matter if someone captured your pin with a photo-lens/shoulder-surfing, or if you have a malicious keylogger installed on your computer, your liability is limited based on how much time you take to reasonably discover and report the fraud to your bank. – Stephan Branczyk Jun 08 '14 at 03:11