An Open Letter from AgileBits

An open letter to banks

Update (2015-04-02): TD Canada Trust updated their iPhone app today re-enabling pasting in the login fields. It’s a great first step toward friendliness with security-conscious customers and password managers.

TD Canada Trust made quite a splash recently when it launched its redesigned iPhone app which disabled pasting in the password field. Users who embrace password managers for their online security were quick to point out their … well, ‘unhappiness’ with this decision. TD Canada’s original response to those users was unsettling:

Hi Steve, thx for stopping by. For ur security, your password should be committed to memory rather than using a password mgr. ^SB

The original tweet has since been deleted by @TD_Canada.

For those of us who rely on 1Password (and other password managers) on a daily basis, this advice is completely cringe-worthy … unfortunately, it’s really not all that uncommon in the banking world. Many banking and financial sites implement restrictions on password length, require certain special characters to be present, and put in place various ‘security theatre’ measures on their websites that do little for increasing user security, while ultimately making it more difficult for users to rely on password managers to fill their complex passwords in on the site. Why do they do this? Well, it’s difficult to know for sure, although our Chief Defender Against the Dark Arts does have a theory on the matter.

With the conversation about online security and banking so fresh in everyone’s minds, I thought now would be a great time to send a message out to banks and financial institutions everywhere to encourage them to to take users’ security more seriously. I’m writing this not only as a member of the 1Password team who deals with security issues on a daily basis, but also as a concerned customer who just wants simple and secure access to her data.

Dear banks,

I know that you have my best interests at heart.

I know that you’ve worked hard to put ‘safeguards’ into place (such as disabling pasting into password fields, obfuscating usernames, spreading the login process across multiple pages and “please input the nth character of your password” fields) to thwart various types of attacks.

But the truth is that these ‘security measures’ are not actually helping your users.

Do you know what would really help your users? Long, random passwords.

Using long, random, and unique passwords is the best defense that we, your users, have against attackers. This advice is true for every site we have to sign in to these days … and believe me, we sign in to a lot more than just our financial sites. Keeping 100 or so strong and unique passwords memorized is not only a silly suggestion, it’s nearly impossible for all but the most savant-ish of us. Password managers help us increase our security by remembering these unique passwords for us, keeping them stored securely, and filling them in on websites so we don’t have to.

Many of the ‘security measures’ you have put into place serve only to make it much more difficult for those of us who rely on password managers. Password managers are not your enemy here. In fact, encouraging the use of trusted password managers will do more for your users’ security than any of the measures you currently have in place.

You have an awesome opportunity here. Take the time to educate your users on the value of true security. Encourage users to adopt long, random, and unique passwords that never need to be stored in their brains. Make it easy for password managers to store and fill these secure passwords for your users (in web browsers as well as in mobile apps).

Now, it just so happens that there is a very simple way that you can give your users easy access to their banking data in your mobile apps. We’ve written an App Extension API that can be added to your iOS app in 3 easy steps. The app extension will allow users to select their password manager of choice and fill their complex passwords into your form, with no typing required.

1Password has been giving people control over passwords for almost 10 years now, and it truly is a wonderful thing. Our team built 1Password around the idea that being secure should never be compromised for convenience. We’ve been advocating for stronger, safer passwords for years, and we’d be so happy if you stood with us.

For now, passwords are a necessary evil. Remembering them shouldn’t have to be.

Please help us increase awareness of online security. Your users will be ever-so-grateful that you are taking their security seriously, and you’ll be making their lives a lot simpler too.

Signed, a hopeful user.

Since TD’s original response last week, they seem to have had a change of heart. A tweet from @TD_Canada on Saturday indicates that they are in fact working on an update that will allow copy and paste within their app … and possibly considering integrating password managers.

Hi Rick, we're working on providing our customers w/ the option to use copy/paste & PW managers. No dates to share yet. ^SK

This is incredible news! Without seeing the update, it’s hard to know exactly what they have in store for users, but they have a great opportunity here to set the standard for banking apps and give other financial institutions a secure example to follow. I’m excited to see what they come out with!

If you believe as I do that banks should add 1Password (and other password manager) integration to their iOS apps, please consider sharing this open letter with your bank. #BanksNeed1Password

45 replies
    • Andrew Costen
      Andrew Costen says:

      We’d love to help any banks integrate with our extension so that we can help everyone be more secure online, so definitely feel free to share this with them.

    • Andrew Costen
      Andrew Costen says:

      TD did delete the tweet. I like to think it means they realize that adding copy/paste support (and possibly 1Password support) is actually a good thing, so I’m looking at it as a hopeful thing.

  1. aomind
    aomind says:

    Seems that big corporations tend to fail on security, even at the most basic level. TD and Virgin Mobile have both called me on the phone and asked to answer security questions, which I declined to do as those were outbound calls. I explained that it is a flaw in their security protocols to ask those questions on the outbound calls, and not even escalating the calls would make them understand on the breach. So anyway, maybe a letter to TD’s CTO explaining how they lack security at all levels.
    Something so basic, it’s strange they don’t realize it.

    • Andrew Costen
      Andrew Costen says:

      I’ve heard of this happening with a number of banks, and agreed, it isn’t a particularly good security. I’m glad to hear you explained their mistake to them, and hopefully somebody somewhere read a report of the call and understood.

  2. Anonymous
    Anonymous says:

    “Your password should be committed to memory rather than using a password mgr.” Wow, I can’t believe banks hire morons like that. Anyway, I don’t use mobile apps for banking.

    • Andrew Costen
      Andrew Costen says:

      Fortunately, the mobile app isn’t necessary. The TD website is usable on iOS, and it does allow pasting. Still, one hopes that more banks will realize the truth about password managers.

  3. Denis
    Denis says:

    citibank did the same about a year or so ago. After a storm of 1-star ratings, it was very quickly reversed ( I think within a couple of weeks).

    • Robert.Walter
      Robert.Walter says:

      Citibank causes iCloud keychain to stumble and offer to save the masking asterisks as a new password.

      I understand the motivation behind the 2-page login used by companies like Verizon, US Bank, etc. (as a verification that the customer has landed on he real page), but I completely agree with the author of the open letter, that such measures cause folks to reuse simple easy to remember/crack passwords.

  4. Migs
    Migs says:

    American Express doesn’t allow 1Password direct fill of passwords. You have to manually copy the password from the 1P browser extension and paste it into the field.

    • Andrew Costen
      Andrew Costen says:

      We’d like all banks to eventually decide to allow password managers to log into their apps, so definitely feel free to pass this letter to your bank to promote strong security.

  5. Rick Truell (@Rick_Truell)
    Rick Truell (@Rick_Truell) says:

    “TD Canada Trust made quite a splash recently when it launched its redesigned iPhone app which disabled pasting in the password field”

    It’s not just the password field, it’s also the username/access card field. And while previous versions of the app (for at least a couple of years now) have allowed pasting in both fields, you couldn’t log in when doing so…they wouldn’t authenticate. This meant that I couldn’t use the app…while typing the info in manually *might* have worked, my password has always been random and unmemorizable enough that it would have been too much of a PITA to switch back-and-forth between the app and the password manager.

    “Many banking and financial sites implement restrictions … making it more difficult for users to rely on password managers to fill their complex passwords in on the site”

    To be fair to TD, since I started banking on-line with them using my desktop computer more than a decade ago, I’ve always had a fairly strong password and logged onto their web site using a password manager. It could be longer and thus stronger, but it’s a randomly-generated string of uppercase, lowercase and numbers, so it isn’t easily crackable. It’s only their mobile app that’s been a PITA.

    [PS. OMG! You used my tweet! I’m (in)famous! :-) ]

    • Andrew Costen
      Andrew Costen says:

      I’m glad we could help make you famous. :D

      I, too, appreciate that TD has allowed their EasyWeb logins to work with password managers, and I hope they bring that ability over to their mobile apps soon.

    • Andrew Costen
      Andrew Costen says:

      We’d love to help any apps integrate with our extension, not just financial institutions, so please feel free to share the article with the creators of any apps that could use our extension. The same details apply to everyone.

  6. Mike Karlesky
    Mike Karlesky says:

    I started using 1Password a year ago and slowly migrated all 200+ of my accounts over to unique, long, randomly generated passwords. It’s been a challenge but well worth it.

    I very much appreciate this open letter to banks. Financial apps and web sites are a real pain with regard to password management.

    I’ve also been burned numerous times now by websites whose account creation frontend allows a long password while the backend system includes an unpublished length limit. So an account is successfully created, but I’m unable to access it later—login limbo. It leads to multiple experiments with password resets or sometimes abandoning an account and making an entirely new one. Could you also embark on a campaign to educate developers on the practical implications of long, secure passwords in interface and systems development?

    • Marc
      Marc says:

      That ‘login limbo’ has happened to me several times too. That’s a very poorly designed and poorly tested login system. It makes one wonder what else the developers screwed up. It’s only security after all.

  7. Ben Smith
    Ben Smith says:

    Not to mention that for the longest time, passwords for TD’s EasyWeb were case-insensitive and subject to an eight-character maximum. I believe the case-insensitivity remains for users who haven’t explicitly updated their passwords recently.

  8. Julian H
    Julian H says:

    I am a member of Westpac Australia. Their login process is horrible. It assigns you am eight digit user number (which can be autofilled) but cannot be changed. User hostile because it is not easy to remember random eight digit numbers.

    The password can be a maximum of six characters, alphanumeric only, and not case sensitive. To enter it you have to move your mouse around on a virtual keyboard and click the appropriate keys. This cannot be autofilled, pasted into, and you cannot use your computer’s keyboard to enter the characters.

    I have emailed Westpac AU to complain about this, their reply was that it is for my own security and prevented keylogging. They did not take my concerns of password strength seriously at all.

    • Andrew Costen
      Andrew Costen says:

      Wow. That does not sound like an efficient way to log in when a password manager could eliminate that the risks. I hope they listen to you sometime in the future and do update their practices.

  9. Chris
    Chris says:

    On the Mac, Keyboard Maestro has a nifty feature that lets you enter characters in a field by emulated typing rather than pasting. I wonder if there is any clipboard manager for mobiles that lets you do the same thing?

  10. Alex
    Alex says:

    To a technically and security literate person, the things banks do about security sound insane, but it’s worth bearing in mind that banks are regulated industries and those regulations can hamper their efforts to offer customer-friendly features like support for password managers (I’m not saying regulation is bad, by the way – it’s very clearly needed).

    Just like the automobile industry has to (at least try to) protect people who don’t wear seatbelts, banks have to protect people that will be lax with their passwords. They have to assume all of their customers are morons. That’s not hyperbole – the bank have to actually think like someone who doesn’t think, and the bank has a duty of care to protect them.

    If someone used a password manager to protect their password, but the password manager had a password of “123”, the bank could be held liable by the regulator if the customer makes a complaint that someone accessed their account. It’s not even a matter of it standing up in court – it’s a regulatory issue and more often than not the regulator will slide with the customer.

    The banks have to control the whole process between them and the customer. This is why in the early days banks only supported specific web browsers – they needed to ensure that they didn’t allow their customers to access their accounts via a means that they could not vouch for. Over time, the landscape changed, the banks and the regulators became more understanding of the technologies involved.

    • Andrew Costen
      Andrew Costen says:

      You do raise some good points. Hopefully the landscape has changed enough by now, though, to allow password managers to fill in banks’ mobile apps. TD’s more recent responses at least make me optimistic that this might happen.

    • Matt
      Matt says:

      How does your program protect against the points above?

      Many banks choose to insure or indemnify their clients against online fraud. Specifying minimum requirements for passwords presumably reduces the risk of the passwords being broken. The banks can’t issue the clients with a random password to use, so they set some requirements to make it more difficult to guess or brute force.

      If I have one password for a password manager, does that not decrease my security because once they crack one password they crack them all? I guess that is only a problem if they have my computer (or temp access to it), a Trojan on my computer, or if the password manager includes some type of web based access or secure online storage.

      I’m not try to put down your program, I’m just curious.

    • Andrew Costen
      Andrew Costen says:

      Minimum character length requirements are great. The problem is that many banks have ridiculously low minimum character lengths (thankfully not a problem with TD Canada Trust anymore), and some have even worse practices with MAXIMUM character lengths (for instance, one major bank here in Canada has a 6 character maximum character length for their online passwords).

      The way password managers such as 1Password help is when banks do allow longer passwords, as they should, you don’t have to memorize the password, but can rather store it in a password manager. Yes, that does mean that there becomes a single point of possible failure if your password manager’s data gets cracked, which is why you want to make sure to use a good, strong Master Password to encrypt your passwords and other sensitive data.

      Now, as far as how 1Password works to keep your data safe, please see our security knowledgebase at for a comprehensive overview of the various methods we use to protect your passwords and other sensitive information.

  11. g2-ea2acadca9868474ad0b8d4d8bf4873f
    g2-ea2acadca9868474ad0b8d4d8bf4873f says:

    Funny how banks, which are 100 percent at fault for the fraud perpetrated using Apple Pay, would choose to lecture people on password security. I’m going to keep this url for sending to those institutions which are blocking pasting. And I will change my bank if they choose to go that route.

    • Andrew Costen
      Andrew Costen says:

      We’d love to help any interested banks (or other apps!) integrate with our extension so that we can help everyone be more secure online, so please do share this letter with any institutions that you think need to read it.

  12. bachya128
    bachya128 says:

    Just tweeted this great article to Charles Schwab Bank, which imposes an 8-character *maximum* password length. Freaks me out.

  13. Mike
    Mike says:

    The largest credit union in the U.S. is almost as bad. They use a Flash login! However, there is a non Flash login that they hide. The link looks like regular text but are actually hyper links to that login. But it will not work with 1P. You have to paste.
    It’s nuts.

    • Andrew Costen
      Andrew Costen says:

      Flash logins are annoying, that’s for sure. Since they have a hidden non-Flash login, though, I’d be curious if there’s any workaround that we could look into. If you’re interested, please consider contacting our support team to see if there’s anything we can do. I can’t make any promises, but we want to make 1Password work with as many sites as possible so we’d definitely look into it.

  14. Nathan
    Nathan says:

    It isn’t just limited to banks – Aetna prevents pasting passwords in their iOS app as well. The part that really sucks about it is that since they are the provider for my employer, I can’t really just use someone else. And one of their big “selling points” when we switched was their “amazing mobile app”…

    • Andrew Costen
      Andrew Costen says:

      It’s definitely frustrating when it’s an app that you have no choice but to use. This is one time when I won’t necessarily advise someone to send this letter to an app’s creator, since I don’t know what the consequences of that could be for you, professionally-speaking (although you’d know better than I could), but I certainly hope that they do come across it somehow and take it to heart.

  15. Roger
    Roger says:

    DIRECTV does this in their iOS app. So I made my password very, very simple. And hackable. I hope someone hacked in and is watching HBOgo on my account because of this idiotic practice. And, of course, I hope they’re paying my bill.

    • Andrew Costen
      Andrew Costen says:

      I suppose that’s one way to go. Fortunately, DIRECTV doesn’t have your banking information in the account (although, not having an account, I don’t know if it has any other personal information available when logged in, so it’s not something I’d generally recommend).

Leave a Reply

Want to join the discussion?
Feel free to contribute!

What's on your mind?