An Open Letter from AgileBits

An open letter to banks

Update (2015-04-02): TD Canada Trust updated their iPhone app today re-enabling pasting in the login fields. It’s a great first step toward friendliness with security-conscious customers and password managers.

TD Canada Trust made quite a splash recently when it launched its redesigned iPhone app which disabled pasting in the password field. Users who embrace password managers for their online security were quick to point out their … well, ‘unhappiness’ with this decision. TD Canada’s original response to those users was unsettling:

Hi Steve, thx for stopping by. For ur security, your password should be committed to memory rather than using a password mgr. ^SB

The original tweet has since been deleted by @TD_Canada.

For those of us who rely on 1Password (and other password managers) on a daily basis, this advice is completely cringe-worthy … unfortunately, it’s really not all that uncommon in the banking world. Many banking and financial sites implement restrictions on password length, require certain special characters to be present, and put in place various ‘security theatre’ measures on their websites that do little for increasing user security, while ultimately making it more difficult for users to rely on password managers to fill their complex passwords in on the site.

With the conversation about online security and banking so fresh in everyone’s minds, I thought now would be a great time to send a message out to banks and financial institutions everywhere to encourage them to take users’ security more seriously. I’m writing this not only as a member of the 1Password team who deals with security issues on a daily basis, but also as a concerned customer who just wants simple and secure access to her data.

Dear banks,

I know that you have my best interests at heart.

I know that you’ve worked hard to put ‘safeguards’ into place (such as disabling pasting into password fields, obfuscating usernames, spreading the login process across multiple pages and “please input the nth character of your password” fields) to thwart various types of attacks.

But the truth is that these ‘security measures’ are not actually helping your users.

Do you know what would really help your users? Long, random passwords.

Using long, random, and unique passwords is the best defense that we, your users, have against attackers. This advice is true for every site we have to sign in to these days … and believe me, we sign in to a lot more than just our financial sites. Keeping 100 or so strong and unique passwords memorized is not only a silly suggestion, it’s nearly impossible for all but the most savant-ish of us. Password managers help us increase our security by remembering these unique passwords for us, keeping them stored securely, and filling them in on websites so we don’t have to.

Many of the ‘security measures’ you have put into place serve only to make it much more difficult for those of us who rely on password managers. Password managers are not your enemy here. In fact, encouraging the use of trusted password managers will do more for your users’ security than any of the measures you currently have in place.

You have an awesome opportunity here. Take the time to educate your users on the value of true security. Encourage users to adopt long, random, and unique passwords that never need to be stored in their brains. Make it easy for password managers to store and fill these secure passwords for your users (in web browsers as well as in mobile apps).

Now, it just so happens that there is a very simple way that you can give your users easy access to their banking data in your mobile apps. We’ve written an App Extension API that can be added to your iOS app in 3 easy steps. The app extension will allow users to select their password manager of choice and fill their complex passwords into your form, with no typing required.

1Password has been giving people control over passwords for almost 10 years now, and it truly is a wonderful thing. Our team built 1Password around the idea that being secure should never be compromised for convenience. We’ve been advocating for stronger, safer passwords for years, and we’d be so happy if you stood with us.

For now, passwords are a necessary evil. Remembering them shouldn’t have to be.

Please help us increase awareness of online security. Your users will be ever-so-grateful that you are taking their security seriously, and you’ll be making their lives a lot simpler too.

Signed, a hopeful user.

Since TD’s original response last week, they seem to have had a change of heart. A tweet from @TD_Canada on Saturday indicates that they are in fact working on an update that will allow copy and paste within their app … and possibly considering integrating password managers.

Hi Rick, we're working on providing our customers w/ the option to use copy/paste & PW managers. No dates to share yet. ^SK

This is incredible news! Without seeing the update, it’s hard to know exactly what they have in store for users, but they have a great opportunity here to set the standard for banking apps and give other financial institutions a secure example to follow. I’m excited to see what they come out with!

If you believe as I do that banks should add 1Password (and other password manager) integration to their iOS apps, please consider sharing this open letter with your bank. #BanksNeed1Password

47 replies
    • Andrew Costen says:

      We’d love to help any banks integrate with our extension so that we can help everyone be more secure online, so definitely feel free to share this with them.

    • Andrew Costen says:

      TD did delete the tweet. I like to think it means they realize that adding copy/paste support (and possibly 1Password support) is actually a good thing, so I’m looking at it as a hopeful thing.

  1. aomind says:

    Seems that big corporations tend to fail on security, even at the most basic level. TD and Virgin Mobile have both called me on the phone and asked me to answer security questions, which I declined to do as those were outbound calls. I explained that it is a flaw in their security protocols to ask those questions on outbound calls, and not even escalating the calls would make them understand the breach. So anyway, maybe a letter to TD’s CTO explaining how they lack security at all levels.
    Something so basic, it’s strange they don’t realize it.

    • Andrew Costen says:

      I’ve heard of this happening with a number of banks, and agreed, it isn’t particularly good security. I’m glad to hear you explained their mistake to them, and hopefully somebody somewhere read a report of the call and understood.

  2. Anonymous says:

    “Your password should be committed to memory rather than using a password mgr.” Wow, I can’t believe banks hire morons like that. Anyway, I don’t use mobile apps for banking.

    • Andrew Costen says:

      Fortunately, the mobile app isn’t necessary. The TD website is usable on iOS, and it does allow pasting. Still, one hopes that more banks will realize the truth about password managers.

  3. Denis says:

    Citibank did the same about a year or so ago. After a storm of 1-star ratings, it was very quickly reversed (I think within a couple of weeks).

    • Robert.Walter says:

      Citibank causes iCloud keychain to stumble and offer to save the masking asterisks as a new password.

      I understand the motivation behind the 2-page login used by companies like Verizon, US Bank, etc. (as a verification that the customer has landed on the real page), but I completely agree with the author of the open letter that such measures cause folks to reuse simple, easy-to-remember/crack passwords.

  4. Migs says:

    American Express doesn’t allow 1Password direct fill of passwords. You have to manually copy the password from the 1P browser extension and paste it into the field.

  5. Rick Truell (@Rick_Truell) says:

    “TD Canada Trust made quite a splash recently when it launched its redesigned iPhone app which disabled pasting in the password field”

    It’s not just the password field, it’s also the username/access card field. And while previous versions of the app (for at least a couple of years now) have allowed pasting in both fields, you couldn’t log in when doing so…they wouldn’t authenticate. This meant that I couldn’t use the app…while typing the info in manually *might* have worked, my password has always been random and unmemorizable enough that it would have been too much of a PITA to switch back-and-forth between the app and the password manager.

    “Many banking and financial sites implement restrictions … making it more difficult for users to rely on password managers to fill their complex passwords in on the site”

    To be fair to TD, since I started banking on-line with them using my desktop computer more than a decade ago, I’ve always had a fairly strong password and logged onto their web site using a password manager. It could be longer and thus stronger, but it’s a randomly-generated string of uppercase, lowercase and numbers, so it isn’t easily crackable. It’s only their mobile app that’s been a PITA.

    [PS. OMG! You used my tweet! I’m (in)famous! :-) ]

    • Andrew Costen says:

      I’m glad we could help make you famous. :D

      I, too, appreciate that TD has allowed their EasyWeb logins to work with password managers, and I hope they bring that ability over to their mobile apps soon.

    • Andrew Costen says:

      We’d love to help any apps integrate with our extension, not just financial institutions, so please feel free to share the article with the creators of any apps that could use our extension. The same details apply to everyone.

  6. Mike Karlesky says:

    I started using 1Password a year ago and slowly migrated all 200+ of my accounts over to unique, long, randomly generated passwords. It’s been a challenge but well worth it.

    I very much appreciate this open letter to banks. Financial apps and web sites are a real pain with regard to password management.

    I’ve also been burned numerous times now by websites whose account creation frontend allows a long password while the backend system includes an unpublished length limit. So an account is successfully created, but I’m unable to access it later—login limbo. It leads to multiple experiments with password resets or sometimes abandoning an account and making an entirely new one. Could you also embark on a campaign to educate developers on the practical implications of long, secure passwords in interface and systems development?

    • Marc says:

      That ‘login limbo’ has happened to me several times too. That’s a very poorly designed and poorly tested login system. It makes one wonder what else the developers screwed up. It’s only security after all.
