TL;DR
Your bank’s password policy is weak. Here’s how to complain effectively and what they *should* be doing to protect your account.
1. Understand the Current Weaknesses
Most banks have historically had poor password policies. Common problems include:
- Short Password Length: Passwords shorter than 12 characters are easily cracked.
- Lack of Complexity Requirements: Not requiring a mix of uppercase and lowercase letters, numbers, and symbols.
- No Multi-Factor Authentication (MFA): Relying solely on passwords for login.
- Secret Questions: These are often easily guessed or found online.
- Password Reuse Allowed: Letting you use the same password across multiple accounts.
Check your bank’s terms and conditions, FAQs, or security pages to see what their current policy is.
2. Document Your Concerns
Before contacting the bank, write down exactly *why* you’re worried. Be specific:
- “I’m concerned that a password length of 8 characters isn’t strong enough in today’s threat landscape.”
- “I want to enable multi-factor authentication for my account, but the option isn’t available.”
- “The security questions are too easy to guess and don’t provide adequate protection.”
Having a clear list will help you explain your concerns calmly and effectively.
3. Contact Your Bank – Start with Customer Service
- Phone: Call the bank’s customer service number. Be polite but firm. Explain your concerns clearly, referencing the documentation you prepared.
- Online Chat: If available, use the online chat feature. This allows you to keep a written record of the conversation.
- Email: Send an email outlining your concerns. Keep it concise and professional.
Ask specifically about their plans for improving password security. Note the date, time, and name of the representative you spoke with.
4. Escalate if Necessary
If customer service isn’t helpful:
- Speak to a Supervisor: Ask to speak to a supervisor or manager.
- Contact the Security Department: If your bank has a dedicated security department, contact them directly.
- Write a Formal Letter: Send a formal letter (registered post is best) outlining your concerns and requesting a response within a specific timeframe (e.g., 14 days). Address it to the Head of Cyber Security or equivalent.
5. What Banks *Should* Be Doing
Here’s what a good password policy looks like:
- Minimum Password Length: 12 characters (preferably more).
- Complexity Requirements: Require a mix of uppercase and lowercase letters, numbers, and symbols.
- Multi-Factor Authentication (MFA): Offer MFA options like SMS codes, authenticator apps (Google Authenticator, Authy), or biometric verification. This is the most important step!
- Password History: Prevent password reuse for a reasonable period (e.g., at least 12 months).
- Regular Password Updates: Encourage (but don’t force) regular password changes. Forced frequent changes can lead to weaker passwords.
- Breach Monitoring: Monitor for compromised credentials and alert users if their passwords appear in data breaches.
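The length, complexity, password-history and breach checks from this list, written as a small Python validator. This is an added example, not code from the original article or from any bank; the function names, the PBKDF2 parameters and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12                        # "Minimum Password Length: 12 characters"
HISTORY_WINDOW = timedelta(days=365)   # "at least 12 months" of password history
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def _derive(password, salt):
    # Slow salted hash so old passwords are never stored in plaintext.
    # PBKDF2 and the iteration count are illustrative assumptions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def history_entry(password, changed_at):
    salt = os.urandom(16)
    return (salt, _derive(password, salt), changed_at)

def check_password(candidate, history, breached_sha1, now):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not all(any(ch in cls for ch in candidate) for cls in CLASSES):
        problems.append("missing_character_class")
    # Only entries inside the window count; older passwords may be reused.
    for salt, digest, changed_at in history:
        if now - changed_at <= HISTORY_WINDOW and hmac.compare_digest(
                _derive(candidate, salt), digest):
            problems.append("reused_within_12_months")
            break
    # Breach check against a local set of SHA-1 digests (constructed here).
    if hashlib.sha1(candidate.encode()).hexdigest() in breached_sha1:
        problems.append("found_in_breach_list")
    return problems

# Constructed sample data, not real credentials or real breach data.
NOW = datetime(2024, 6, 1)
HISTORY = [history_entry("Old-Passw0rd-2023!", NOW - timedelta(days=90)),
           history_entry("Ancient-Passw0rd-1!", NOW - timedelta(days=800))]
BREACHED = {hashlib.sha1(b"Summer2024!Summer").hexdigest()}

if __name__ == "__main__":
    for pw in ("short1!A", "Old-Passw0rd-2023!", "Ancient-Passw0rd-1!",
               "Summer2024!Summer", "Correct-Horse-7-Battery"):
        print(f"{pw!r}: {check_password(pw, HISTORY, BREACHED, NOW) or 'accepted'}")
```

The history check compares salted hashes rather than stored plaintext, and only entries inside the 12-month window block reuse.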
6. Consider Switching Banks
If your bank is unwilling to address your concerns, consider switching to a financial institution with stronger security practices. Your financial safety is paramount.