What is wrong with banks asking to make passwords i cant remember

RakaKaKaka

Well-Known Member
Adept
Jun 28, 2016
814
202
56
They force one to use upper and lower cases, numbers, minimum 8 words, symbols and egyptian hieroglyphs for every password. And every few months you are supposed to make a new one and cant even use the older passwords. How exactly is this secure when one is bound to note it on a paper or somewhere which can easily land in wrong hands. Few wrong attempts and one gets those captchas that look like modern art and leave it to users to intrpret.

If its my money i should be allowed to use pass123 or whatever i wish to. Every time i need to reset passwords to login.
 

nRiTeCh

If you can see the green dot, I'm online ;-)
Veteran
Which bank?
Usually its a mandatory policy.
Using of old pwds is restricted as your pwds might be known to your family friends wife gf etc.

My sbi pw is not changed ever since year 2k5 when I opened my account. It kept prompting me to change until few yrs ago it actually gave up as I refrained from changing my pw.:D Though it wasn't a mandate unlike other banks especially hdfc where you are unable to proceed further to a successful login unless you change the pw.

Same with Axis & ICICI. Using same pwds since many yrs now.

Only when I login through app they ask to change the login pin every 6 months and I can't use last 6 pins.

So I have already made a list of pins to use using some common combinations so as to memorize them in case.
 
Last edited:

6pack

Well-Known Member
ex-Mod
Sep 19, 2005
7,484
1,515
302
I use KeepassX (on linux) to generate and keep log of password expiry. You can set password to expire in x days and it will crossout the name. I just add all the websites with login id and passwords into one root account in keepassx and save them with just one master password as a 256bit encrypted kdbx file. This file can then be copied to android and opened in an app Keepass2Android Offline and you can see the passwords etc in the android app if you just put in the master password.

All these password managers have a random password generate function which you can use to generate such 15 day or 1 month passwords.

For windows and mac i think its keepassxc. There is an exe or standalone portable version in a zip file.

KeepassXC - https://keepassxc.org/download/

Keepass2AndroidOffline - https://play.google.com/store/apps/details?id=keepass2android.keepass2android_nonet
 
  • Like
Reactions: ch@ts

RakaKaKaka

Well-Known Member
Adept
Jun 28, 2016
814
202
56
Which bank?
Usually its a mandatory policy.
Using of old pwds is restricted as your pwds might be known to your family friends wife gf etc.

My sbi pw is not changed ever since year 2k5 when I opened my account. It kept prompting me to change until few yrs ago it actually gave up as I refrained from changing my pw.:D Though it wasn't a mandate unlike other banks especially hdfc where you are unable to proceed further to a successful login unless you change the pw.

Same with Axis & ICICI. Using same pwds since many yrs now.

Only when I login through app they ask to change the login pin every 6 months and I can't use last 6 pins.

So I have already made a list of pins to use using some common combinations so as to memorize them in case.
HDFC and Yes gbank. Both are tormenting me every few weeks
 

blr_p

Well-Known Member
Veteran
Apr 11, 2007
5,819
1,214
301
They force one to use upper and lower cases, numbers, minimum 8 words, symbols and egyptian hieroglyphs for every password. And every few months you are supposed to make a new one and cant even use the older passwords.
haha, i thought the same thing

How exactly is this secure when one is bound to note it on a paper or somewhere which can easily land in wrong hands. Few wrong attempts and one gets those captchas that look like modern art and leave it to users to intrpret.
If the bank finds out you did that they will refuse any claim in case of fraud.

If its my money i should be allowed to use pass123 or whatever i wish to. Every time i need to reset passwords to login.
They want to protect themselves
 

mathrisk

.: deleted :.
Adept
Mar 17, 2008
790
550
182
35
Bangalore
www.pankajnath.in
They force one to use upper and lower ...... to login.
Strategy I follow, I have some specific password, that I can remember (satisfying all conditions), to which I add the month+year at the end.
Like [P@ssw0rd@0419] which for next month [P@ssw0rd@0519]
Never repeats, easy to remember, easy to backtrace if any month is missed.
 

RakaKaKaka

Well-Known Member
Adept
Jun 28, 2016
814
202
56
Strategy I follow, I have some specific password, that I can remember (satisfying all conditions), to which I add the month+year at the end.
Like [P@ssw0rd@0419] which for next month [P@ssw0rd@0519]
Never repeats, easy to remember, easy to backtrace if any month is missed.
Strategy is nice. I will use it too. Since they change passowrds every 2 months il do same by adding month in end. like Securefinance*01
 

Sands

Member
Disciple
Nov 8, 2017
36
5
11
They force one to use upper and lower cases, numbers, minimum 8 words, symbols and egyptian hieroglyphs for every password. And every few months you are supposed to make a new one and cant even use the older passwords. How exactly is this secure when one is bound to note it on a paper or somewhere which can easily land in wrong hands. Few wrong attempts and one gets those captchas that look like modern art and leave it to users to intrpret.

If its my money i should be allowed to use pass123 or whatever i wish to. Every time i need to reset passwords to login.
It's ur money right, But if someone hacks into your account and fly away with your money you will blame it on bank, Right ? That's one of the reason they ask you to use strong password.
 

RakaKaKaka

Well-Known Member
Adept
Jun 28, 2016
814
202
56
It's ur money right, But if someone hacks into your account and fly away with your money you will blame it on bank, Right ? That's one of the reason they ask you to use strong password.
how exactly does a strong password help ? surely all their dbs are highly encrypted that whatever password i use does not even matter right. When i can use a simple word as password on google and noone has ever been able to hack that yet why do the banks do so ? Issue isnt a stronger password but making users use a password they cant even memorise is. People have to depend on either old fashioned pen and paper to store them or use some online service which manages it. Both are the weaker links than having the user memorise the password.
 

nRiTeCh

If you can see the green dot, I'm online ;-)
Veteran
how exactly does a strong password help ? surely all their dbs are highly encrypted that whatever password i use does not even matter right. When i can use a simple word as password on google and noone has ever been able to hack that yet why do the banks do so ? Issue isnt a stronger password but making users use a password they cant even memorise is. People have to depend on either old fashioned pen and paper to store them or use some online service which manages it. Both are the weaker links than having the user memorise the password.
Ok then lets do one trial. Set your password to abcd1234 and post here or in public with your login id. Lets see what happens at the very next minute.
I will answer your query after that.
 

RakaKaKaka

Well-Known Member
Adept
Jun 28, 2016
814
202
56
Ok then lets do one trial. Set your password to abcd1234 and post here or in public with your login id. Lets see what happens at the very next minute.
I will answer your query after that.
My techenclave and gmail one is a password veryy similar to that.
 

Sands

Member
Disciple
Nov 8, 2017
36
5
11
how exactly does a strong password help ? surely all their dbs are highly encrypted that whatever password i use does not even matter right. When i can use a simple word as password on google and noone has ever been able to hack that yet why do the banks do so ? Issue isnt a stronger password but making users use a password they cant even memorise is. People have to depend on either old fashioned pen and paper to store them or use some online service which manages it. Both are the weaker links than having the user memorise the password.
No point discussing this with a guy who comes with a thread like this, Tells the exact state of ur mind. Take care.
 

mathrisk

.: deleted :.
Adept
Mar 17, 2008
790
550
182
35
Bangalore
www.pankajnath.in
I suppose, what OP's logic is, even if we set a relatively less complex password, which can be easily(!) cracked via brute force, but most online services normally lock down the account in case of 3 or 5 incorrect attempts, hence kind of safe to use.

Btw, why don't banks implement 2-factor auth. Or does any ?
Our social media, spam mails are safe with 2FA, bank relies on 4 digit PIN (UPI, ICICI app). :D
 
  • Like
Reactions: RakaKaKaka

Lord Nemesis

Overlord
Veteran
Jun 3, 2005
5,936
2,403
377
Overzealous security/password policies tend to be counter productive. There are studies and reports on it.

The tendency of programmer when pressured to implement over zealous security policies is to lose sight of the actual goal while focusing on adding layers and complexity that serve no real purpose while also possibly introducing some loop holes.

The tendency of users in the wake of over zealous password policies is to chose the weakest passwords that comply with the policy.

abcd@1234, abcd@2345, bcde@1234, bcde@2345 etc are examples of a passwords chosen by users when a password policy requires alpha numeric and symbols and prevents recycling. And guess what, majority of users would be using the same set of passwords as well. If I were brute forcing a system with such user unfriendly policies, I know that all users would be using passwords form the same weak pool and target those fist. I might even be lucky enough to break a bunch of them at once.

Read this some where in the wild, but it its totally true.

Security at the expense of usability, comes at the expense of security.

Its far better to to have a password policy that lets users chose a set of unique, but strong passwords and keep recycling them.
 
  • Like
Reactions: RakaKaKaka

nRiTeCh

If you can see the green dot, I'm online ;-)
Veteran
Users are lazy and they seldom know what is a Strong password hence banks or any such authority forces to use complexities. Now even in these complexities if the user chooses to use anil@21031980 his name and birthdate then god save him. They never read the disclaimer as well what words or characters are to be avoided when creating a strong password.
Another eg: sapna@meriJaan, januil0v3you. These passwords are already known by their gfs bfs or friends.
So rip complexities and rip the user when they come crying stating their password were Too Strong to break. Really?
 

Lord Nemesis

Overlord
Veteran
Jun 3, 2005
5,936
2,403
377
Many banks have policies that prevent users from using parts of their name in the password.

Asking user to choose a password with alphanumeric and symbol combination is also fine. The problem starts with expiry and recycling restrictions. That is what forces users to chose weak passwords.

As far as symbols go, I can guarantee that in most passwords, it would be among @, $ and #. so, its up to the alphanumeric part of the password. The more restrictive the policy is, the more simple the pattern used will be.

It is far worse for the system to have a bunch of users using the same pool of passwords than using more unique passwords for far longer period.

Here is an interesting piece on analysis of 10 million passwords.

https://wpengine.com/unmasked/
 

RakaKaKaka

Well-Known Member
Adept
Jun 28, 2016
814
202
56
Users are lazy and they seldom know what is a Strong password hence banks or any such authority forces to use complexities. Now even in these complexities if the user chooses to use anil@21031980 his name and birthdate then god save him. They never read the disclaimer as well what words or characters are to be avoided when creating a strong password.
Another eg: sapna@meriJaan, januil0v3you. These passwords are already known by their gfs bfs or friends.
So rip complexities and rip the user when they come crying stating their password were Too Strong to break. Really?
But when brute force does not work how will be a weak password be compromised? That can be done only if the bank was storing the passwords in a weak unencrypted hash and some hacker managed to hack into the banks systems. So how will it be the users fault ?

Also due to this people are forced to use one password for many services which is not recommended or use a password manager which if compromised leads to loss of everything.
 

nRiTeCh

If you can see the green dot, I'm online ;-)
Veteran
I myself used to use a single complex password across all services be it simple portal, emails, banks or enterprise logins. And it worked great for all these years as I use LastPass. But last year when heard that LastPass was compromised the first thing I did was changed all banking passwords to a very complex level. Then changed my LastPass password to another level. Then email ids and finally forum, the least bothered.
Now the issue is I only recall my regular forum passwords but noway I'm able to memorize any banking or even my LastPass password.
Else life was too easy for me even with complex passwords before I recently changed them all.
 

Futureized

Well-Known Member
Adept
Feb 11, 2013
350
57
67
Mumbai
www.wikipedia.org
Every week? You kidding? Its quarterly.
Also the most sucky thing is LastPass doesn't work on these 2 banks.
I can save each and every site, though how much tough combination is.
(try to save it manually)

And when you open the target site, click on lastpass icon in browser (if on desktop) and click autofill, works like a charm.
Except for sites which also require captcha or sms or any third party combinations
 

nRiTeCh

If you can see the green dot, I'm online ;-)
Veteran
And when you open the target site, click on lastpass icon in browser (if on desktop) and click autofill, works like a charm.
I'm already aware about that but it no longer works for Sbi, yes and hdfc and few more.
LP doesn't fill Sbi fields at all.
For Yes bank it will ask for LP master password and yet fails.
Hdfc, it will simply fill-up all the fields yes hdfc itself will reject login using those populated fields as they sense it is coming from some password manager.
Same goes for irctc too now a days.
All these sites have curbed the use of lastpass or other managers.