Ask HN: What banks don't have cartoonishly bad password practices?

4 points by curuinor ↗ HN
Chase and Wells Fargo passwords are case insensitive....

11 comments

[ 541 ms ] story [ 1033 ms ] thread
Any Bank that uses passwords in preference to two-factor authentication?
Simple.com is pretty solid from a security standpoint from my limited observations as a consumer, although they only offer two factor via SMS (not TOTP likely google, etc)
It's a financially motivated decision. Banks have a high percentage of people who are tech illiterate. Many of these people don't use the password reset when they forget their password, they call tech support, which costs banks a lot of money. Banks realized they could reduce this call volume by making their passwords case insensitive and simply refund people if their accounts get breached.

Most banks also have a mandatory security question, which makes it marginally more difficult to get brute forced.

Source: Used to work at a bank. Would not recommend.

The username and password are case insensitive btw :)
Case insensitive isn't necessarily insecure. It just means you'll want a password roughly twice as long for equal security. Now, if they do that and also limit passwords to, say, 8 chars.... argh!
Is case insensitive really a bad thing? Bank logins aren't exactly brute forceable.
We even have a local bank which only allows numeric passwords... They have two-factor authentication though.
When I moved back to the UK after having had US and Canada bank accounts for several years it made me realize how much bad service British people are willing to put up with in comparison. Logging into a UK bank account online (the worst imo is HSBC) is a total nightmare. You need to know 4 passwords/pins, and have either a security code generator device or phone app that will generate one for you. For my North American banks, including one Canadian account I still have, it's simply the number on your debit card and a password, about as hard as logging into email.
In the UK the challenger banks like Monzo, Starling, etc are pretty good. Monzo just emails you a "magic link" to login, Starling uses a proper password you can use your password manager to remember.