Natwest Online: Password Rules
July 22nd, 2009
If you run an online banking service, surely the most important feature on the site should be security. However, we all know that your data is only as secure as the password you use to protect it. This is why I find it so shocking that Natwest online banking has such a strange policy on what your password can and can’t contain.
Here’s a screenshot I took from their site of their rules when my choice of password was rejected:

Rule Number One: Your password must be between 6 and 8 characters. No more, no fewer. Surely when you’re protecting your finances from hackers you’d want the option to have a longer password. My FTP password is around 20 characters with a mixture of capitals, lowercase, numbers and symbols. A little obsessive perhaps, but as this article on InfoWorld states “Character-for-character, password length is more important for security than complexity”. The longer you make your password, the harder it is to crack.
Natwest’s argument may be that by forcing a password under 9 characters, they are making it easier for people to remember it. But so what? I want the option to use my ridiculously long password because I value my security.
Rule Number Two: Your password is not case sensitive. So I guess that means if I add a mixture of capitals and lowercase, the password field will treat them all as lowercase, making my password easier to crack. Great.
Rule Number Three: Your password must contain both alpha and numeric characters, as you’d expect. It’s obviously a good idea to force people to do this on a site such as this, as this makes their password more secure.
Rule Number Four: No symbols, spaces or special characters. Umm, why? C’mon Natwest, you’re trying to teach people to treat their security seriously. How is preventing people from making their passwords secure going to help?
Rule Numbers Five and Six: Characters or digits cannot occur more than twice in a row, and the password cannot contain ascending or descending values. Good, a gold star.
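To put numbers on the six rules above, here is an added example (not part of the original post and not Natwest's code) that counts how many passwords the policy allows and compares that, in bits, with longer or richer passwords. It assumes uniformly random passwords, and it does not model the ascending/descending rule because the page does not say how long such a sequence must be, so the policy figure is an upper bound.

```python
import math

LETTERS, DIGITS = 26, 10          # not case sensitive: a-z plus 0-9, no symbols
MIN_LEN, MAX_LEN = 6, 8           # "between 6 and 8 characters"

def count_no_triple(n, k):
    """Length-n strings (n >= 1) over k symbols, no symbol more than twice in a row."""
    run1, run2 = k, 0             # strings ending in a run of length 1 / length 2
    for _ in range(n - 1):
        # a different symbol starts a new run; the same symbol extends run 1 -> 2
        run1, run2 = (run1 + run2) * (k - 1), run1
    return run1 + run2

def policy_count(n):
    """Strings of length n allowed by the alphabet, mixing and repeat rules.

    The ascending/descending rule is NOT modelled (assumption: its exact
    definition is unknown), so this is an upper bound on the real keyspace.
    """
    both = LETTERS + DIGITS
    # remove the all-letter and all-digit strings: both classes must be present
    return (count_no_triple(n, both)
            - count_no_triple(n, LETTERS)
            - count_no_triple(n, DIGITS))

def policy_bits():
    """log2 of the number of passwords the policy allows across lengths 6 to 8."""
    total = sum(policy_count(n) for n in range(MIN_LEN, MAX_LEN + 1))
    return math.log2(total)

def free_bits(length, alphabet):
    """Bits for a uniformly random password with no composition rules."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    print(f"policy as described, lengths 6-8:   {policy_bits():6.1f} bits")
    print(f"8 chars, case sensitive a-zA-Z0-9:  {free_bits(8, 62):6.1f} bits")
    print(f"8 chars, printable ASCII (94):      {free_bits(8, 94):6.1f} bits")
    print(f"20 chars, case-insensitive a-z0-9:  {free_bits(20, 36):6.1f} bits")
    print(f"20 chars, printable ASCII (94):     {free_bits(20, 94):6.1f} bits")
```

Even a 20-character password restricted to the same case-insensitive letters and digits is far stronger than anything the 8-character cap permits, which is the point of the InfoWorld quote.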
What annoys me most about this is that as a bank, Natwest should be educating their users about security, and encouraging them to use really secure passwords. You’re probably familiar with the little red, amber and green progress-style bars that email clients like Hotmail and Gmail display when you start typing a password – why not have something like that? I regret that I’m slating just Natwest for doing this when it’s probably the same across all online banking systems. I wrote them this letter about it in February:
“I was just wondering if the Natwest online site is scheduled for a redevelopment. I find it really confusing and frustrating to use, and there are big security issues like it won’t let me use a password with symbols, or over a certain number of characters.”
And here’s the automated response I got back:
“Thank you for your message received via the feedback section of the natwest.com website. Thank you for taking the time in forwarding this information, which we have passed on to the relevant department.”
If you use online banking, do they do things differently, or are they all just as bad?

9 Comments on “Natwest Online: Password Rules”
July 22nd, 2009 at 9:43 pm
Nationwide is a bit mad, you need a customer number which is 10 complete random digits, you need to answer 1 of 3 security questions you’ve set up and then get 3 digits of a 6 digit number. I think NatWest is as secure as it could be and easy to use, it is conveniently simple and people still suffer to use it and to remember their details. The fact you need the PIN as well makes the password more secure anyway.
July 23rd, 2009 at 12:04 pm
That truly is terrible. Their security department should be replaced.
July 24th, 2009 at 7:56 pm
That’s strange – I use Natwest Online Banking and my password is 9 letters long and it’ll let me change it (although not without using my card reader) to a combination of 16 random letters without mentioning anything about not being case sensitive etc.
Where are you seeing this?
July 24th, 2009 at 8:00 pm
It’s in the Business section of the website, where you pay credit card bills.
July 24th, 2009 at 8:39 pm
Yes, mine is longer than 8 characters too. I cannot find this advice. Anna, can you post a link to it?
July 24th, 2009 at 8:50 pm
Yes, it’s here http://www.natwest.com/cardsonline (specifically https://cardsonline-commercial.com/RBSG_Commercial/Login.do?promoCode=NatWest ) – it’s a portal that lets you register your business credit card so you can pay your bills online.
The main Natwest Online site will accept longer passwords, but when I tried to register mine at the bank, it wouldn’t accept symbols. I’m not sure whether this is still the case.
July 25th, 2009 at 5:08 pm
On the subject of security within online banking: when I signed up with the Halifax’s online banking service in 2004, I had several problems with my first log-in and ultimately had to call their helpdesk to find out what was going on. They soon figured out that the reason I couldn’t log in was because I was using Firefox, and they instructed me to switch to IE. When I commented that I’d switched from IE to Firefox in the first place because I valued security, and asked whether the Halifax were planning on making the service available to people using more secure browsers, there was a long silence on the line followed by what I can only describe as a hostile attitude while we went through the log-in procedure in IE.
July 25th, 2009 at 5:10 pm
Hmm. Do you know your ‘Submit Comment’ button isn’t available viewing this page in Chrome? Had to copy/paste my comment over to IE… gah!! :)
July 25th, 2009 at 5:16 pm
Thanks Rachel, yeah, banks have a really weak attitude to browsers other than IE.
Sorry about the hassle with adding your comment. I’m very ashamed. I built this site years ago before Chrome existed and before I really knew a lot about web design :p
You’ll be pleased to hear I’m redesigning it right now to fix things like that.