Here’s a screenshot I took from their site of their rules when my choice of password was rejected:

Rule Number One: Your password must be between 6 and 8 characters. No more, no fewer.  Surely when you’re protecting your finances from hackers you’d want the option to have a longer password.  My FTP password is around 20 characters with a mixture of capitals, lowercase, numbers and symbols. A little obsessive perhaps, but as this article on InfoWorld states “Character-for-character, password length is more important for security than complexity”.  The longer you make your password, the harder it is to crack.

Natwest’s argument may be that by forcing a password under 9 characters, they are making it easier for people to remember it.  But so what?  I want the option to use my ridiculously long password because I value my security.

Rule Number Two: Your password is not case sensitive. So I guess that means if I add a mixture of capitals and lowercase, the password field will treat them all as lowercase, making my password easier to crack.  Great.

Rule Number Three: Your password must contain both alpha and numeric characters, as you’d expect.  It’s obviously a good idea to force people to do this on a site such as this, as this makes their password more secure.

Rule Number Four: No symbols, spaces or special characters.  Umm, why?  C’mon Natwest, you’re trying to teach people to treat their security seriously.  How is preventing people from making their passwords secure going to help?

Rule Numbers Five and Six: Characters or digits cannot occur more than twice in a row, or contain ascending or descending values.  Good, a gold star.

What annoys me most about this is that as a bank, Natwest should be educating their users about security, and encouraging them to use really secure passwords.  You’re probably familiar with the little red, amber and green progress-style bars that email clients like Hotmail and Gmail display when you start typing a password – why not have something like that?  I regret that I’m slating just Natwest for doing this when it’s probably the same across all online banking systems.  I wrote them this letter about it in February:

“I was just wondering if the Natwest online site is scheduled for a redevelopment.  I find it really confusing and frustrating to use, and there are big security issues like it won’t let me use a password with symbols, or over a certain number of characters.”

And here’s the automated response I got back:

“Thank you for your message received via the feedback section of the
natwest.com website.  Thank you for taking the time in forwarding this information, which we have passed on to the relevant department.”

If you use online banking, do they do things differently, or are they all just as bad?