current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Information Security Stack Exchange is a question and answer site for information security professionals. It's 100% free, no registration required.

Sign up
Here's how it works:
  1. Anybody can ask a question
  2. Anybody can answer
  3. The best answers are voted up and rise to the top
up vote 47 down vote favorite
12

Consider a user who wants to use a password manager for their banking passwords. Advice from banks usually says they should never write down their password. The user would be concerned about going against that advice, as it could mean their bank would refuse to accept liability for any fraud that may occur on their account.

So, can they use a password manager? Does storing the password encrypted count as writing it down?

This is a legal and policy question; I am already aware of the technical risks and benefits of using a password manager. Answers may be country specific (and even bank specific). I'm in the UK but I am interested in answers from anywhere in the world.

share|improve this question
29  
I wonder if some day, people will be asking whether it's okay to store their authentication information in their brainmeats instead of using a secure electronic record. – user2357112 Jun 4 '14 at 1:32
1  
Can you give a specific citation or quotation to exactly what the bank says? Have you looked in their terms of service and the rest of the contractual agreement? (where many banks give the fine print on what promises they are making and what your responsibilities are) This sounds like a case where a vague or imprecise "game of telephone" could easily cause the requirement to be misunderstood, so it's important to look at specifics. – D.W. Jun 4 '14 at 16:52
1  
@d-w from what I've seen wording varies but some examples of what paj is talking about from halifax.co.uk/aboutonline/security/protect-yourself "Never let your passwords be known to anyone and don't write them down". From santander.co.uk/csgs/… "Keep your personal Passcode and Registration number safe, and avoid writing them down" – Rоry McCune Jun 4 '14 at 19:56
1  
Why even use a password manager when it relies on machinery? Paper doesn't require batteries. Even if you write them down, you can obfuscate web site names. So if someone were to steal them, they would just see username and passwords. I think paper and storing in a safe is probably the best in this regard. – Brian Jun 5 '14 at 17:20
6  
Banks also cap the length of your password at 16 characters when they feel like it, and still use 4-digit PINs for important operations. They're not the word of god on security matters. – Superbest Jun 5 '14 at 17:33
up vote 15 down vote accepted

I'm a lawyer in Germany. Here the special conditions between customer and bank are part of the contract. So we are talking about a clause in these special conditions prohibiting the use of a password manager.

I went to the site of my bank, drew the conditions and really, it says, the customer is not allowed to store the password on his PC.

So this clause forbids to store my pw on the PC. The question is, do I really store the password inside the password manager, or do I "store" something like 23%%4l5ksa0ß90ßv9w6&!? And is this a legal clause?

I appreciate your question!

Edit: How to solve the problem? -- As pai28 asks. I'm not even sure that the people who wrote those conditions are aware of the progress we, the users, made during the last years. We use pw-managers, because an existence online is impossible without.

So the clause should be altered: The customer is not allowed to store the password unencrypted on any IT-device. Or something like this.

I'll write to the association of my bank and ask. If I ever get a serious answer (not blabla,dear customer we very much appreciate, but mucho complicado...), I'll report on the outcome.

share|improve this answer
2  
Can a client argue that limits enforced by the bank (eg: min 6, max 8 letters, no special chars, at least one uppercase, one lowercase and one digit) are preventing him from using a password that is both secure and easy to remember? – Agent_L Jun 4 '14 at 13:39
3  
@Agent_L This is a completly different question. – Keks Dose Jun 4 '14 at 16:30
    
Yeah, but this is what compels clients to use password manager. – Agent_L Jun 5 '14 at 12:25
    
Good points... do you have any idea how you (and considering you are a lawyer) would resolve the questions in your third paragraph? Is this something there could be legal precedent for? – paj28 Jun 6 '14 at 8:40
    
What if I store password except one last symbol? – ShadowsInRain Mar 16 at 11:05
up vote 28 down vote

I am not a laywer, but a properly constructed password manager stores passwords approximately as securely as any modern banking system.

I can't speak to the legality of using a password manager, but I can say that on a philosophical level, anywhere a personally provided password is acceptable as identification, a (properly constructed) password manager password is acceptable.

(Edit: Adding a password to a properly constructed password manager is not equivalent to simply writing them down.)

share|improve this answer
8  
A password manager is in no way as secure as the banking system. A key function for a password manager is that it is in some way capable of reconstituting the original password. A properly designed password hashing system is incapable of ever reconstituting the required password without computing effort so enormous it's functionally impossible. – Fake Name Jun 4 '14 at 4:02
30  
@FakeName which is totally irrelevant because the password manager itself is protected by a pure hashed password which can also never be reworked. So, it is exactly as safe as any other login system. – Florian Peschka Jun 4 '14 at 6:37
15  
@FakeName I've done consultancy work for a couple of large banks. I would say that their systems are typically slightly less secure than the best password managers. The banks often use older systems with slightly dated algorithms - I've never seen them use PBKDF2 for example. – James_pic Jun 4 '14 at 9:57
3  
"[...]stores passwords [...] securely as any modern banking system." - except that the bank does not store the password? – Volker Siegel Jun 4 '14 at 23:39
3  
@VolkerSiegel see security.stackexchange.com/questions/10938/… - this is common in the UK, my bank will ask me for the third and fifth letters of my password (for example) if I call them on the phone, which implies strongly that they are using encryption rather than hashing. – moopet Jun 6 '14 at 8:39
up vote 16 down vote

I have never heard of this so I can't say for sure, but I would guess that the original premise is flawed: I don't think any bank would have a policy stating they will not insure your account against fraud if you store your password somewhere outside of your own head. Enforcing that rule would require passwords to be easy to remember, and consequently easy to guess. The most secure passwords are long random character strings, which most humans would have to write down or store somewhere. The bank may "advise" you not to write down your password on a piece of paper where others can see it, but asking you not to record it anywhere would reduce security, not enhance it. Of course, I'd have to read the particular bank's conditions to know for sure.

Furthermore, it seems pointless for a bank to have a rule like this because you could always lie and say you didn't store it anywhere. It would be a nearly unenforceable rule.

Edit: despite what I think, here's a bank that has the rule you are referring to, although it is somewhat vague: http://www.amp.com.au/accountacessandoperatingconditions (See page 7). The short of it is: "Memory Aids" are allowed but you must take "reasonable" measures to ensure it is not compromised. I would interpret that to mean an encrypted password manager is more than adequate.

share|improve this answer
4  
'The most secure passwords are long random character strings, which most humans would have to write down or store somewhere.' - True, but banks aren't always with the times on these things. My bank (one of the four largest in Australia) had a maximum password length of 8 characters until a few years ago... – sapi Jun 3 '14 at 23:23
4  
My bank's advice is to "never write down your passwords - or store them on your computer" (natwest.com/global/security/security-advice/protect-yourself/…). OTOH, that's just their user facing advice. Their actual legal terms are different: "You must not disclose your Security Details to any other person or record your Security Details in any way that may result in them becoming known to another person". That "may" is troubling. Anything you do with your password may result in somebody else knowing it, at least at a theoretical level. – Jules Jun 4 '14 at 0:00
2  
@sapi - you just reminded me of perhaps my favorite stack exchange answer of all time: security.stackexchange.com/questions/33470/… – TTT Jun 4 '14 at 2:17
2  
@jules - I agree. "May" leaves the door open for the lawyers. For example, if you are held at gunpoint and you reveal your password, well you just "disclosed your security details to another person" and that's not allowed! I hope reason and good sense will prevail. – TTT Jun 4 '14 at 2:26
    
@TTT: not allowed is not exactly right. The bank is not going to sue its customers, who were the ones losing their money anyway. They are, however, going to do their best to avoid having to cover the damage... – thkala Jun 4 '14 at 16:30
up vote 3 down vote

Well really the point of this advice is more along the lines of "Don't put your password anywhere". As otherwise stated, this is a legal statement intended to cover the bank's asses in case the password gets stolen.

In the sense of a password manager, it's really nothing more than writing your password in a book and storing it in a safe.

If someone were to find the key to your safe, open it, find your password in the book and use it to empty your bank account, then the bank couldn't be held liable at that point because it was your fault for having it available.
In the same sense then, your password manager is the safe. In the event that someone manages to breach the security of your password manager, then any information that can be obtained by said password manager is still the liability of the person who put the information there.

tl;dr: I would have to say no, in the legal sense it wouldn't matter what kind of superstitious protection you're using, you've still written your password down in such a way that it can be retrieved.

share|improve this answer
1  
There are many kinds of password managers. Eg some are taking website url AND typed-in password to create a hash that's send to bank as password - in this case the password is not stored anywhere except user's memory. (But it is processed by potentially malicious third-party tool) – Agent_L Jun 4 '14 at 13:42
    
Regardless, that's still a point of access to the bank account that a potentially malicious individual could exploit. In that case, the bank can still maintain that it isn't liable if this was used as an attack vector. – Thebluefish Jun 4 '14 at 15:40
    
I agree that this is a question of liability. It is possible to start a brute force attack on a password manager. However, in almost all cases it is impossible to attack a four-to-eight-digit-pin on a bank card in the same way because after +/- three trials the card will be locked. – Claude Jun 11 '14 at 13:34
up vote 1 down vote

In many cases it's not advice, banks are putting it in their terms and conditions that users do not write their passwords down or divulge them in any way, or forfeit any credit and payment protection. So admitting to using a password manager would be a bad idea as banks could use that as an excuse not to help.

Can people still use password managers? Sure, as long as they remember not to mention it if the worst happens. The thing is, most people have only one bank, so one password - why should they need a password manager for that?

share|improve this answer
1  
Could you provide a link to a bank's terms and conditions stating this? I'd love to attempt to dissect it because it seems like a bad precedent to me... – TTT Jun 3 '14 at 21:24
    
I found one- I added a link in my answer. – TTT Jun 3 '14 at 21:55
    
Another is here, and somewhat less reasonable than the ones you found: nwolb.com/TermsAndConditions.aspx – Jules Jun 4 '14 at 0:06
6  
"The thing is, most people have only one bank, so one password - why should they need a password manager for that?" - I already have dozens/hundreds other passwords stored in a password manager - why should I make an exception and store this one somewhere else? – user11153 Jun 4 '14 at 12:01
5  
"one bank"? This assumption is just that, an assumption. Most people that I know use more than one bank. The reasons vary from past employers using another bank to the person having chosen a loan, insurance or banking program with better terms. Not to mention having to also memorize a bunch of different passwords and PIN numbers even for products of one bank... – thkala Jun 4 '14 at 16:21
up vote 1 down vote

Banks would advice not to write down your password as it would make it accessible to everyone who is able to get his hands on whatever notebook/paper/note you used to write it down and able to read. In analogy, using password manager would make password accessible to anyone who is able to use machine with password manager and know how to use it (which i would call as accessible skill as reading).

Should you use password manager and how safe it is? Well, it mostly comes to your personal culture of regulating access to your computer and overall security of system. If you're not letting strangers to use your machine, have user account password and master-password for password-manager, i see no problem in utilizing password manager. It's not safer then memorizing your password by any means, but in case if unauthorized access to your account would happen because of someone taking advantage of password manager most banks (or at least those which i happened to work with) won't just put whole blame on you and would help to recover damage especially if you would be able to prove that your password wasn't easily accessible and you've done required minimum of precautions.

share|improve this answer
1  
The point of a password manager, is to secure passwords in encrypted format that requires a strong "master password" to access. "Other people" are not able to read passwords, even if they know how to use password manager, or mount cryptographic attacks on the password store. Store is designed to resist all reasonably plausible cryptographic attacks. – Thomas W Jun 4 '14 at 3:44
1  
@ThomasW: except when your computer is compromised the master password is easily obtained via keylogger. I'd argue that it's in practice much less secure than the plaintext password written down on a piece of paper you keep in your home. – Michael Borgwardt Jun 4 '14 at 11:37
    
@ThomasW: Lots and lots of password managers (especially those which build-in to browsers, such as pretty popular LastPass) by default would type password for you on demand without requirement to provide master password. Then you don't even have to know password in the end of a day to gain access to bank's web application. – JagdCrab Jun 4 '14 at 13:46
1  
@Michael Borgwardt: Some password managers like KeePass have security features to protect against keyloggers. The master password can be entered on the secure desktop and the stored passwords can use two-channel auto-type obfuscation. I won't claim that these measures will work against all keyloggers but typing the plain text password from a piece of paper while there is a key logger running on your system is certainly less secure. – mgronber Jun 4 '14 at 14:10
1  
I would argue that if the machine is compromised then whether the password is copied/pasted from a password manager or typed in by the user from memory is irrelevant... – thkala Jun 4 '14 at 16:25
up vote 1 down vote

Storing the password in a decent password manager is likely more secure than whatever method most of the people complying with the policy is using.

It may be that a typical password manager is violating the word of the policy, but probably not the spirit of the policy, since the password manager is more secure. What the implication of that is in an actual case is a question for a lawyer - not a security expert.

Storing an encrypted version of the password is the most obvious way to implement a password manager, but it is not the only way. A password manager does not necessarily have to store the password at all.

A password manager could generate passwords based on the following inputs:

  • Master password
  • Name of site the password is for
  • Which month was the password generated
  • What is the password policy of the site

If you feed all of the above as seed to a PRNG and use that to generate a uniformly random password among all of the passwords permitted by the policy, then the password should be just as secure. The only information you need to store is when the password was created plus some information which is not secret.

The real purpose of an approach like this would be to avoid losing passwords due to lack of backups. But as a side effect it would work around policies that do not allow storing the password.

share|improve this answer
    
Good point. I've generally felt that storing a set of password encrypted is a better approach for a password manager, as it allows you to change the master password, and prevents individual sites brute forcing your master password. However, you are right that the hashing approach avoids storing anything! – paj28 Jun 6 '14 at 8:36
up vote 1 down vote

Its a technicality, but, when I type my password into a website, the browser is "capable" of being a password manager. Therefore, if they request that you never write down your password, and include a password manager, entering into a browser would be a violation of the terms. Now since they have you to use the "website" which primary means of access is a browser, they are forcing you to break the terms of service.

At that point, it really becomes a question of if they are forcing you to use a password manager, can they say that you violated the terms of service?

also, just because something is in the terms of service, does not mean it can be upheld if its not reasonable see here and here

share|improve this answer
    
All online banking systems I've seen set autocomplete=off on the login form for exactly this reason. +1 because of your last paragraph which is a good point! – paj28 Jun 6 '14 at 8:34
    
@paj28 autocomplete=off is a false sense of security. with Current Chrome, FF, safari, IE10 and bellow, that is fair. IE11 for some strange reason changed everything. according to msdn.microsoft.com/en-us/library/ms533486%28VS.85%29.aspx "As of Internet Explorer 11, the autocomplete property is no longer supported for input type=password fields." But there one and only example of how to use autocomplete: "<input type="password" autocomplete="off"/>". To me this makes no sense, and there is no good justification for this either. but it goes to show, that you cant trust a browser. – Jdahern Jun 7 '14 at 4:38
up vote 0 down vote

In my experience, in the U.S., banks accept little to no responsibility for fraud resulting from a stolen password. It is typically right in the terms of service that you are responsible for anyone accessing your account using your credentials. That is WHY they advise you not to write them down. They may assist you depending on the circumstances, but I'm pretty sure that they are under no obligation to do so.

That being said, I use a password storage tool (1Password) all the time and am quite content with the level of security it provides me in keeping my 800+ passwords safe. (Obviously, those aren't all banking passwords... ;-) It also keeps each entry in it's own file for easy/quick syncing with Dropbox or similar cloud sharing services.

The only protection banks usually guarantee to provide is for credit card fraud, (or outright theft, of course, as in a bank hold-up.)

share|improve this answer
    
I didn't know that (and I'm not convinced you're correct) but in Europe it is completely different, at least for consumers. Your bank covers fraud in almost all circumstances, unless you have been negligent. – paj28 Jun 6 '14 at 8:35
    
@paj28 - In response to your comment, I reviewed my bank's (Chase) terms of service looking for any guarantees of protection and found none. They mention things like 'you should promptly notify us in the case of suspected fraud' so they can 'assess how best to help you.' Lots of things like that, but no stated liability for anything. They may work with you, at their discretion, to restore your balances, but, again in my opinion, that would be most likely if they can recover the funds inappropriately removed. Or perhaps if you are a long-term/favorite/highly-desirable customer. – MrWonderful Jun 6 '14 at 17:49
    
@paj28 - I also updated my answer accordingly. Thanks! – MrWonderful Jun 6 '14 at 17:50
    
@MrWonderful, Thankfully in the US, Federal laws (and State laws) still do supersede a bank's own Terms of Services and a bank's own judgement. For instance, The Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA) have precise requirements for limiting a bank's liability vs. a client's liability for fraud, but they make no mention of stolen passwords or stolen pins. consumer.ftc.gov/articles/0219-disputing-credit-card-charges consumer.ftc.gov/articles/0218-electronic-banking – Stephan Branczyk Jun 8 '14 at 2:59
    
In the case of debit cards, take a look at the second link I provided regarding the Electronic Fund Transfer Act (EFTA). That Act is more relevant to debit cards than the other Act. And as long as you report the fraud promptly, it doesn't matter if someone captured your pin with a photo-lens/shoulder-surfing, or if you have a malicious keylogger installed on your computer, your liability is limited based on how much time you take to reasonably discover and report the fraud to your bank. – Stephan Branczyk Jun 8 '14 at 3:11

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.