Santander has run into a little friction with security professionals, after the bank’s help desk tangled with customers over its lack of support for third-party password managers. “Why do you block pasting a password from a password manager? Your security advice is normally excellent”, queried one user on Twitter.
He was told in no uncertain terms that the bank would “never recommend using third party password managers. It is no longer possible to use these for security reasons”.
“England, this stuff is getting ridiculous”
The policy drew cries of frustration from many, including well-known information security author Troy Hunt, founder of the “Have I Been Pwned” website (which lets users see if their email account has been compromised).
He responded: “OK England, this sort of stuff was funny for a while and I appreciate the laughs, but it’s starting to get a bit ridiculous. Can one of you pop down to @santanderukhelp HQ and straighten this mess out?”
He added to Computer Business Review: “Resistance to pasting passwords is very rare these days and orgs usually end up acknowledging the shortcoming and fixing it. It’s absolutely backwards and against the advice of security pros.”
The UK’s National Cyber Security Centre agrees. In an earlier blog post, the centre’s “Emma W” responded to the question “Shall I use a third party password manager” with a categorical “yes, password managers are a good thing.”
She added: “They give you huge advantages in a world where there’s far too many passwords for anyone to remember. For example:
- they make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
- they are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
- they can generate new passwords when you need them and automatically paste them into the right places
- they can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet
“All these things are full of win. They reduce security friction – making security easier and more convenient. If security is difficult, tedious, appears to add no value or gets in the way of the main task we’re trying to do, then we tend to find (insecure) ways around it. And then we end up less protected.”
Santander remained unpersuaded. The bank told Computer Business Review: “We discourage the use of any system which would allow another person to gain access to or use the customer’s password or other security details. This may include some forms of password manager such as those built into browsers”.