Santander Locks Horns with Security Pros, NCSC Over Password Managers

Security professionals described the bank’s resistance to third-party password managers as “absolutely backwards”.

By CBR Staff Writer

Santander has run into a little friction with security professionals, after the bank’s help desk tangled with customers over its lack of support for third-party password managers. “Why do you block pasting a password from a password manager? Your security advice is normally excellent” queried one user on Twitter.

He was told in no uncertain terms that the bank would “never recommend using third party password managers. It is no longer possible to use these for security reasons”.

“England, this stuff is getting ridiculous”

The policy drew cries of frustration from many, including well-known information security author Troy Hunt, founder of the “Have I Been Pwned” website (which lets users see if their email account has been compromised).

He responded: “OK England, this sort of stuff was funny for a while and I appreciate the laughs, but it’s starting to get a bit ridiculous. Can one of you pop down to @santanderukhelp HQ and straighten this mess out?”

He added to Computer Business Review: “Resistance to pasting passwords is very rare these days and orgs usually end up acknowledging the shortcoming and fixing it. It’s absolutely backwards and against the advice of security pros.”

The UK’s National Cyber Security Centre agrees. In an earlier blog post, the centre’s “Emma W” responded to the question “Shall I use a third party password manager?” with a categorical “yes, password managers are a good thing.”

She added: “They give you huge advantages in a world where there’s far too many passwords for anyone to remember. For example:

  • they make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
  • they are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
  • they can generate new passwords when you need them and automatically paste them into the right places
  • they can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet

“All these things are full of win. They reduce security friction – making security easier and more convenient. If security is difficult, tedious, appears to add no value or gets in the way of the main task we’re trying to do, then we tend to find (insecure) ways around it. And then we end up less protected.”

Santander remained unpersuaded. The bank told Computer Business Review: “We discourage the use of any system which would allow another person to gain access to or use the customer’s password or other security details. This may include some forms of password manager such as those built into browsers”.
