Is there any way to use a password manager with bank websites?


Like many banks, the ones I use have multi-step security for online banking, which seems to defeat the use of secure passwords. Do any p/w managers have a workaround for this? E.g.

Santander – requires a Personal Account ID (unique) followed by a Passcode (8-16 character password) and a Registration number (5 digits)

Societe Generale uses a “Client code” (10 digits) then a 6 digit PIN.
Others use a selection of numbers from a PIN or characters from a password and lots of variants, while others have code generating hardware gadgets.

None of these seem to be capable of use with a P/W manager so we are thrown back to the most primitive techniques for arguably the most important online security when we can use sophisticated ones for the marginal ones.

Incidentally the Societe Generale one seems best as the PIN is entered via an on-screen pop-up keypad that you mouse-click on, which appears at (1) random positions on the screen and (2) with the keys in random positions on the “keypad”. So no keystrokes or pointer positions are ever repeated.

  • stevelast
    As a PS, I was astonished to find that my Bank of America account DOES allow completely automatic log-in from the Dashlane PM, so their system appears more vulnerable than the European ones I mentioned.

The Societe Generale login procedure reminds me of one I was associated with a few years ago. In that case, the web page JavaScript contained the table that translated screen position to input character in plain text, and did the translation before sending the secret, rendering it useless against key loggers. Worse, and common to such procedures even when they are well implemented, is that the variable placement of the characters or digits, combined with the requirement for mouse selection, slows input dramatically compared with use of the keyboard and makes it far more vulnerable to shoulder surfing when done in a public place. None of that, of course, is needed when the login is done from a private place. In general, such gimmicks are likely to provide the look and feel of security while degrading it in fact or not improving it in the least.

Input from a decent password manager, whether by autotyping or copy and paste, is likely to be more secure than most alternatives, in most circumstances. The Santander procedure appears suitable from the description if you use a 16 character randomly generated passcode and memorize the five digit registration number.

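An added example (not from this thread and not any bank's code) of the design weakness described in the answer above: when the position-to-character table ships in the page script, the translated secret is what gets submitted, whereas keeping the table on the server means the page can only report which cells were clicked. All function names here are hypothetical, and the layout is assumed to reach the user as a server-rendered image.

```javascript
const nodeCrypto = require("crypto");

// Flawed pattern from the answer: the position-to-character table is in the
// page script, so the client translates and the secret itself is submitted.
function weakClientSubmit(layoutInScript, clickedCells) {
  return clickedCells.map((cell) => layoutInScript[cell]).join("");
}

// Server-side alternative: the layout lives only in server memory, keyed by
// a one-time keypad id; the page receives the id plus a rendered image.
const keypads = new Map();

function shuffledDigits() {
  const d = [..."0123456789"];
  for (let i = d.length - 1; i > 0; i--) { // Fisher-Yates with a CSPRNG
    const j = nodeCrypto.randomInt(i + 1);
    [d[i], d[j]] = [d[j], d[i]];
  }
  return d;
}

function issueKeypad(layout = shuffledDigits()) {
  const id = nodeCrypto.randomBytes(16).toString("hex");
  keypads.set(id, layout);
  return id;
}

// The client can only report which cells were clicked.
function clientSubmit(id, clickedCells) {
  return { id, cells: clickedCells };
}

// Server resolves cells to digits, then discards the layout so a captured
// payload cannot be replayed against the same keypad.
function resolvePin({ id, cells }) {
  const layout = keypads.get(id);
  if (!layout) return null;
  keypads.delete(id);
  if (!cells.every((c) => Number.isInteger(c) && c >= 0 && c < layout.length)) return null;
  return cells.map((c) => layout[c]).join("");
}

// Simulation helper: the user reads the layout off the image and clicks.
function userClicks(visibleLayout, pin) {
  return [...pin].map((digit) => visibleLayout.indexOf(digit));
}
```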

Thank you for that, very informative! I don’t have any knowledge of what’s happening “under the hood” on the SocGen site, but as you say it APPEARS more secure.
