VIDEO: Good password advice from NatWest? Don't bank on it

NatWest Bank has a seemingly new section on its website where it has posted a number of videos about computer security.

A noble effort, and one which I'm sure they did with the right intentions - but I'm afraid that their advice around online passwords is flawed.

As I explain in my video response, their advice on how people can remember lots of different passwords for different websites is fundamentally flawed.

The problem? They're telling people to use a formula to create their password. Yes, that does mean that users will end up with different passwords, but it also means that if someone finds out your password in one place and also determines your formula, then they will be able to unlock your accounts anywhere else online too.

Not a great solution, especially when the person trying to crack your accounts might be a former partner who you once shared one of your passwords (and your formula) with.

Instead, use a password manager. Then you will have truly unique, hard-to-crack passwords for all of your online accounts.

If you enjoyed my video, please consider subscribing to my YouTube channel so you don't miss anymore in future.

Hat-tip: Thanks to IT consultant Paul Moore for first bringing NatWest's contentious video to my attention, and came up with the great title for the video.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

6 Responses

  1. Neil

    November 6, 2015 at 9:21 am #

    Good advice. But which password manager(s) do you recommend?

    • Marco Fiori in reply to Neil.

      November 6, 2015 at 4:29 pm #

      Was going to ask the same thing. Starting to think it's worth considering one moving forward.

  2. Andrew G

    November 6, 2015 at 11:09 pm #

    I'm afraid I have to disagree, I think NatWest's advice is good advice for most people.

    Password managers undoubtedly create strong & truly unique passwords, and we should definitely be promoting their use as much as possible in preference to any other method, however they're not practical for everyone. They're confusing for some non-technical people, and also don't work with Microsoft Edge at the moment which makes them much less convenient (it might be easy for us to use a different browser but many technophobes don't even know what a browser is – they think the big blue "e" icon *is* the internet).

    In terms of hackers discovering their rule, a single letter in their password won't indicate to a hacker that they've used a rule to modify a static password; the password simply won't work on whatever site the hacker is trying it on and they'll just move on to trying the next set of user credentials in their list without a second thought (this obviously doesn't apply to anyone who's being specifically targeted, eg celebrities).

    In terms of a jealous ex-lover scenario, if a user has previously told them their password and rule then they'd no doubt also be happy to share their password manager master password with them if they ever needed to share a password. Ok so that's only one password they'd then need to change if required, but a vindictive ex-lover would probably have misused a password before the victim ever thought to change their master password.

    So the benefits that NatWest's advice would bring if people followed it far outweigh the downsides of a few limited scenarios in my opinion. Personally I don't see any real reason why most people shouldn't follow the advice?

    Happy to hear counter arguments to this though, and alternative suggestions for making passwords unique!

    For those asking too, I can recommend Dashlane as a password manager – it's so simple and easy to use across devices :-)

  3. Hitoshi Anatomi

    November 7, 2015 at 8:08 am #

    We could rely on password managers but we should rely on them very modestly.

    ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account.

  4. JUK

    November 9, 2015 at 6:45 pm #

    You can also add T-Mobile / EE What ever they call them selves nowadays, to list, of crimes Against Strong passwords They will not allow any form of punctuation on your main account it's a complete joke out there. were given excellent advice from our Graham about passwords For years And still can't put it into use in some cases is Really Really frustrating given were in 2015.

  5. old_mole

    November 10, 2015 at 1:52 pm #

    ….and then there are the UK financial sites who do not recognise a £ symbol – but $ is fine in your password. Weird……

Leave a Reply