How to choose a password for online banking

Published June 15, 2018

Letters, numbers and (sometimes) special characters are all that keep your money from being accessed by anyone on the internet, and it's important to make sure you're following the right safety measures so that you don't fall victim to hackers.

Even worse, choosing a weak password for non-banking accounts, like email or even your cell phone provider, could leave you vulnerable to a cascade-style hack where someone gains access to your financial accounts by resetting your banking password from that trusted, yet compromised, account.

The best passwords are truly random, but we as humans aren't set up to create or remember truly random sequences. For that, you can use an online password manager and autofill your passwords. This is great because it will provide strong, distinct passwords for each site, but problematic because someone with access to your password manager will have the virtual keys to your virtual kingdom.

Another good approach is to artificially randomize a set of unique experiences that you will remember but another person wouldn't know. While your birthday, first car, pets' names, etc., can be easy to remember, they are not secure as standalone passwords; however, when you begin to combine personal information and sequence it in ways that are meaningful to you, the combinations become more secure.

Maybe a list of pets' names, in order, totaling ~25 characters. Or your teachers' last names in reverse chronological order, separated by a distinct character. When you combine those pieces of information into sequences (especially combining information from different genres), you reduce the likelihood of someone guessing your password based on personal information that they've acquired from another source, while also reducing the likelihood of a successful brute-force attack (since your combined sequence will be somewhat lengthy).

There's a huge benefit to using a different delimiter for each website (for example, if you were to use your pets' names but separate them with the capitalized second letter of the website name). This technique combines a sequence that's private to you with a pattern that makes it reproducible for you, and the result still seems random to a hacker. It is likely to be the highest security you can achieve without needing to reset your password every time you need to access your account.

Unfortunately, some services insist that you use a strong password, with letters, numbers, symbols and combinations of cases -- but don't give you enough space (character count) to make it a meaningful passphrase.

Remember that any business that can tell you your password is storing it in a way that is fundamentally flawed. Passwords should be stored using a methodology that adds two security measures: they should be hashed (meaning run through a one-way function that cannot be reversed) and salted (meaning that they should be altered in a specific way before the hash is applied). When you provide your password to log in, their software should just salt and hash your entry and then compare that against what is stored in their system -- they shouldn't be able to recover your password and provide it.

If you receive your password by email or displayed on the screen at any point after you've created it, you can assume they aren't storing it right and that your password has been compromised.
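
The salt-and-hash login check described above, sketched as an added example (it is not from the original article or any bank's actual code). It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt per user and an iteration count chosen for illustration; the function names and the sample password are constructed.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch (not taken from the article).
ITERATIONS = 600_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    """Salt and hash the password with a deliberately slow one-way function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_record(password: str) -> dict:
    """What the service stores at sign-up: a random per-user salt and the hash."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify_login(record: dict, attempt: str) -> bool:
    """Salt and hash the login attempt, then compare it with the stored hash."""
    candidate = _derive(attempt, bytes.fromhex(record["salt"]))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def demo() -> dict:
    # Constructed sample password in the style the article suggests.
    password = "Rex-Bella-Milo-Daisy-Coco"
    alice = create_record(password)
    bob = create_record(password)  # same password, different user
    return {
        "correct_ok": verify_login(alice, password),
        "wrong_rejected": not verify_login(alice, "Rex-Bella-Milo-Daisy"),
        # Per-user salts make identical passwords produce different stored hashes.
        "same_password_differs": alice["hash"] != bob["hash"],
        # The record holds only the salt and the hash, never the password itself.
        "password_absent": password not in repr(alice),
    }


if __name__ == "__main__":
    print(demo())
```

Because the stored record contains only a salt and a one-way hash, a service built this way has nothing it could email back to you except a reset link.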