Surprise! Your online banking password might not be as secure as you thought

Several major banks don't use case-sensitive passwords.
Written by Zack Whittaker, Contributor

It turns out several leading US banks do not require case-sensitive passwords, which could make it easier for someone to access your account.

A thread on Reddit on Friday pointed out that Wells Fargo, the third largest bank in the US, doesn't require its customers to enter a case-sensitive password. Other users confirmed the issue, whereas other banking customers began checking their own accounts and noted that Wells Fargo isn't the only banking giant to follow such a policy.

Among those, Chase is confirmed to not require case-sensitive passwords, and some accounts belonging to Capital One and American Express are known to not require case-sensitive passwords.

But other banks, such as Bank of America, HSBC, and USAA, required customers to enter exact, case-sensitive passwords.

The financial industry isn't the only one that doesn't enforce strict password rules. Blizzard, a video games developer, doesn't require players to enter a case-sensitive password, and Facebook's rules are more complicated. It allows passwords in a reverse case, which indicates the user left the caps-lock key on.

But does that put a user's security at risk? Long answer short, it depends.

"Case-insensitivity by itself doesn't have to be much of a security problem," said Per Thorsheim, a password expert and security researcher.

"Case-insensitivity does make things easier for hackers, but there's a lot of other factors that must be part of the equation for a definitive yes or no," he said, such as not rate-limiting the number of password attempts per second or minute.

"Length [of passwords] trumps any other password parameters," he said.

He gave an example: The number five, typed out 248 times. "In most cases [it's] a good password, but most systems won't accept you trying to use it," he said.

In other words, a lack of case sensitivity is not necessarily a bad thing on its own, but adding it together with other poor security requirement factors could lead to serious problems.

There are a number of theories about why banks in particular still use case insensitive passwords. The most common one is that many older banks will be running decades-old back-end systems, which in many cases don't support case-sensitive passwords.

On the bright side, most banks -- including Chase and Capital One -- allow two-step security, so even if someone has your password, they still need to jump through several other hoops in order to log into your online bank accounts.

If you haven't set up two-step already, now might be a good time.

Stop using '123456' as your password

Editorial standards