Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News

      Public money, private plans: MPs demand Post Office transparency

      13 June 2025

      Coal to cash: South Africa gets major boost for energy shift

      13 June 2025

      China is behind in AI chips – but for how much longer?

      13 June 2025

      Singapore soared – why can’t we? Lessons South Africa refuses to learn

      13 June 2025

      10 red flags for Apple investors

      13 June 2025
    • World

      Yahoo tries to make its mail service relevant again

      13 June 2025

      Qualcomm shows off new chip for AI smart glasses

      11 June 2025

      Trump tariffs to dim 2025 smartphone shipments

      4 June 2025

      Shrimp Jesus and the AI ad invasion

      4 June 2025

      Apple slams EU rules as ‘flawed and costly’ in major legal pushback

      2 June 2025
    • In-depth

      Grok promised bias-free chat. Then came the edits

      2 June 2025

      Digital fortress: We go inside JB5, Teraco’s giant new AI-ready data centre

      30 May 2025

      Sam Altman and Jony Ive’s big bet to out-Apple Apple

      22 May 2025

      South Africa unveils big state digital reform programme

      12 May 2025

      Is this the end of Google Search as we know it?

      12 May 2025
    • TCS

      TechCentral Nexus S0E1: Starlink, BEE and a new leader at Vodacom

      8 June 2025

      TCS+ | The future of mobile money, with MTN’s Kagiso Mothibi

      6 June 2025

      TCS+ | AI is more than hype: Workday execs unpack real human impact

      4 June 2025

      TCS | Sentiv, and the story behind the buyout of Altron Nexus

      3 June 2025

      TCS | Signal restored: Unpacking the Blue Label and Cell C turnaround

      28 May 2025
    • Opinion

      Beyond the box: why IT distribution depends on real partnerships

      2 June 2025

      South Africa’s next crisis? Being offline in an AI-driven world

      2 June 2025

      Digital giants boost South African news media – and get blamed for it

      29 May 2025

      Solar panic? The truth about SSEG, fines and municipal rules

      14 April 2025

      Data protection must be crypto industry’s top priority

      9 April 2025
    • Company Hubs
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Altron Group
      • Arctic Wolf
      • AvertITD
      • Braintree
      • CallMiner
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • Incredible Business
      • iONLINE
      • Iris Network Systems
      • LSD Open
      • NEC XON
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SkyWire
      • Solid8 Technologies
      • Telit Cinterion
      • Tenable
      • Vertiv
      • Videri Digital
      • Wipro
      • Workday
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Motoring
      • Public sector
      • Retail and e-commerce
      • Science
      • SMEs and start-ups
      • Social media
      • Talent and leadership
      • Telecoms
    • Events
    • Advertise
    TechCentralTechCentral
    Home » In-depth » FNB’s new password policy makes its customers less secure

    FNB’s new password policy makes its customers less secure

    By Alistair Fairweather20 August 2019
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    Earlier this week, First National Bank customers woke up to a huge inconvenience: the online banking system now requires you to manually type your password. If this doesn’t sound like a big deal, it’s worth learning about a whole generation of users who rely on password managers to securely store, update and auto-fill their passwords.

    Technology and knowledge workers (including me) will often have dozens or hundreds of different accounts with different combinations of usernames, e-mail addresses, passwords and second-factor systems (also known as OTPs). Managing account credentials manually quickly leads to huge headaches such as getting locked out of vital systems (sometimes permanently). Try explaining to a client that you have permanently locked the Gmail account that owns their website’s sales data.

    (Update: FNB backs down on password decision after backlash)

    The only way to stay sane in this environment is to use a password manager. I use 1Password (one of the best pieces of software I’ve owned), but there are plenty of others — LastPass is also excellent, and there at least a dozen others (some free, some paid).

    If this sounds like whining from a tiny minority of tech geeks, you’re missing the bigger picture

    But these password managers also have a second important function: they make passwords more secure because they remove the need to remember them. My passwords are typically 30 or 40 characters long with an eye-watering assortment of symbols, digits and letters. They are generated automatically (and randomly) by my password manager.

    As such I literally don’t know any of my important passwords — they are too long and complex. I have outsourced that function to a piece of software that is much better at handling this task than me. The only password I have to remember is the one that gives me access to my password manager (hence the name “1Password”).

    Ridiculous choice

    So, by essentially forbidding me to paste my own password into my own browser, FNB has forced me to make a ridiculous choice: either stop using Internet banking (not happening) or change my password to something I can actually remember and type out (in other words something much less secure). And never mind the fact that my password manager is a password protected, military-grade encrypted vault, which is arguably more secure than most of FNB’s own servers.

    If this sounds like whining from a tiny minority of tech geeks, you’re missing the bigger picture. Many, many people store their passwords in less sophisticated digital forms like Word documents or online notes. Many also use a browser that stores their passwords for them. FNB’s site has long blocked that auto-fill feature but the implementation depends on browsers, so there are probably tens of thousands of users who unconsciously rely on one of these rudimentary password managers.

    It’s these people that FNB is concerned about. If someone were to steal the laptop of such a user, the logic goes, they would have de facto access to their online banking account.

    However, FNB’s solution will actually make this problem worse, not better. This is not a matter for debate — far smarter people than me have shown that these kinds of passwords are orders of magnitude easier to crack (that is, to guess using brute computational force) than the kinds of passwords that a password manager will produce.

    So, by forcing all users to manually type in their passwords, FNB is achieving three unintended things:

    • They are reducing the average complexity of passwords for their entire customer base;
    • They are ensuring that more people will store their passwords in insecure formats — including writing them down, or storing them on the desktop of their computer; and
    • They are dramatically increasing password churn and password reset requests via their systems. This will create more noise in their system and make it harder to distinguish between valid and fake reset requests.

    The community managers running @Rbjacobs on Twitter are doing their best to explain and mollify grumpy users. The party line, it seems, is that storing your passwords on a device is inherently insecure and remembering your password is better.

    While this approach may scale inside a corporation where you pay everyone’s salaries, it’s not going to wash with customers

    There are two big problems with that argument: firstly, stopping people from copying and pasting won’t stop them storing their passwords on a device. If your passwords are all in a text note called “Passwords.txt” then all this change is going to do is make your life slightly more annoying.

    You’re not going to change your behaviour. People are bad at remembering passwords, so they record them. Blocking the copy-and-paste feature won’t make people better at remembering their passwords. That’s just not how humans work.

    Secondly, any significant changes to your FNB bank account require a form of second factor authentication — typically this is via an SMS or a notification via the app. So, in order to do anything, including changing a password, you need access to both a phone and a computer. I respectfully submit that, if a thief has access to both your laptop and your phone, you’re in pretty big trouble and copying and pasting is the least of your problems.

    Deeper issue

    There’s another, deeper, issue with this approach. Hackers have now stolen (and distributed) literally billions of user passwords in multiple high-profile attacks and leaks from the likes of Yahoo and LinkedIn. If you think your own passwords are safe, check your e-mail address at HaveIBeenPwned. Odds are that your details have leaked somewhere at some point.

    Apart from the obvious problem of a hacker using one of these lists to guess your specific personal password, these huge databases have done something much more frightening — they have taught hackers what human-generated passwords look like. Or, more specifically, they have provided billions of data points that hackers can use to train their artificial intelligence systems to make them better at guessing passwords. This can make guessing a password — a job that would normally take a computer (literally) thousands or even millions of years to do randomly — into a 10-minute job.

    The answer to the above problem is actually pretty simple: use a password manager with long, highly random passwords, together with two-factor authentication. Until this week FNB did a brilliant job of supporting that method. This week’s change is a big step backward.

    I recognise that this change comes out of a genuine concern for the safety of customers’ accounts. This isn’t some arrogant corporate dictatorship — this is obviously the recommendation of a well-meaning security team. But the problem with every corporate security team I’ve ever encountered is, ironically, they don’t understand how to change people’s behaviour.

    They rely, instead, on brute force. Anyone who works at a bank has suffered from their maddening password policies: “All passwords must now include gang signs and squirrel noises”. But while this approach may scale inside a corporation where you pay everyone’s salaries, it’s not going to wash with customers.

    Something that’s maybe not clear is that I love my bank. FNB is one of the most innovative and forward-thinking banks in the world. I am proud to be a customer and I have been delighted by FNB’s service many, many times. This polemic comes out of a place of love. So, FNB, we implore you, don’t be kak, be lekker.

    • Alistair Fairweather is founder of PlainSpeak, a consultancy focused on helping businesses and people to get the most out of technology


    1Password Alistair Fairweather FNB LastPass top
    Subscribe to TechCentral Subscribe to TechCentral
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous ArticleEnergy minister sees unions backing Eskom rescue
    Next Article FNB backs down on password decision after backlash

    Related Posts

    Economic growth could triple this year: Absa

    26 March 2025

    Hyper-personalisation is next up in eBucks, Pick n Pay pact

    18 March 2025

    Pick n Pay strikes back at Checkers with eBucks deal

    27 February 2025
    Company News

    Huawei Watch Fit 4 Series: smarter sensors, sharper design, stronger performance

    13 June 2025

    Change Logic and BankservAfrica set new benchmark with PayShap roll-out

    13 June 2025

    SAPHILA 2025 – transcending with purpose, connection and AI-powered vision

    13 June 2025
    Opinion

    Beyond the box: why IT distribution depends on real partnerships

    2 June 2025

    South Africa’s next crisis? Being offline in an AI-driven world

    2 June 2025

    Digital giants boost South African news media – and get blamed for it

    29 May 2025

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2025 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.