
Ask HN: What banks don't have cartoonishly bad password practices? - curuinor
Chase and Wells Fargo passwords are case insensitive....
======
skylark
It's a financially motivated decision. Banks have a high percentage of people
who are tech illiterate. Many of these people don't use the password reset
when they forget their password; they call tech support, which costs banks a
lot of money. Banks realized they could reduce this call volume by making
their passwords case insensitive and simply refund people if their accounts
get breached.

Most banks also have a mandatory security question, which makes it marginally
more difficult to get brute forced.

Source: Used to work at a bank. Would not recommend.

------
ajeet_dhaliwal
When I moved back to the UK after having had US and Canada bank accounts for
several years it made me realize how much bad service British people are
willing to put up with in comparison. Logging into a UK bank account online
(the worst imo is HSBC) is a total nightmare. You need to know 4
passwords/pins, and have either a security code generator device or phone app
that will generate one for you. For my North American banks, including one
Canadian account I still have, it's simply the number on your debit card and a
password, about as hard as logging into email.

------
Rjevski
In the UK the challenger banks like Monzo, Starling, etc are pretty good.
Monzo just emails you a "magic link" to log in; Starling uses a proper password
you can use your password manager to remember.

------
imauld
> Chase and Wells Fargo passwords are case insensitive....

How do they keep any sort of regulatory compliance?

~~~
sova
Please see
[https://news.ycombinator.com/item?id=4285954](https://news.ycombinator.com/item?id=4285954)

------
twobyfour
Case insensitive isn't necessarily insecure. It just means you'll want a
password roughly twice as long for equal security. Now, if they do that and
also limit passwords to, say, 8 chars.... argh!

------
jrowley
Simple.com is pretty solid from a security standpoint from my limited
observations as a consumer, although they only offer two factor via SMS (not
TOTP like Google, etc.)

------
bananicorn
We even have a local bank which only allows numeric passwords... They have
two-factor authentication though.

------
muzani
Is case insensitive really a bad thing? Bank logins aren't exactly brute
forceable.

------
tudelo
The username and password are case insensitive btw :)

------
splodge
Any bank that uses passwords in preference to two-factor authentication?

