How a bad password policy at Bank of America reduces security

By | June 9, 2023

Yesterday, I was helping my elderly uncle reset the password on his Bank of America account. My uncle, alas, uses the same password on every web site, a password which has been in so many security breaches that I’m surprised any of his accounts stay secure for more than a few days.

I’ve of course been trying to get him to stop doing it—at least for important accounts like his bank account—by getting on TeamViewer with him when he needs to reset the password on one of these accounts and changing its to a three-word passphrase that I can easily read him over the phone and he can write down accurately in a notebook.

Let’s be clear here: a passphrase consisting of three random words is quite secure. When you add to that the fact that the BoA web site frequently requires two-factor authentication via telephone, it’s more than secure enough for most users’ purposes. (To be clear, no, I am not endorsing SMS here over stronger forms of 2FA, but SMS 2FA is a lot better than none, and it’s about all a bank is going to be able to get someone like my uncle to use.)

And yet when we finally made it to BoA’s password reset screen, which involved entering the last six digits of my uncle’s account number, his SSN, the last four digits of his debit card number, its expiration date, and its CVV (!!), I discovered that BoA wasn’t going to allow me to use a passphrase, because its “strict” password policy requires passwords to contain at least one upper-case letter, lower-case letter, and number.

Why is this bad? Well, just to give one example, “mummy-eagle-vanilla” is a much strong password than “1Direction”, and yet BoA prohibits the former but allows the latter.

My uncle won’t use a password manager. He can’t use random-characters passwords because I won’t be able to read them to him accurately over the phone when helping him change them, he won’t be able to transcribe them accurately into his notebook, and it’s impossible for him to type them accurately from his notebook when he actually needs to use them to log in. Passphrases are my only chance of weaning my uncle off of using the same password everywhere, so BoA’s web site actively prevents me from making my uncle’s account more secure.

It is unfathomable to me why companies where security is important continue to get this wrong, especially when solutions like this one are widely available and have been for many years.

Print Friendly, PDF & Email

One thought on “How a bad password policy at Bank of America reduces security

  1. Roland

    Jik, it’s all about MVP. I learned the hard way when my mother died that most institutions care little about how their policies impact people, just their bottom line. Even after showing up at one bank’s branch with a death certificate in hand I could not get them to stop sending credit card offers to my dead mother, whose mail is now going to me. Many other institutions have no process for removing someone from their customer list when they have died. That one struck me – the one behavior that is guaranteed in this life is death, and yet there is no policy in place for a behavior that will be exhibited by every customer??

    I left BofA long ago over their dehumanizing policies. Find a local credit union whose staff will get to know your uncle and help him when he gets stuck. With respect to pass phrases, substitute numbers for dashes and capitalize and you are set to go: “Mummy1Eagle1Vanilla”. It is no more secure but at least you can manage it easily and the bank will accept it.


Leave a Reply

Your email address will not be published. Required fields are marked *