How Much Security Is Too Much Security?

Banks in India—and, I suppose, all over the world—are obsessed with security, as well they should be. Unfortunately, however, most of the restrictions and checks they put in place in the name of security not only make banking inconvenient, they actually make it less safe.

HDFC Bank, for instance, forces you to change the online banking password for your current account (and maybe other types of accounts as well) every three months. Needless to say, this is a monumental hassle. Even beyond that, however, it is a glaring security risk.

Human beings are not good at remembering passwords. And when you force them to try to memorise a new one every few months, they are going to do one of two things—they’ll either start using the same two or three passwords in rotation (which significantly reduces the security this measure was put in place to provide) or start writing them down somewhere, most probably in a much less secure location than their own memory.

This essentially ensures that, at some point, they will either forget to write down the latest iteration of their password or lose the full list somehow, whether it be on a scrap of paper or in a plain text document on their computer. In any event, it is clear to me—and please feel free to correct me if you think I am wrong—that requiring your customers to change their password against their own wish is a recipe for disaster.

Even setting aside the security concerns, it is just a pain in the rear. I am a reasonably tech-savvy person and have enough sense to not keep my pet’s name as my password and to not write it down on the back of the diary in my wallet or the notes application on my phone.

I use the immensely useful 1Password application on my iPad, iPhone and Mac to keep generating new and complicated passwords and keep track of them. I am not very paranoid about security—some would even say I am very not paranoid about security, to the point of being reckless—but in the age of web services getting hacked left, right and center, I figured it was a good idea to have different passwords for different accounts. 1Password takes almost all the headache out of managing all these passwords and allows me to securely keep them on hand at all times.

Even so, when HDFC Bank last asked me to reset my password, I was on my iPad, where the 1Password app is not as well integrated as it is on Mac OS X, due to Apple’s restrictions on third-party applications on iOS, and could not step in to replace the old password automatically when I changed it. I seem to remember having opened the app manually and replaced the password but, in any case, I cannot log into my online banking account using the password I have saved in 1Password’s database now.

And this is me, tech blogger extraordinaire, who is having a hard time keeping up with password changes that are abruptly and unexpectedly forced on me; just think of the poor masses who set “jony123” as their password everywhere and still manage to forget it at inopportune moments!

-Aayush

Saturday, June 25, 2011 — 12 notes