This Bank Had The Worst Password Policy We’ve Ever Seen

Passwords are still often the first line of defense against hackers. That’s why it’s important to help and educate users on what a good password is.

FinecoBank, a bank with more than 1.3 million customers in Italy and the UK, suggested an unusual password strategy to its customers: copy and paste the password into Google, and see if anyone else is using it.

“Verify the security of your passwords,” FinecoBank’s website tells new customers when they set up their online account. “Insert it on Google: if it returns less than 10 results it means it’s a good password.”

A FinecoBank customer support confirmed that the bank suggests customers to Google their password in order to make the password “as secure as possible.” After we reached out to FinecoBank for comment, a spokesperson said that “we understand the criticism and we decided not to suggest anymore to our clients to do so.”

It’s important to use unique passwords for each website or service you use, because otherwise one stolen password can lead to the compromise of several accounts, as we explain in the Motherboard Guide To Not Getting Hacked. So FinecoBank has at least the right intentions, suggesting people choose unique passwords. But telling them to paste them online as a test of their strength is definitely not OK, as that could expose the passwords to Google and, perhaps, other snoopers. Instead, the best advice is to use password managers. These are programs that help you create unique passwords and store them securely. You won’t need to remember them, because the password manager will do it for you.

To make matters (MUCH) worse, FinecoBank charges a fee for customers who want to change their password, if they want it delivered via mail. In a public page on its site, FinecoBank says that customers who request a password change will receive it via mail (note: not email, actual, IRL mail) and they will be charged 0.95 euros (around $1), or 2.95 British pounds (around $3.79) if they are in the UK to get it. (FinecoBank’s spokesperson said that customers can change it for free online.)

Luckily, as part of its account activation process, FinecoBank requires customers to set up a second factor to use when logging in online or authorizing certain bank transactions, which makes it a bit harder for hackers to break into customer’s accounts.

Several people who work in the cybersecurity industry pointed at the strange—to say the least— policies on Twitter on Tuesday, likely facepalming every time they hit tweet.

“Is this a premature April Fools? Or are you serious?” wrote Gianluca Varisco, a cybersecurity expert who has previously worked in the Italian government.

Troy Hunt, who maintains the data breach archive and alert service Have I Been Pwned, was also shocked by these policies.

“WTF?” Hunt tweeted. “That’s all kinds of crazy right there.”

Subscribe to our new cybersecurity podcast, CYBER.

READ MORE HERE