The Sad State of Banking Passwords

Posted Sun Sep 30 @ 12:35:29 PM PDT 2012

I have financial accounts open at Chase, US Bank, Ally, Vanguard, and Sterling Savings Bank. I thought it would be interesting to list the password policy for each. So here it is:

Chase

  • Must contain 7-32 characters
  • Must include at least one number and one letter
  • Cannot include special characters (&, %, *, etc.)
  • Cannot be the same as your User ID
  • Cannot be the same as any of the last five Passwords you've used

A max length of 32 characters seems a little small, especially since sentence-style passwords (like "district9wasthebestmovieevermadeinhistory") are all the rage. But no special characters? That's unacceptable. I can't think of any legitimate reason not to allow special characters. That horrible password policy leads me to believe Chase does not salt and hash passwords.

US Bank

For your protection, passwords must be 8 to 24 characters and include both letters and numbers. Spaces are not allowed. You may also include special characters (such as %, $, &).

Again, we see a pretty conservative length limit. But at least they allow special characters. With that short password length policy, I'd guess they don't salt and hash passwords either.

Ally Bank

The password must be between 8-16 characters long and contain at least one uppercase and one numeric character.

An even more restrictive length. Sheesh. You'd think an extra few bytes for a password wouldn't break the bank.

Vanguard

Your password must have 6 to 10 characters, including at least 2 letters and 2 numbers. Don't use spaces.

10 characters. That's awful.

Sterling Savings Bank

Sterling requires a new Password to be 8 to 32 characters in length, contain at least 1 alpha character and 1 numeric character. It is case sensitive and may not begin or end with a space. Note: The following special characters are allowed: dash (-), dot/period (.), tilde (~), exclamation point (!), at sign (@), pound sign (#), ampersand (&), underscore (_), plus (+), dollar ($). Sterling recommends changing Passwords every 90 days.

They match Chase's length maximum. But at least they allow a handful of special characters.

All in all, these banks' password policies are terrible.
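
The post's reasoning that tight length and character limits hint at unhashed storage rests on one property: a salted hash has the same stored size whatever the password's length or character set. The following is an added example, not code from the original post, using PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, record layout and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this example
SALT_LEN = 16         # bytes of random salt stored with each record


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password): always 16 + 32 = 48 bytes."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


# Constructed sample passwords, not real credentials.
SAMPLES = [
    "abc1234",                                    # at the 7-character minimum
    "district9wasthebestmovieevermadeinhistory",  # longer than every maximum listed
    "p&ssw%rd* with spaces 1",                    # special characters and spaces
]


def record_sizes() -> list:
    """Stored record size for each sample password."""
    return [len(hash_password(p)) for p in SAMPLES]


if __name__ == "__main__":
    for p in SAMPLES:
        rec = hash_password(p)
        print(f"{len(p):>3} chars in -> {len(rec)} bytes stored, "
              f"verify={verify_password(p, rec)}")
```

Every record is the same size, so neither a longer maximum nor a wider character set costs the storage layer anything once passwords are salted and hashed.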
