Capital One asks users to not use a password manager for “security reasons” [Updated]

Posted by - Anthony Rossbach
On - October 13, 2018

Password managers are the number one thing people use so that all services have a unique and complex password, but it does not help when a large company forces you to type it in and not use a password manager for “security”.

Update at the bottom of the article with an official statement from Capital One.

Hey there Greg! Thanks so much for reaching out and bringing your concerns to our attention. Regrettably that feature is not available for security reasons. In order to access your account you would have to type your password into the required fields. ^ALEW
— Capital One (@AskCapitalOne) October 9, 2018

As normal with things like this Troy Hunt was tagged and gave a few great responses to Capital One for ways users can use secure passwords without a password manager.

For your security, @AskCapitalOne would like you not to use a password manager. Alternatives include:

– PostIt note on monitor
– Predictable keyboard pattern
– Your dog’s name with an exclamation mark on the end
– “Capital0ne” (see what I did with the O – genius!) https://t.co/ZXhKBsfH4d
— Troy Hunt (@troyhunt) October 9, 2018

After events like this company’s find out from the tech community exactly how wrong they are in blocking password managers, and they try really hard to make the conversation leave Twitter.

The only attention this deserves is from your web team changing this password field to allow the pasting of passwords. It's an easy fix that 10/10 #infosec people would agree with
— Greg Tiber (@TiberGreg) October 9, 2018

My personal biggest pet peeve is when a company with a non sensitive issue tells the user to call them to continue chatting or send a DM. This just pulls the bad responses or answers they may give out of the public spotlight, but it does not make the social account look good.

Do you know what the correct answer to this original Tweet by Greg would be?

Oh thanks for the feedback, I will get this passed along to the team that manages the site and see what they can do.

We will end this with Tweets to Capital One showing that the developer/security/appsec community despises “this is for security” as a response fo not using a secure password manager.

There are no circumstances where disabling pasting of passwords in browsers enhance security.

Love,
the world's appsec community
— Jon Are Rakvåg (@jonarer) October 9, 2018

You guys sponsor #securitynow on @TWiT with @SGgrc. Any episode of that podcast would tell you that preventing the use of password managers is a bad idea.
Not a customer of yours, and am not even in your country, but it irks me that someone probably got a bonus for this "feature"
— Ian Yates (@IanYates82) October 9, 2018

“Security reasons” !? pic.twitter.com/iJZ5wXGcGg
— Sergio Rodriguez (@lordserch) October 9, 2018

Here's a free tip for you, ^ALEW & @AskCapitalOne: If you're ever tempted to write "security reasons" again, just stop. Instead, fix your site, rather than lecturing incorrectly and damaging the security of your customers. (My credit unions do security so much better than you)
— Richard Johnson (@tab2space) October 10, 2018

There are no justifications for blocking paste ‘for security reasons’. Capital One just made the list of banks I cannot give my business to.
— Robert Moir Official (@RobertoMoir) October 10, 2018

https://twitter.com/webster/status/1050052533580894210

pic.twitter.com/i8ORmfBhV7
— Talking Cryptocurrency (@talkcryptoshow) October 10, 2018

Are you serious?

Thankfully, I have no active accounts with your company.

I would NOT trust my finances to a group that COMPLETELY FAILS to understand security.

Password managers INCREASE security.

Your method ensures POOR passwords which equals POOR security.

Wise up!
— Mike Rodriquez (@MikeRodriquez) October 9, 2018

What year is this? People are still doing this garbage? But Y tho.
— Kirk McKenzie? (@realthecaffiend) October 10, 2018

This is a security weakness on your part. Websites are not _ever_ supposed to prevent a user from pasting a password. That's an awful idea from a security perspective. It will only cause users to select poor passwords just because they can't be easily typed into the browser.
— ?? Adrienne Cohea ?️?️ (@AdrienneCohea) October 11, 2018

@aegeanairlines @gakonst Are you for real? Unbelievable stupidity from the Capital One. Sort it out!
— BedBoo (@BedBooIE) October 9, 2018

UPDATE: A spokesman for Capital One reached out to give an official statement.

We apologize for any confusion that our tweet created regarding our support of password managers. To clarify, we support password manager use and appreciate the value that they bring customers who are managing complex passwords across multiple sites.
At Capital One, only during initial password set-up are users restricted from cutting & pasting/auto filling into the “Retype Your Password” confirmation field. This restriction is to limit future login issues for customers who may have a typo, then duplicate the error by pasting it into the password confirmation field.
We appreciate the feedback and are exploring the removal of manual entry requirements to make it easier for users to create and autofill complex passwords.

Anthony Rossbach

A developer that has built large scale services that handles millions of requests daily. Anthony also created and runs the hosting service NodeHost.

Capital One asks users to not use a password manager for “security reasons” [Updated]

Anthony Rossbach

What Symantec research into Buckeye using Shadow Brokers Leaked tools before they where leaked actually means

Windows update suspended after reportedly deleting user files

Canadian banks Simplii Financial (CIBC) and BMO received messages from hackers saying they have customer data

When you put a device online without protection, within minutes it will become a target of attacks as seen by Jake Lahtinen

Equifax shares that more was stolen in the data breach

Sophos finds photo apps hiding malware on the Android Play Store