Capital One asks users to not use a password manager for “security reasons” [Updated]

Password managers are the number one tool people use to give every service a unique and complex password, but that does not help when a large company forces you to type the password in by hand and not use a password manager for “security”.

Update at the bottom of the article with an official statement from Capital One.

As usual with things like this, Troy Hunt was tagged and gave a few great responses to Capital One about ways users can use secure passwords without a password manager.

After events like this, companies find out from the tech community exactly how wrong they are in blocking password managers, and they try really hard to move the conversation off Twitter.

My personal biggest pet peeve is when a company with a non-sensitive issue tells the user to call them to continue chatting or send a DM. This just pulls the bad responses or answers they may give out of the public spotlight, but it does not make the social account look good.

Do you know what the correct answer to this original Tweet by Greg would be?

Oh thanks for the feedback, I will get this passed along to the team that manages the site and see what they can do.

We will end this with Tweets to Capital One showing that the developer/security/appsec community despises “this is for security” as a response for not using a secure password manager.

UPDATE: A spokesman for Capital One reached out to give an official statement.

We apologize for any confusion that our tweet created regarding our support of password managers. To clarify, we support password manager use and appreciate the value that they bring customers who are managing complex passwords across multiple sites.

At Capital One, only during initial password set-up are users restricted from cutting & pasting/auto filling into the “Retype Your Password” confirmation field. This restriction is to limit future login issues for customers who may have a typo, then duplicate the error by pasting it into the password confirmation field.

We appreciate the feedback and are exploring the removal of manual entry requirements to make it easier for users to create and autofill complex passwords.

Anthony Rossbach

A developer who has built large-scale services that handle millions of requests daily. Anthony also created and runs the hosting service NodeHost.