Is the Wells Fargo Mobile App Anti-Security?


The Wells Fargo iPhone app disallows using the “Paste” capability in the phone to paste in long, high entropy passwords copied from my LastPass vault.

It is always interesting to me how banking apps, both web and mobile, specifically making a smartphone or tablet app very hard to use if you use a password with high entropy (see this Wikipedia article on password strength and especially “Entropy as a measure of password strength“).

Since I use a password manager (LastPass) with literally hundreds of sites in my ‘vault’, I use very strong passwords. They are comprised of upper/lowercase letters; numbers; special characters; and are ones that make it simple to have quite strong passwords for anything that matters (and they’re all different!).

So what do I have to do on my iPhone? Open my LastPass vault app; login to LastPass; find my Wells Fargo account; touch it and, in the popup, choose “Copy Password”; and then open the Wells Fargo app and choose the Password field; then choose “Paste”.


The problem is this: There is NO way I could ever remember my password since it is so long and contains so many characters of different types. Curiously the Wells Fargo app also disallows pasting anything in to the Username field…so I can’t even do a workaround by pasting my high entropy password temporarily in to the Username field and then typing it in the Password field.

Get your shit together Wells Fargo. With this app developed this way you are DISCOURAGING THE USE OF STRONG PASSWORDS! 

Of course, they do say on their website here that, “We take your privacy and security very seriously. Read about why our mobile banking services are secure. Learn more…” but I’m not going to dumb-down my password to use their mobile app.

About Steve Borsch

I'm CEO of Marketing Directions, Inc., a trend forecasting, consulting and publishing firm in Minnesota. Prior to that I was Vice President, Strategic Alliances at Lawson Software in St. Paul where I was responsible for all partnerships at this major vendor of enterprise resource planning software products and services. Read more about me here unless you're already weary of me telling you how incredible and awesome I am.


  1. Julian Santos says:

    Omg seriously this is so annoying. How stupid is Wells Fargo’s IT department? Good lord. It’s almost like they want to be hacked.

  2. I had the same problem with the app and the website until I realized Wells Fargo requires passwords that are 6-14 characters long, and only letters and numbers. If you look at the source html of the website you can see the password field has a “maxlength” property of 14.

    When using Firefox on the desktop, it let me (mistakenly) enter a longer password. I assume it just truncated it to 14 characters. On iOS though, the password is pasted into the field but rejected by the web server, and the app just refuses to allow a paste.

    Once I changed my password to be 14 characters long both the app and the website function correctly.

Leave a Comment