Is the Wells Fargo Mobile App Anti-Security?
It is always interesting to me how banking apps, both web and mobile, specifically make a smartphone or tablet app very hard to use if you use a password with high entropy (see this Wikipedia article on password strength and especially “Entropy as a measure of password strength”).
Since I use a password manager (LastPass) with literally hundreds of sites in my ‘vault’, I use very strong passwords. They are comprised of upper/lowercase letters; numbers; special characters; and are ones that make it simple to have quite strong passwords for anything that matters (and they’re all different!).
So what do I have to do on my iPhone? Open my LastPass vault app; log in to LastPass; find my Wells Fargo account; touch it and, in the popup, choose “Copy Password”; and then open the Wells Fargo app and choose the Password field; then choose “Paste”.
EXCEPT THE WELLS FARGO APP DISALLOWS PASTING A PASSWORD IN THE PASSWORD FIELD!
The problem is this: There is NO way I could ever remember my password since it is so long and contains so many characters of different types. Curiously, the Wells Fargo app also disallows pasting anything into the Username field…so I can’t even do a workaround by pasting my high entropy password temporarily into the Username field and then typing it in the Password field.
Get your shit together Wells Fargo. With this app developed this way you are DISCOURAGING THE USE OF STRONG PASSWORDS!
Of course, they do say on their website here that, “We take your privacy and security very seriously. Read about why our mobile banking services are secure. Learn more…” but I’m not going to dumb-down my password to use their mobile app.
About Steve Borsch
Strategist. Learner. Idea Guy. Salesman. Connector of Dots. Friend. Husband & Dad. CEO. Janitor. More here.
Omg seriously this is so annoying. How stupid is Wells Fargo’s IT department? Good lord. It’s almost like they want to be hacked.
I had the same problem with the app and the website until I realized Wells Fargo requires passwords that are 6-14 characters long, and only letters and numbers. If you look at the source html of the website you can see the password field has a “maxlength” property of 14.
When using Firefox on the desktop, it let me (mistakenly) enter a longer password. I assume it just truncated it to 14 characters. On iOS though, the password is pasted into the field but rejected by the web server, and the app just refuses to allow a paste.
Once I changed my password to be 14 characters long both the app and the website function correctly.
Changed my password to 14 digits and now I can paste on the mobile app.
Sheesh…I haven’t checked for a while. You mean this password issue is still going on between the website and the mobile app? I’m going to investigate again and ping them.
Roger (above) is correct. 14 digits or less. The app should provide an error as I’m sure they’ve lost some customers due to their ‘bad UI’.
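Added example, not part of the original post or comments and not the bank's code: a sketch of the policy reported in the comments above (6-14 characters, letters and numbers only), showing how a silently truncating field makes two clients submit different strings, how explicit validation reports the problem instead, and the entropy ceiling the policy imposes. The sample password and all function names are constructed for illustration.

```javascript
// Policy as reported in the comments: 6-14 characters, letters and numbers only.
const POLICY = { min: 6, max: 14, allowed: /^[A-Za-z0-9]+$/ };

// Models a field with maxlength=14 that silently drops the extra characters
// (the behaviour the commenter assumed for the desktop browser).
function truncatingField(input, max = POLICY.max) {
  return input.slice(0, max);
}

// Explicit validation: never alters the input, returns every reason it fails.
function validatePassword(pw, policy = POLICY) {
  const errors = [];
  if (pw.length < policy.min) errors.push(`shorter than ${policy.min} characters`);
  if (pw.length > policy.max) errors.push(`longer than ${policy.max} characters`);
  if (!policy.allowed.test(pw)) errors.push("contains characters other than letters and numbers");
  return errors;
}

// True when a truncating client and a non-truncating client would submit
// the same string for this pasted value.
function clientsAgree(pasted) {
  return truncatingField(pasted) === pasted;
}

// Upper bound on entropy (bits) of a uniformly random password.
function maxEntropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Constructed sample: 20 characters, mixed case, digits and symbols.
const generated = "Tr7#kQ9!vLx2@Zp5mW8$";

console.log("truncated to:", truncatingField(generated));
console.log("clients agree:", clientsAgree(generated));
console.log("validation errors:", validatePassword(generated));
// 62 = letters + digits; 94 = printable ASCII without the space.
console.log("policy ceiling (bits):", maxEntropyBits(62, POLICY.max).toFixed(1));
console.log("generated ceiling (bits):", maxEntropyBits(94, generated.length).toFixed(1));
```
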