In today’s digital world, so much of our personal information is just a password and a click away. And when it comes to coming up with a password for secure online banking, it’s important to come up with something that will keep you and your finances safe. We’ve come up with the following password guide to help you figure out how to stay safe on line. Take a look and see if your passwords are secure enough.
1. Avoid the obvious
While you may be tempted to use your birthday or phone number or even the word “password,” don’t do it. These practices are all more common than you’d think and doesn’t lead to secure online banking. Try to come up with something that no one in the world would ever guess.
2. Go For Long, Not Short
Short passwords can be easily memorized by someone looking ever your shoulder and are easily cracked using certain types of hacking software. Make yours longer, maybe an entire sentence, if possible. The more characters there are, the harder it will be to figure out.
3. Don’t Write It Down
Writing down your password is never a good idea. You never know what that slip of paper might end up in the wrong hands! Come up with something that’s complex, but that you’re also able to memorize.
4. Mix it up
Use a variety of different characters: upper-case letters, lower-case letters, number, even a !, &, or a %. The more variety you can use, the better. You can even get creative. For instance, “sandcastle” can turn into “s&castle.”
5. Change Your Password Often
It’s easy to get lazy and use the same password year after year, but internet security experts suggest changing your password every 30 – 60 days. Think of it as changing locks on your online life once a month. It’s free, easy, and keeps your online bank account as secure as possible, so why not do it?
6. Don’t Use the Same Passwords for All of Your Accounts
In the event that someone figures out one of your passwords, the last thing you want is for them to be able able to access all of your personal information. A good rule of thumb is to have one password for less sensitive information (i.e., social networking sites, email, instant messaging) and another for sites that contain your financial information.
7. Verify the Site
Following these simple rules will help you keep your financial information safe and secure.
What other tips (without sharing too much, of course) do you have for making your passwords secure?
Comment on this article
Comments
Al on January 25, 2011 at 10:35am
Unfortunately Ally doesn't allow passwords longer than 16 characters. Passwords locked at a certain length are no more secure than a short password. A smart criminal would not try a password that is not allowed by the system. Maybe this could be changed so I can use a longer password?
Ally on January 25, 2011 at 11:30am
This is the type of feedback that’s really great, Al. We’ll definitely look into this for you and pass it along to our team over here.
Billy on January 25, 2011 at 3:15pm
Use a service like LastPass or KeePass to generate and store unique, random passwords for all your online accounts.
Ally on January 25, 2011 at 5:31pm
Ahh, we’ll check those out, and might just write a follow-up post on them, Billy. Thanks for that!
Amy on January 25, 2011 at 11:22pm
I would love to see more institutions do what my company does, prompt me to change my password. Sure, that is annoying in some ways, but if it redirects you to change the password every x number of days it makes it easy to remember to do it. If there is too much of a fear of complaints, that could be an opt-in feature.
Ally on January 26, 2011 at 12:04pm
That’s a really interesting suggestion, Amy. The opt-in feature would make it really interesting since that would be a pretty dramatic change to user experience. We’re passing it along to our team!
Peter on January 26, 2011 at 1:50pm
I think that there should be an option available to people so that they can restrict unrecognized computers from accessing their accounts. If a person want to change their settings (so that they may again gain access from an unrecognized computer) the person could simply change their settings from a computer that is already recognized, or call Ally and ask it to be changed. This would allow for those of us who feel the need for the added security to be able to choose this option, without inconveniencing those who do not feel this is necessary. I hope this idea is helpful.
Ally on January 26, 2011 at 2:25pm
We currently have something similar, Peter, but that might be something that we can look further into. Keep those suggestions coming. We love hearing feedback and figuring out better ways to help you.
Brian on January 26, 2011 at 3:25pm
Please do not implement a requirement to change passwords, as Amy suggested. That policy can backfire and result in some folks writing down passwords they can't possibly be expected to remember. Gentle reminders to change passwords periodically are more effective.
Ally on January 27, 2011 at 9:54am
Thanks, Brian. Any and all feedback is good to us and it’s great to have a discussion about these things. Appreciate the feedback!
Amy on January 28, 2011 at 8:35am
I can see what Brian means about it backfiring. The reminder is a great idea. Perhaps a "It's been x days, click here to change your password" alert would work. I think it would fill the need I have to be reminded while making it less likely that the less security conscious would resort to writing it down.
Ally on January 28, 2011 at 1:05pm
Wow, Amy and Brian, you guys are great. A consensus reached on a suggestion? We’re pushing this through to our team over here to review.
ryan on February 3, 2011 at 3:40pm
Unfortunatley the ally password sytem sucks. My password is shorter than I like and harder for me to remember because of all the requirements like using a special character. Id rather have a long password without an upper case letter or special character than a short one with that. Its actually self defeating in my mind. Becaise to have a long password with that I couldn't remember, but if I didn't have that I could remember a longer password. But that's just me. IMO requiring atleast a 9 character password with no further restrictions is better than requiring say a 6 or 7 character password with requiring a special character, and an upper case letter, and all of this. Plus it makes it easier to remember without those extra requirements so the user is more willing to make it longer and won't have to write it down. The best option though that I am going to start doing is to use a password manager so I have have a long complex password that has no meaning. The thing about passwords is they are much easier to remember if they have meaning to the user, the trick is to do that in a way that's not easy for someone else to figure out, forr example just using your pets name, yay is has meaning to you but is also too obvious to others.
Ally on February 4, 2011 at 10:44am
Thanks for the response, Ryan, and feedback on our password system. We’ve heard some good suggestions on this post so far, and we’re really enjoying all of the responses.
lisa on April 7, 2011 at 6:06am
thanks for info. How do I change my password?
Ally on April 7, 2011 at 2:55pm
Glad that you enjoyed the link, Lisa! It’s pretty simple to change your password (hopefully to something more secure!). When logging in, just select "Forgot Password," located beneath the box where you log in. Enter the email address you used to first signup and we'll email you a link with instructions to update your password within 24 hours. Thanks again for the comment!
Isolveree on July 6, 2011 at 1:27am
Absolutely with you it agree. In it something is also to me this idea is pleasant, I completely with you agree.
linda d. on July 18, 2011 at 2:24pm
I put in a couple of wrong letters in the password and it locked me out. I didn't even get the security questions to reset it. Then I had to make the payment by phone because I make all the payments but my husband's name is on this particular car so they can't tell me anything else. there was an extra 15.00 added to it because of it being paid by phone.
Jack on July 22, 2011 at 2:49pm
Hello. Is Ally considering a 2 factor authentication system at all? Something like RSA SecurID? This would be my preference. We are seeing more and more consumer websites implementing this type of system (Google, Paypal). Thanks.
Sheila on December 9, 2011 at 2:40pm
I cannot seem to be able to find out how to set up a user name and password. What am I missing?
Ally on December 9, 2011 at 3:11pm
Mind giving us a call and one of our customer service reps can walk you through this in much more detail, Sheila! You can give us a call anytime, 24/7, at 1-877-247-2559. Thanks!
Roberta on January 15, 2012 at 6:27pm
The blog is cool
Ally on January 17, 2012 at 9:23am
Thanks for that, Roberta!
Adam on June 21, 2012 at 7:16pm
Another vote for two factor authentication, especially with the recent release of the mobile website and mobile apps. Thanks for being awesome, Ally.
Ally on June 21, 2012 at 7:18pm
Thanks for the vote of support, Adam! We’re glad to hear you’re happy with us here at Ally Bank. Let us know if you have any questions. Thanks!
Brian A. on June 24, 2012 at 6:06pm
2-factor auth would be such a nice feature. Something simple like how Google and Facebook handle it would be fine and would add quite a bit of security.
Ally on June 24, 2012 at 6:08pm
We appreciate the suggestion, Brian! Passing this along to our team over here. Should it get implemented, we’ll be sure to let our community know.
William on August 4, 2012 at 10:50am
Absolutely, banking sites should use 2-factor authentication - I'm inclined to suggest that this should be legislated... Please consider supporting Google authenticator, RSA tokens, SMS loops - any of these would demonstrate Ally's commitment to online security.
Ally on August 4, 2012 at 10:52am
Appreciate the suggestion, William. We’ll be sure to pass this along to our team over here. Thank you!
Kyle on August 27, 2012 at 11:59pm
I was signing up for an account with Ally when I thought to think about two-factor authentication. Unfortunately, I had to stop and go with ING instead. Please let me know if this gets implemented.
Ally on August 28, 2012 at 12:02am
We’re sorry to hear that, Kyle. We currently protect our customers with two factor authentication that includes Safekeys challenge questions, in addition to username and password. We take security very seriously over here, and our team is always working to ensure we have the best security possible for our customers. Should you decide to change your mind, we’d love to have you here at Ally Bank! Please let us know if you have any other questions.
timothyoc213@wowway.com on September 13, 2012 at 12:43am
how do i change my log in user name?
Ally on September 14, 2012 at 4:17pm
Timothy, please give our Ally Care team a call 24/7 at 1-877-247-2559. They'll be able to help you out here. Thanks!
Ally on September 14, 2012 at 4:17pm
Timothy, please give our Ally Care team a call 24/7 at 1-877-247-2559. They'll be able to help you out here. Thanks!
Bob on September 28, 2012 at 9:05pm
I was considering Ally, but the lack of a true two factor authentication solution is a deal breaker for me. I suspect I'll go with USAA which is using Verisign's solution like paypal does.
Ally on September 28, 2012 at 9:07pm
We’re sorry to hear that, Bob. We currently protect our customers with two-factor authentication that includes Safekeys challenge questions, in addition to username and password. We take security very seriously over here and will pass this feedback along to the right people. Our team is always working to ensure we have the best security possible for our customers. Should you decide to change your mind, we’d love to have you here at Ally Bank! Please let us know if you have any other questions.
Tyler on October 27, 2012 at 2:43am
Challenge questions and key images are not two-factor authentication. For real two-factor authentication you need to have a system in which login requires me to provide a time-limited single-use token, tied to a physical device in my possession, in addition to my password. This can be implemented by texting a single-use token to a pre-registered cell phone number, by integrating with a smartphone app like Google Authenticator, or by providing a separate key dongle such as a Yubikey. I'm glad you are willing to answer these questions online, but please relay this to your IT department. Along with Bob, I am another potential customer who cannot consider your bank until this flaw is resolved.
Ally on October 27, 2012 at 7:01am
Thanks for the suggestion, Tyler. Passing this along to our team over here. We take security very seriously, and our team is always working to ensure we have the best security possible for our customers, including new authentication methods in the future. Should you decide to change your mind, we’d love to have you here at Ally Bank! Please let us know if you have any other questions.
Cory on November 16, 2012 at 1:52am
Another vote for 2-factor Authentication using something like what USAA uses. Tyler summed it up very well. PLEASE consider this!
Ally on November 16, 2012 at 7:01am
Thanks for the recommendation, Cory. Passing this along to our team over here.
Zach on December 11, 2012 at 11:06am
One more vote for two factor authentication. I find that Google Authentication works really well. Also, on a side note, it would be great in your mobile app to let us zoom in on the image so we can make sure they are clear.
Jared on January 15, 2013 at 1:04am
Safekeys is not two factor authentication. It verifies that we are on the real Ally site. It does not verify who who the user is. Two factor authentication is required to log in in ADDITION to a username or password. On Ally if someone broke my username and password they would be in. I really hope that Ally would at least give users the option to use a two factor authentication process such as google Authenticator. This would make the site significantly more secure and make me more comfortable.
Ally on January 17, 2013 at 2:55pm
Thanks for your feedback, Jared. We appreciate it. We’ll pass it on to our team.
Joel on January 19, 2013 at 3:34am
I signed up for ally without thinking about if they had two factor authentication. Now I know they don't, i'll hold off on transferring any money and most likely close the account.
Ally on January 26, 2013 at 1:07pm
Thanks for your comment, Joel. Ally is serious about protecting our customers' assets. We provide a safe and secure environment to allow you to feel confident in conducting your banking transactions online. Our primary authentication (entering username and password) is supported by a unique configuration of security layers. While some of our security practices are customer-facing, many live behind the scenes, providing a stronger level of protection for your assets than is visible. We’re always working to ensure we have the best security for our customers and hope you’ll feel confident that all your transactions are protected through our Online Banking Security Guarantee.
Chris on April 5, 2013 at 6:24am
As of the writing of this post, the posters who say that Ally is currently not using 2-Factor Authentication are correct. Two factor authentication REQUIRES that there be a TWO separate FACTORS of authentication. Username/Password - (Something the user KNOWS) 1-Time Use Token - (Something the user HAS) When the two above factors are combined and correctly authenticated at login time, then 2-Factor authentication is correctly implemented. Please do share these comments with your Information Security / Assurance / Technology teams. By the way, I noticed when I logged in to my account that there was an announcement that said: "Where's the SafeKeys phrase?" I hope this means Ally is really LISTENING to its feedback from its customers and will implement REAL 2-Factor authentication...
Gary on April 7, 2013 at 8:41am
Please implement TRUE 2-factor authentication -- that is, deploy a token or app that generates a one-time use code or some system to send one-time use codes out-of-band (e.g., by text or call) -- which is essential for security, especially when targeted keyloggers and trojans are increasing common. "SafeKeys" is NOT 2-factor authentication.
Heather on April 17, 2013 at 5:57pm
One more vote for true 2-factor authentication. This would make me feel so much more secure about using an online bank!
Ally on April 19, 2013 at 5:02pm
Thanks for the feedback, Heather. We’ll be sure to pass this on to the appropriate teams.
Chris on May 2, 2013 at 8:24pm
Another vote for two-factor. After becoming a substantial client of Ally I hope to see this soon. You seem to be serious about being the best bank out there, and this is kind of a deal breaker these days.
Wade on November 27, 2013 at 10:07pm
Another vote - no insistence - for two-factor. I study security breaches for a living and the single biggest contributor for system intrusions is weak and stolen passwords. You tell users to make strong passwords, but that ignores the fact that long/complex passwords can be stolen (via malicious software that is extremely common) and reused to access accounts just as easily as short/simple ones. In my professional opinion, an organization that is serious about security doesn't rely on passwords alone for applications like bank accounts. I like Ally's customer service and savings rate, but I'm most likely going to switch due to this issue. It's almost 2014, two-factor is easy, very effective, and a no brainer.
Ally on December 2, 2013 at 4:11pm
Thanks for reaching out, Wade. Your security is our top priority. In fact, we do employ multi-factor (or two-factor) authentication. Earlier this year, you were required to setup new security features during login. These security features provide the additional layer of security you are asking about. Since you mentioned crimeware, we’d also like to let you know that as an Ally Bank customer you are eligible to download Webroot® SecureAnywhere free of charge. This anti-virus, anti-malware software removes and protects computers from malicious software. While logged in to your account, please go to the Security Center for information on how to download. Thank you for being a customer! To verify your Security Code Delivery features are still setup correctly, please log into your online Ally Bank account, go to the MyProfile section and select Security Code Delivery features. Here, you will be able to edit your current settings. If you have any questions, please feel free to reach out to our Ally Care team – we’re here 24/7 – by phone 1-877-257-ALLY (2559) or by chat.
Brian on December 10, 2013 at 12:03pm
Two-factor authentication -- and I mean *real* two-factor authentication, *not* security questions or security images -- is a must in today's security environment. As an Ally customer, I am disappointed that it seems that my bank account is less protected than, for example, my social media or online gaming accounts. I encourage Ally to take security to the next level and support real two-factor authentication.
Ally on December 13, 2013 at 3:32pm
Thanks for sharing your feedback, Brian. Your security is our top priority. In fact, we do employ multi-factor (or two-factor) authentication. Earlier this year, you were required to setup new security features during login. These security features provide the additional layer of security you are asking about. To verify your Security Code Delivery features are still setup correctly, please log into your online Ally Bank account, go to the MyProfile section and select Security Code Delivery features. Here, you will be able to edit your current settings. If you have any questions, please feel free to reach out to our Ally Care team – we’re here 24/7 – by phone 1-877-257-ALLY (2559) or by chat.
John on December 30, 2013 at 10:55pm
I guess I'm confused about what this "security code delivery" is intended to be used for. The way it should work is that whenever there is a log in attempt to my account from a computer that Ally does not recognize, it will send me an authentication code via text to my cell phone. I have logged onto Ally using various computers, as well as logging on after clearing my cookies on the computer I'm using now. Not once have I been prompted to enter a security code before being allowed to log in. I have two factor authentication set up with my Google account and it does what it should every time, even if all I do is clear the cookies on my home computer. Please explain how Ally's security code is supposed to work? Thanks
Ally on December 31, 2013 at 1:11pm
John, thanks for your question. We take online security seriously, which is why we provide strong protection through multi-factor authentication at login. As you’ve noticed, our system’s decision to challenge authentication is not determined solely by the fact that you’re using a registered device. Instead, we look at a number of factors to determine if a log in reflects your normal patterns. This reduces the number of times legitimate customers get “challenged,” while focusing on additional verifications for log ins that appear abnormal. For more information, please visit our Security Center to see the many methods we use to protect you and to read our Online and Mobile Security Guarantee. Thank you for being a customer.
Ally Q. on January 6, 2014 at 1:46pm
Ally, Why don't you offer true two-factor authentication? It's clear from this page that many of your users (and potential users) want it.
Ally on January 8, 2014 at 2:45pm
We do use true two-factor authentication for our users because our customers’ security is our top priority. In fact, we have two different multi-factor authentication solutions that are used at login. In order to provide you with the best online experience, two-factor verification is not obvious for most logins. If, however, we decide that we need additional validation, we will request you to enter a security code that you receive through text or email. Two-factor authentication is comprised of something you know (security code/password) and something you have (mobile device or email account). All of our customers were required to set up these security features over the past year. If you’re not currently an Ally Bank customer, we’d love to answer any questions you may have! You can also read more about how we protect our customers on our Security Center page here: http://www.ally.com/security/index.html. If you’d like to speak to someone from our Ally Care team, give us a call at 1-877-257-ALLY (2559) – we’re here 24/7. You can also chat with us online.
John on January 13, 2014 at 8:21pm
Could you give examples of when the use of a security code would be required? For example, if I attempted to login from my neighbor's computer, would it trigger the need for a code, or would the system assume it was me since it was the same geographical location? Does a login attempt from another city or state automatically require code verification?
Ally on January 14, 2014 at 5:08pm
John, we appreciate your question. We take the security of our customers very seriously. For this reason, we do not share specific details about how we protect our customers at login. If you’re interested in learning more about how we protect the security of our customers online, head over to our Security Center on allybank.com: http://www.ally.com/security/index.html. Thank you for being an Ally Bank customer!
John on January 18, 2014 at 8:16pm
I've read the information, but it does nothing to clear up when and how the security codes are used. As others have pointed out, it's not two factor authentication unless you are prompted to enter a code when a login attempt is made from an unrecognized device. I understand that Ally might have a different definition, but it's a definition not generally accepted by most people. I would ask that Ally update their security practices to require a validation code for any and all login attempts made from an unrecognized device. Only then can Ally claim to be doing everything they can to protect our accounts. Thanks
Mark on January 30, 2014 at 10:56am
I agree, I would feel much more comfortable with a TRUE two-factor authentication system. I use Google Authenticator for any site I use that supports it, and would love to see Ally embrace this form of security.
Bob on April 12, 2014 at 7:49pm
Dear Ally, what we are asking for here is 2-factor authentication EVERY TIME WE LOGIN, not just the first time a new browser is detected. You guys are way behind the other banks on this.
Thomas on April 17, 2014 at 11:35pm
Please offer us the option to have token and password based two factor authentication required for every login. I understand you want to reduce login frustration for some customers so you have defaulted to an algorithm that triggers a two factor authentication for login attempts that raise a red flag. Many of your customers take security more seriously than worrying about the hassle of additional steps.
David on April 25, 2014 at 10:52am
Another vote for two-factor authentication that uses a security code sent by text message and/or something like google authenticator.
David S. on April 28, 2014 at 12:15pm
I would LOVE two-factor authentication at Ally, is there a possible chance we could get that enabled? I use Googles authenticator app on my android phone for the 6 digit code, would love Ally take advantage of that too :)
Kevin on May 1, 2014 at 9:42pm
+1 two-factor authentication
Allen on May 3, 2014 at 10:03pm
I am a loyal Ally Bank customer and a security software engineer with experience in secure network products. Please let the tech team know that the Ally's current authentication is out-of-date. It is critical to update to the "true" two-factor authentication with username/password plus mobile-phone (or home-phone) for every log-in. Thank you.
Tanay on June 4, 2014 at 2:50am
I also vote for a true two-factor authentication system using SMS or Google Authenticator.
Ross K. on June 6, 2014 at 7:20pm
I am very much interested in using two-factor authentication. Note that safe phrases are NOT two-factor.. they are just another form of one-factor. In order to support two-factor you must require them to enter something they have (one-time password generator) along with something they know (password and safe-phrases). Please please please implement real two-factor.
Ross on August 6, 2014 at 7:53pm
In light of today's events, has any progress been made on TRUE two factor login authentication, as opposed to a magical black curtain of "security taken very seriously" and applied at certain unstated times? I may just be overlooking the option, but at this point, this seems like a pretty basic option for a financial institution to provide. Security questions don't really cut it anymore. Thanks for listening.
L G. on August 14, 2014 at 11:39am
I vote for a true two factor login authentication system.
Bob on August 25, 2014 at 8:06pm
Ally, are you working on this yet?
Robert on September 4, 2014 at 10:49pm
My goal is have true 2 factor authentication for all my financial sites I use by the end of 2015. I will not be doing business with any financial sites that do not have it. It's up to Ally if they want to keep my business. Thanks
Paul on September 13, 2014 at 9:34pm
+1 for 2-factor authentication! Also, please remove the use of insecurity questions as account backdoors when 2-factor auth is enabled -- as Apple does. Then we can have a single page for login again and stop wasting time logging in via two separate pages (what a waste of time!). Thanks for your consideration in the matter.
Jay on September 28, 2014 at 2:07pm
I'm also interested in the same thing. I have an account with Capital One, formerly ING. The main reason I'd like to leave is to get with a bank that's far more forward thinking when it comes to technology. Assuming that many banks are about the same -- they hold my money and they're FDIC insured -- the main differentiator for me is the technology that I can use with the bank. How good are the apps, how good is the website, and -- you guessed it -- do they offer two-factor authentication. I'm amused that all Ally does is parrot back the line "We take the security of our customers very seriously." Yeah, thanks but the proof is the pudding. I want two-factor authentication and I want it to work with an app like Google Authenticator. (There are competing apps. The point is that it uses the time-based authentication keys.) This is important to me because I travel internationally sometimes, where I have to use computers that I don't always trust. If one were to get a hold of my password (through a keylogger or other nefarious software), I'd be in trouble. On top of that, I DO NOT have access to my phone account when traveling internationally and thus cannot get text messages. However, I DO have my phone with me, so using the authenticator app would be very easy for me to use two-factor. Google's email accounts do this so well, and so effortlessly, I strongly encourage Ally to take a look at them, understand how they work, and make the Ally accounts work the same way. I'm not very impressed by the response that I see from Ally in this thread. They've had long enough to implement 2-factor authentication. The first bank I can find that does gets my account. I had hoped it would be Ally Bank as I had heard good things. Maybe not.
icknay on January 23, 2015 at 7:09pm
Hey, I want 2-factor also! Every time I do the highly insecure "your first pet's name" stuff, a little part of me dies. Where I work, they just use the TOTP standard, so you can use any number of apps or whatever for it. The new FIDO U2F standard looks even better, as it is phishing resistant. PLEASE PLEASE PLEASE!
Bob on June 12, 2015 at 4:49pm
Please support FIDO U2F, it would really give you a competitive advantage over other banks!
Ramon on August 31, 2015 at 5:55pm
+1 on FIDO U2F its affordable and for now Hack proof!
Authorize c. on May 13, 2017 at 9:06am
I really like how some websites require you to authorize the computers you use to log in with, like having a code emailed to you or sent as a text to your phone, then you enter that code into the website before logging in. I would feel very confident in the security of my Ally account if you considered enabling this type of feature for online banking. My other banking and even health insurance websites use this feature. I hope you consider it.
Ally on May 23, 2017 at 9:38am
Thanks for sharing your feedback! We'll pass your request along to the team.
Jonathan on December 17, 2017 at 10:59pm
It's nearly 2018 and no u2f support from an "online" focused banking product, thats just crazy. I'll take my money and my yubikeys some place that plays nice with u2f.
Michael M. on July 4, 2018 at 6:30pm
Please add U2F Fido keys. They're a great standardized security solution.
Rowelyn on July 5, 2018 at 10:41am
Can you please give an example