So Egg got taken over by Barclaycard. I’m not entirely happy about that, but it’s why I ended up having to go through enrolment for online account management with Barclaycard.

Let’s see what passwords, etc, they ask for:

1. The first thing Barclaycard wants is a “memorable word, for instance your favourite colour or the place you were born”. OK, except the tooltip on the input explains that this must be 6-8 characters long (letters only). So if your favourite colour is green, red, blue or turquoise, or you were born in Bath, Birmingham or Bury St Edmunds then you’ll have to think of something else. What Barclaycard don’t mention on this page is that the reason for having this word is that it’s used for the standard “give us the 3rd and 5th letters” style challenge when you log in. Presumably the reason for restricting it to 8 letters is that they think people can’t count to more than 8. Guess what: I can. My favourite word is 9 letters long. Foiled. (Yes, I could have just used the first 8 letters of my word, but I didn’t know at the time what the word would be used for.)

2. You can enter a phrase to remind you what your memorable word is. Of course, this can only be a max of 20 characters long and not contain any symbols like “?”. So “What is my favourite colour?” is disallowed on both counts. Why this curious restriction is in place I have no idea.

3. Then Barclaycard lets you pick your own username. This is quite nice, and they let it be 8-20 characters. But it does have to contain a number – wtf? Why does my username have to be oliverhumpage75 instead of oliverhumpage? In the end I made it FUCKYOUBARCL4YCARD. Simple*.

4. Passcode. Oh, so many things wrong with this. The tooltip explains it must be a minimum of 6 digits. The field limits you to 6 digits max, so I guess it’s an exactly 6 digit code then. On top of that, by default it’s your date of birth (ddmmyy). You don’t, apparently, have to set it to be anything different at any point.

So when logging in you have to type your username and 6 digit code. On the next screen, you’re asked for 2 letters from your memorable word: this is done in the form of 2 dropdown menus each with 26 letters in. Now I can see why they’ve done that: if you don’t type, then nefarious keylogging trojans won’t be able to grab your details. However, I would counter with the fact that on a Mac, in Safari at least, proper password fields are *totally* protected against spying by the kernel: no other app, not your keyboard driver or anything, can see what you type. Whereas software could, very easily, see what you select in your drop downs (and keyloggers will still get you if, like me, you type to select from a menu). So personally I actually feel less secure. And it’s annoying and slower.

The improvements I’d like to see are:

1. Explanations by each of the fields in the signup form as to what they’ll be used for

2. Ability to have a longer memorable word and passcode, and more sensible restrictions on the “memorable word reminder”

3. Use proper password fields for giving the letters of the memorable word when logging in

4. Stop encouraging people to use their DoB for their passcode
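What improvement 4 could look like as an enrolment-time check, added here as an example (it is not Barclaycard's code and not part of the original post): it rejects a 6-digit passcode that equals the holder's date of birth or is shaped like any date, and measures how little of the 6-digit space ddmmyy codes cover. The function names, messages and sample date of birth are assumptions made for illustration.

```python
from datetime import date, timedelta

FORMATS = ("%d%m%y", "%m%d%y", "%y%m%d")  # common 6-digit ways to write a date

def date_codes(fmt: str) -> set[str]:
    """Every 6-digit string that is a real calendar date (1900-2099) in fmt."""
    day, codes = date(1900, 1, 1), set()
    while day <= date(2099, 12, 31):
        codes.add(day.strftime(fmt))
        day += timedelta(days=1)
    return codes

DDMMYY = date_codes("%d%m%y")
DATE_SHAPED = set().union(*(date_codes(f) for f in FORMATS))

def ddmmyy_share() -> float:
    """Fraction of the 1,000,000 possible passcodes that are valid ddmmyy dates."""
    return len(DDMMYY) / 10**6

def check_passcode(code: str, dob: date) -> list[str]:
    """Reasons to refuse a passcode at enrolment; an empty list means accept."""
    if not (code.isascii() and code.isdigit() and len(code) == 6):
        return ["must be exactly 6 digits"]
    problems = []
    if code in {dob.strftime(f) for f in FORMATS}:
        problems.append("matches the account holder's date of birth")
    elif code in DATE_SHAPED:
        problems.append("looks like a date")
    if len(set(code)) == 1 or code in "0123456789" or code in "9876543210":
        problems.append("repeated or sequential digits")
    return problems

if __name__ == "__main__":
    sample_dob = date(1975, 6, 15)  # constructed sample, not a real customer
    for code in ("150675", "311299", "123456", "839471"):
        print(code, check_passcode(code, sample_dob) or "accepted")
    print(f"ddmmyy codes cover {ddmmyy_share():.2%} of the 6-digit space")
```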

In conclusion, I give Barclaycard a big thumbs down for this shambles of an online banking signup process, and what I consider to be a less secure sign in process than many other banks. I’m none too impressed with their actual web interface either, with all its fancy graphs hiding the useful info. I shall be cancelling my new card and moving to a better supplier as soon as I can.

* No, I’m not so stupid as to publish my real username. But it is a variant of that.