Credit Union Geek

Marketing, Strategy, and The Force by Joe Winn


Even More Bad Advice – Part 2

Originally published on

If you thought the last post was awful, this one is worse. We’re back to giving bad advice. This time, we’re talking choices, external link warnings, and, because it’s my top pet-peeve, passwords again!

More Options Is Always Better

“Enjoy checking…with choice! Find the account which matches your needs from our 5 different plans. They’re basically all the same, besides a 0.01% dividend. But who cares…options are essential!”

I get the concept: By creating a solution for every possible need, you can appeal to any potential member. Thus, your membership potential isn’t any one category, it’s humans (and sometimes even that is stretched…why can’t your dog share in savings?). Now that I’m thinking about it, a savings account for your pets is pretty cool. You could put away for their essentials, vet bills, unexpected challenges, and more. It’s like a savings goal, but separated in a fun way. Ok, that one is excluded.

Where was I? Oh, yes, choices. My business works primarily with the auto lending side of credit unions. In it, there is one main goal: Encourage the member to get pre-approved. However, people look for a car before a loan (unless they have no clue what they can afford/finance). As a result, many credit unions set up car-buying resources. They include calculators, lengthy PDF guides, and external company links. In many cases, they’re not even affiliated with those outside links! (Keep this in mind; it comes up later.) What are you doing? Keep it simple! One link to do the fun “build/find a car” with a partner program (Disclosure: My company offers exactly this) and another to get pre-approved. Those outside company links? They often have their own financing programs. Bye-bye, loan (or ever knowing that member is looking to buy a car).

You may have heard of the “Paradox of Choice”. Give someone too many options and they’ll never make any decision. In fact, new research shows that this isn’t 100% true (science doubts itself always, boys and girls). What they found was that better options are better. More options for the sake of options make people do one of two things: 1) Never decide and do nothing or 2) Decide based on meaningless factors (possibly because the important ones are hard to understand or not immediately obvious). If you must offer options, make sure they are equally good and clearly different.

External Link Warnings Keep Members Safe

A vestige of the World Wide Web’s “dark ages”, these are pop-up messages telling the visitor that they are now leaving so-and-so’s website, which cannot guarantee their safety, security, or that delivery will be in 30 minutes or less. You don’t need them. Many credit union legal teams claim they are mandated, but the only reference I’ve ever uncovered is a non-binding NCUA guidance from 2003. That’s Pi, or pre-iPhone. Weather widgets, local news scrollers, and other useless distractions were commonplace on most websites. Sure, if someone was clicking from their online banking to see what the latest news is in Anytown, USA, yeah, I’d want to ensure it was clear that site isn’t us.

You’ve learned a lot since then.

And if you’re that worried about where you are sending members, why send them there? (Remember the post Trusted Partners!) I’ve seen external link warnings on links to NCUA, loan applications, and more. You have legally-binding agreements with these partners or providers! It gives me the feeling these credit unions just said, “The world is a scary place. Let’s terrify our members, too. Oh, and make sure they never use our products.”

Alright, your legal team insists the warnings are necessary. Can’t argue. Just make them friendlier! Instead of a long text field in legalese, create a bright-colored, concise text notice. “Hey, just so you know, this link goes to someone we work with. They’re great, but we have to let you know they might have different policies on privacy than us. Click here to continue or just wait 5 seconds and we’ll get you on your way!” Here’s an example from a client (name redacted). It’s still a bit long for my taste, but isn’t scary if you read it:

Simple, friendly, and still accurate. Always remember your mission. You’re people serving people. The second you adopt the terminology people associate with “big banks”, you’re no different.

So, instead of slapping warnings on every link, be diligent in working with people and companies who truly share your mission. Then you don’t need to warn anyone about anything. And, if it’s essential, be nice about it.

Passwords With Symbols Are Most Secure

We covered this in passing last time. But since the focus was on changing passwords, I want to cover this independently. Your password doesn’t need to go to the gym. And no, your password doesn’t even lift, bro.

Password strength is determined by how hard it is for a computer to figure it out, strictly by guessing. And you know the easiest way to make it really hard? Length. Not symbols. Not using aLterNatinG cases. Not replacing 13tt3rs with numbers. Sheer length. Here’s that amazing xkcd comic to explain why, once again.

If my password was “GoshIneverrememberpasswordsnomatterwhattheyare”, I can guarantee you, no computer in existence today will ever crack it. Yet you’ve already memorized it.
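To put numbers on the length-beats-symbols point, here is a small Python script, added for this page and not part of Joe’s original post, that estimates how many guesses an exhaustive search would need for the passwords that appear on this page. It scores each one under two models: a brute-force model (length times the size of the character alphabet) and the stricter word-list model the xkcd comic uses (four words from a 2,048-word list is about 44 bits), then reports the weaker of the two, since that is the one an attacker would use. The ten-billion-guesses-per-second rate, the 20,000-word dictionary, the “100 plausible years” suffix for Pet2017, and the word counts are all assumptions, not figures from the post.

```python
import math
import string
from typing import Optional

# Character classes an exhaustive guesser would have to cover.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def charset_size(password: str) -> int:
    """Size of the smallest alphabet (built from CLASSES) covering every character."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    # Anything outside the four ASCII classes (accents, emoji) counts as one extra
    # 32-symbol class. That is an assumption chosen to keep the estimate conservative.
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        size += 32
    return size


def brute_force_bits(password: str) -> float:
    """Search space in bits if the attacker tries every string over the alphabet."""
    return len(password) * math.log2(charset_size(password))


def word_model_bits(word_count: int, dictionary_size: int, extra_choices: int = 1) -> float:
    """Search space in bits if the attacker knows the password is word_count words
    drawn from a list of dictionary_size words, plus extra_choices possibilities
    for any suffix (a year, a digit). This is the model the xkcd comic uses."""
    return word_count * math.log2(dictionary_size) + math.log2(extra_choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at the given rate. Ten billion guesses per
    second is an assumed figure for an offline attack on a fast, unsalted hash."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def estimate(password: str, word_count: Optional[int] = None,
             dictionary_size: int = 20_000, extra_choices: int = 1) -> dict:
    """Score a password under both models and report the weaker one, because that
    is the one an attacker would pick. The 20,000-word default is an assumption."""
    models = {"brute_force": brute_force_bits(password)}
    if word_count:
        models["word_list"] = word_model_bits(word_count, dictionary_size, extra_choices)
    model = min(models, key=models.get)
    return {"model": model, "bits": round(models[model], 1),
            "years": years_to_exhaust(models[model])}


if __name__ == "__main__":
    # The post's own examples plus the comic's; word counts were read off by hand.
    print("Pet2017 (one word + a year):",
          estimate("Pet2017", word_count=1, extra_choices=100))
    print("correct horse battery staple:",
          estimate("correcthorsebatterystaple", word_count=4, dictionary_size=2048))
    print("Gosh I never remember...:",
          estimate("GoshIneverrememberpasswordsnomatterwhattheyare", word_count=10))
```

Two things fall out of the numbers. “Pet2017” looks like 42 bits to a naive brute-forcer but only about 21 bits to anyone who guesses “a word plus a year”, which is why symbol rules do not save short passwords. And the comic’s 44-bit passphrase, fine against a website that rate-limits logins, is exhausted in under half an hour at the assumed offline rate, so a long passphrase still depends on the site storing its hashes properly (the salted-hash point that follows).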

Many recent password leaks have had passwords figured out because the security they used was garbage. I can’t help you there. Insist their system gets an outside security audit regularly, and, if they’re responsive, ask if they’re using salted password hashes. If they aren’t, don’t give them your information.
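For readers who want to see what “salted password hashes” means in practice, here is an added Python example (not code from the post or from any vendor it mentions) that builds the same three-member password table two ways: once with a bare SHA-256, the “garbage” scheme, and once with a random per-user salt and a deliberately slow PBKDF2-HMAC-SHA256 digest. The member names, the passwords and the 200,000 iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 200_000   # assumption: raise it as far as your login latency budget allows
SALT_BYTES = 16


def hash_unsalted(password: str) -> str:
    """The 'garbage' scheme: one fast SHA-256 with no salt. Every user who picked
    the same password gets the same digest, so one cracked value unlocks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Store a fresh random salt next to a slow, salted PBKDF2-HMAC-SHA256 digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def users_sharing_digest(table: dict) -> list:
    """Given {username: stored digest}, return groups of users whose stored value is
    identical. With unsalted hashes this reveals shared passwords before any cracking."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample: three members, two of whom chose the post's "Pet2017".
SAMPLE_PASSWORDS = {
    "alice": "Pet2017",
    "bob": "Pet2017",
    "carol": "GoshIneverrememberpasswordsnomatterwhattheyare",
}


def compare_schemes(passwords: dict = SAMPLE_PASSWORDS) -> dict:
    """Build both kinds of table and report which one leaks shared passwords."""
    unsalted = {u: hash_unsalted(p) for u, p in passwords.items()}
    salted = {u: make_record(p)["digest"] for u, p in passwords.items()}
    return {"unsalted_shared": users_sharing_digest(unsalted),
            "salted_shared": users_sharing_digest(salted)}


if __name__ == "__main__":
    print(compare_schemes())
    rec = make_record("Pet2017")
    print("correct password verifies:", verify(rec, "Pet2017"))
    print("wrong password verifies:", verify(rec, "pet2017"))
```

The salt makes alice’s and bob’s digests different even though their passwords are identical, so a leaked table can no longer be attacked with one precomputed list, and the iteration count turns each guess from nanoseconds into milliseconds. That second part is what “outside security audit” should be checking for: not whether passwords are hashed, but whether the hash is salted and slow.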

With good security and strong passwords (i.e., long ones), you can enjoy the convenience of online services with little worry of your information being compromised.

I never want to see those, “Your password must include 6 symbols, 2 emoji, 3 different cases, and one name of your favorite pet” prompts again!

And that’s just a bit more bad advice.

Image credit: ArsTechnica,

Advice Which Isn’t Great Advice

Originally published on

Read this post to get a whole lot of bad advice.

You’re still here? Wonderful. Because I didn’t give up the whole story. I am giving bad advice, but then we will learn about the better alternatives. And, we will discuss why that advice was bad. Turns out, there’s a lot of it, so the discussion will be split into a couple of parts. To start…

…Let’s focus on your website, as it is the face of your institution for most of your members most of the time. It’s like a branch…does that sound familiar?

Bad Advice: Fewer clicks are better

In the early days of the World Wide Web, everything was slow. Browsers were slow. Modems were slow. Even turning on your computer was a time-consuming process. If a website took under 20 seconds to load, things were great. And now I have to click to another one? Ugh. I have plans tonight, you know!

Today, your phone, computer, and internet connection are each hundreds, if not thousands, of times faster than those original setups. If a site doesn’t load in 4 seconds, the majority of people are gone. It’s easy to tap or click your way dozens of links down a rabbit hole of “10 best” or YouTube related shorts with almost no delay. Just ignore the fact you burnt 3 hours of your life watching a chameleon walking across a branch, then a cat wearing a hat of its own fur (this exists).

While we may waste time online, very little of it is dedicated to waiting.

Give your members the right information to set their expectations properly. If a banner directs to a program, have a page presenting what they can expect, then guide them to applying/shopping/registering. If you were on Amazon and clicking on a product took you to the shopping cart, it’d be off-putting. Don’t do that to your members. Embrace the clicks, within reason.

Bad Advice: Information Can’t Be “Below the Fold”

Back in the day, scrolling was miserable. If you were cool, you had a sticky, dirty gray wheel wedged in your mouse. Otherwise, scrolling meant clicking a tiny arrow on the side of the screen. What. A. Pain. As a result, websites were made to fit within the most common screen dimensions of the day (800×600 or 1024×768). This meant a lot of info squeezed in a small area. I’ll admit. Many of our company sites years ago were sticklers for this concept. We still try to make pertinent information immediately prominent, but if scrolling makes a cleaner, more explanatory process, we’ll do it.

Today, who doesn’t scroll? Touchpads allow easy scrolling. All mice have a wheel or swipe area. Phones and tablets are built on scrolling. It’s second nature now. Which means your members are accustomed to doing it. Your webpages can go down, it’s ok.

General rule: If it’s essential, put it up top. If it’s explanatory, let it go below.

Bad Advice: Changing Passwords Often Improves Security

Wrong. Wrong1. Wrong123. Wr0ng2017. Fido.

How many sites do you sign in with the same password? If the answer is “none”, then you’re obviously using a password manager, or they’re written down on your desk. If the latter, get rid of that list. More than likely, you reuse your favorite password everywhere. It’s ok. You’re not alone. Passwords stink.

This piece of bad advice is my biggest pet peeve. Until recently, it was the official recommendation of the Federal Government, and is still policy at many credit unions (kudos to VyStar, who only offered partially bad advice…smiles!). I actually got into an argument with one of the largest CUs in the US for suggesting it. I’m sorry for their members.

If I asked you to make a complicated password, what would it be? Random letters and numbers (impossible to remember)? A common word with a 1 at the end (possible)? A pet’s name (likely)?

Now, imagine I told you to change it every three months, “in the name of security”. Would you come up with a more complicated password, or a simpler one? Research has shown the latter to be true. If “MyPetIsTheMostAwesome2016” was your original, perhaps the new one would be, “MyPetIsTheMostAwesome2017”. Until they say it has to change more than that. So then you use, “Pet2017”. For the next cycle, you use “p3t2017”. And a few months later, you just gave up and wrote it on a post-it note stuck under your desk.

“Security experts” (despite being Norton, their advice is awful) claimed that changing your password ensured it was safe. As if passwords are slowly degrading over time. Wrong. They’re either compromised or they’re not. If you have a long, complicated, but easy-to-remember password, stick with it (unless that service said their data was hacked). My favorite comic, xkcd, has a popular post about this topic. Go there, then tell me your password doesn’t include a correct horse with a battery staple. Do it.

In the interest of time, let’s end part one here. Did any of this advice surprise you? Have you been told the opposite by your co-workers, superiors, or trade associations? Comment here, and I’ll help connect you with the resources to educate them the right way. Hey, we can all be wrong. It’s what we do once we realize it that matters.

What other bad advice do we have to look forward to? Option overload, one final point about password strength, and those annoying “are you sure you want to continue” pop ups on your website!

Get Secure, or Else

It was the best of times. It was the worst of times. Gather ‘round, for we are going to share a story about online security.

How many passwords do you have? If you’re like most people, the answer is “one”. How many accounts do you have? Once again, the common response would be, “lots”.

Too bad those two do not go well together.

You see, we aren’t the only people online. Many are there to cause damage to your content, whether for fame, money, or to accomplish a societal end. I’m not a fan. Doubtlessly, you aren’t either. All they want is to gain access to juicy content saved online. Documents, photos, e-mails, you name it, they’re out to get it. And what’s stopping them?

Just checking, how many passwords did you say you had?

A number of high-profile leaks of photos, celebrity and otherwise, have brought to the public consciousness the fragility of online storage. An expectation of privacy might only be that, an expectation. Is there anything we can do besides just hand our lives over to the do-baddies?

Yes. I’ll go over my Top 3 ways to help preserve your security and privacy online.

1. A strong password (for every account). No, I don’t mean feeding it spinach and sending it off to the gym 5 days a week. Years of “best practices” have convinced you that the best password is one you will never remember. Well, that’s no good! My favorite online comic tells it better than I ever could. Go click that link. Now, I’ll explain with less comedy than him. Longer is better. Period. Unusual combinations of characters that you’ll remember are perfect. Unless required, don’t expect writing like t#!$ (this) will do you any good. Computers are great at guessing. Every extra character multiplies the number of guesses a computer has to make, which is what makes your password harder to crack. I’m also a huge fan of using password managers to create long, random passwords, then saving them for future use automatically. If you use Apple products, turn on iCloud Keychain. For cross-platform, 1Password is a good choice, and there are others, too. But what if they do get your password?

2. Two-factor authentication. Think of when you pay by debit card. You must scan the card in the terminal, and then either enter your PIN or sign a receipt. Two things must align for the transaction to be approved (or not contested later). However, when you sign on through a website, you enter your password and then…well, you’re in. Two-factor authentication adds a level of security which requires you to prove your identity, typically with your cell phone. When you get your login correct, the site will then send your phone (often by text message) a unique code that must be entered to sign on. The presumption is that a hacker might guess your password, but won’t also have your phone. It does add a step into signing on, but you can have systems not ask again based on a few variables, perhaps, whether you have changed location, or used a different device. I’ve activated this security feature on every service I have. You can see how to activate it for systems you use by checking here.

3. Be smart. Ok, so now you’ve created unique, memorable, yet difficult-for-computers-or-other-people-to-guess passwords. Then, you secured those accounts with a second layer of protection. Congratulations! You’re already much more protected from damaging hacks. Now, let’s keep it that way. Remember the old adage, “if it looks too good to be true”? Still applies! The hackers realized they can’t break into your accounts, so they need you to open the door for them, or let them just peek in from time to time. They’re going to go about that in two ways: Phishing and malware.

  • Without blasting some old Phish tunes, phishing is when you receive a message or visit a site that looks like it’s trustworthy, yet is not. I’ve never found a legitimate company that sends out e-mails asking their users to enter their password “or else”. A bank will never request your password, nor will your social media services. If it seems suspicious, go to the site by typing the address yourself and check for announcements.
  • Malware is the online equivalent of tapping the phone line. If you keep your computer updated with the latest security releases for every program, this is a lesser concern. However, if you are tempted by that free download of The Avengers or Windows 10, be aware those treats might have some creatures hiding inside. The last round of malware that affected Mac users was isolated to a pirated copy of a popular software program. There’s no such thing as a free lunch.
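Point 2 above describes the texted-code step from the member’s side. For anyone building or evaluating that step, here is an added Python example (not code from the post or from any service it names) of what the server has to get right: the code is random, is stored only as a keyed hash rather than in the clear, expires, works exactly once, and is voided after a few wrong guesses so that a six-digit code cannot simply be guessed. The five-minute lifetime, the three-attempt cap, the per-process server key and the `ManualClock` test helper are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a texted code is good for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses void the code
# Assumption: a per-process key for the demo; production would use a managed secret.
SERVER_KEY = secrets.token_bytes(32)


class ManualClock:
    """Test clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class OneTimeCodeStore:
    """Server side of the 'we texted you a code' step. Codes are random, stored only
    as a keyed hash, expire, work once, and are voided after a few wrong guesses."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user_id -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code: str) -> bytes:
        # A six-digit code is low entropy; keying the hash stops someone who reads
        # the store from tabulating all one million digests. The attempt cap is the
        # real defence against guessing.
        return hmac.new(SERVER_KEY, code.encode("ascii"), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Call only after the password (first factor) has checked out. Returns the
        code to hand to the SMS or push sender; it is never logged or stored in clear."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = {"digest": self._digest(code),
                                  "expires": self._clock() + CODE_TTL_SECONDS,
                                  "attempts": 0}
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False   # nothing pending: never issued, already used, or burned
        if self._clock() > entry["expires"]:
            del self._pending[user_id]
            return False   # expired; the member must request a fresh code
        entry["attempts"] += 1
        ok = hmac.compare_digest(self._digest(submitted), entry["digest"])
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]   # single use, or burned after too many tries
        return ok


def wrong_code_for(code: str) -> str:
    """Demo helper: a six-digit code guaranteed not to match the one issued."""
    return "000000" if code != "000000" else "000001"


if __name__ == "__main__":
    clock = ManualClock()
    store = OneTimeCodeStore(clock)
    code = store.issue("member42")
    print("wrong guess accepted?", store.verify("member42", wrong_code_for(code)))
    print("right code accepted?", store.verify("member42", code))
    print("replay accepted?", store.verify("member42", code))
    code = store.issue("member42")
    clock.now += CODE_TTL_SECONDS + 1
    print("expired code accepted?", store.verify("member42", code))
```

The order of the two factors matters: `issue` is only ever called after the password check passes, so a wrong password never triggers a text and never tells anyone whether the account exists. The single-use and attempt-cap rules are what make the “they might guess your password, but they don’t have your phone” presumption hold up.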

The most common hacks happen when online baddies gain access to a list of usernames and passwords from some compromised site. Then, they just use those same credentials all over the internet. Do you have any e-mail/password combinations that would work in more than one place?

We are past the age when anti-virus software (Windows) was all you needed to be safe on your computer. As we keep more of our personal and professional lives online, it becomes more valuable to try and gain access to it. Stay ahead of those fiends with these strategies. I will post on occasion about other security steps you can take. Oh, and if you’re using an iPhone 5S or later, use Touch ID!

© 2018 Credit Union Geek
