It’s not about “supporting password managers”, it’s about not consciously breaking security

So this has been getting quite a bit of airtime today:

Yes, it’s ridiculous and British Gas are getting the lambasting they so deserve, but egregious security faux pas is hardly a new thing for them:

But here’s what really gets me and this tweet sums it up perfectly:

This is not about allowing password managers as though British Gas has to invest effort to make them work – that’s Internet Explorer 8 compatibility! This would make perfect sense:

As a business we’ve chosen not to have the compatibility with six year old browsers

This makes sense because it’s an investment that has to be made and you simply cannot justify the ROI in this day and age.

Lack of support for password managers is not because the organisation doesn’t want to invest the effort, it’s because they’ve been stupid enough to actively set out to disable them.

I’ve written about this before in The “Cobra Effect” that is disabling paste on password fields and that post from a year ago remains just as relevant today. But hey, they’re a large corporate which frequently means not being bound by the same rules of logic that actually explain how things work (or don’t). They’ve indicated this was a conscious decision, and large corporates make these decisions only after many spreadsheets are written and PowerPoint decks are shown, so how about this:
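As an added example (not code from the original post), here is a small static check in Node.js that scans server-rendered markup for password inputs whose inline onpaste handler cancels the event, which is exactly what breaks password managers. The sample HTML is constructed; listeners attached from scripts via addEventListener() are not visible to this check.

```javascript
// Added example, not Troy Hunt's code: audit HTML for password fields that
// block paste via an inline handler (the anti-pattern the post describes).
// Assumption: markup is server-rendered with inline attributes; handlers
// attached from scripts are out of scope for this static check.

const INPUT_TAG = /<input\b[^>]*>/gi;
const ATTR = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn one <input ...> tag into a lower-cased attribute map.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// An inline paste handler that returns false or calls preventDefault()
// cancels the paste, so a password manager's fill/paste is thrown away.
function blocksPaste(handler) {
  return /return\s+false|preventDefault\s*\(/i.test(handler);
}

// Return one finding per password field that blocks paste.
function auditPasswordFields(html) {
  const findings = [];
  for (const tag of html.match(INPUT_TAG) ?? []) {
    const a = parseAttrs(tag);
    if ((a.type ?? 'text').toLowerCase() !== 'password') continue;
    if (a.onpaste !== undefined && blocksPaste(a.onpaste)) {
      findings.push({
        name: a.name ?? a.id ?? '(unnamed)',
        reason: 'inline onpaste handler cancels paste',
      });
    }
  }
  return findings;
}

// Constructed sample: "pwd" breaks password managers, "confirm" is fine,
// and the username field is not a password field so it is not reported.
const SAMPLE_HTML = `
<form>
  <input type="password" name="pwd" onpaste="return false;">
  <input type='password' name='confirm'>
  <input type="text" name="user" onpaste="return false;">
</form>`;

console.log(auditPasswordFields(SAMPLE_HTML));
```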

British Gas – share with us the information on which you’ve based your decision to consciously invest effort in disabling security.

Hey, maybe the rest of us will learn something! If that’s the case then we can all be happy in having picked up some newfound wisdom. If not, I’ll happily show them exactly how to fix the problem :)

Security Passwords

Hi, I'm Troy Hunt. I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.