British Gas reveals it doesn’t think password managers are good for security

Well, this is bizarre.

British Gas customer Ben Woodward understands the benefits of having a complicated, hard-to-remember password rather than a dumb, easy-to-guess one.

But, unfortunately, he says British Gas’s website is set up in such a way that it prevents him from using his preferred password manager.

British Gas apparently doesn’t let you copy-and-paste your password when you try to log into its site.

Anything which discourages users from adopting password managers or makes them less useful is bad for security as a whole.

We have enough trouble getting people to use stronger, unique passwords without sites like British Gas making safety online even more difficult.

Frankly, it's a bizarre and inexplicable decision. I hope British Gas reconsiders and builds its site to make it easier for customers to use a password manager – which I believe the vast majority of computer security experts would consider to be a more secure approach.

Sadly, I suspect British Gas is far from the only website to have a password manager-unfriendly login. If you know of others, feel free to leave a comment and maybe we can help them see sense.
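If you want to check a login page yourself, the pattern at issue is usually visible in the markup: a password input whose inline onpaste/oncopy/oncut handler cancels the event. The following is an added example written for this page, not code from the post, from British Gas, or from any password manager: a small Node.js script with a constructed "hostile" form beside a password-manager-friendly one, an audit function that flags the problem, and the server-side fix. The function names (auditLoginForm, stripPasteBlocking, handlerBlocks), the sample HTML, and the extra autocomplete="off" check (which goes beyond the paste blocking the post describes) are all my assumptions for illustration.

```javascript
// Added example, not code from the post or from British Gas: a static audit
// for the login-form anti-pattern the post describes (a password field whose
// inline onpaste/oncopy/oncut handlers cancel the event), plus the server-side
// fix. Both HTML samples below are constructed for illustration.

const BLOCKING_EVENTS = ["onpaste", "oncopy", "oncut"];

// Parse the attribute portion of one tag into {name: value} (names lower-cased).
// Simplified on purpose: handles name="v", name='v', name=v and bare names,
// but it is not a full HTML parser and cannot see listeners added from scripts.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Does an inline handler body swallow the event? Catches the two idioms seen
// in the wild: `return false` and `event.preventDefault()`.
function handlerBlocks(body) {
  return /return\s+false|preventDefault\s*\(/i.test(body);
}

// Scan an HTML string and return one finding per password <input> that is
// hostile to password managers. The autocomplete="off" check goes beyond the
// post, which only mentions paste blocking; it is another common way sites
// defeat autofill.
function auditLoginForm(html) {
  const findings = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if ((attrs.type || "text").toLowerCase() !== "password") continue;
    const reasons = [];
    for (const ev of BLOCKING_EVENTS) {
      if (ev in attrs && handlerBlocks(attrs[ev])) {
        reasons.push(`${ev} handler cancels the event`);
      }
    }
    if ((attrs.autocomplete || "").toLowerCase() === "off") {
      reasons.push('autocomplete="off" discourages autofill');
    }
    if (reasons.length > 0) {
      findings.push({ field: attrs.id || attrs.name || "(unnamed)", reasons });
    }
  }
  return findings;
}

// Server-side counterpart of an "undo paste blocking" bookmarklet: drop the
// onpaste/oncopy/oncut attributes from password fields and replace
// autocomplete="off" with the token password managers look for.
function stripPasteBlocking(html) {
  return html.replace(/<input\b([^>]*)>/gi, (tag, body) => {
    const attrs = parseAttributes(body);
    if ((attrs.type || "text").toLowerCase() !== "password") return tag;
    const cleaned = body
      .replace(/\s+(?:onpaste|oncopy|oncut)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "")
      .replace(/\bautocomplete\s*=\s*(?:"off"|'off'|off\b)/i, 'autocomplete="current-password"');
    return `<input${cleaned}>`;
  });
}

// Constructed "before": the hostile pattern (not British Gas's real markup).
const HOSTILE_FORM = `
<form action="/login" method="post">
  <input type="text" name="email">
  <input type="password" id="pw" name="password"
         autocomplete="off" onpaste="return false;" oncopy="return false;">
  <button type="submit">Log in</button>
</form>`;

// Constructed "after": the same form done in a password-manager-friendly way.
const FRIENDLY_FORM = `
<form action="/login" method="post">
  <input type="text" name="email" autocomplete="username">
  <input type="password" id="pw" name="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>`;

console.log("hostile:", JSON.stringify(auditLoginForm(HOSTILE_FORM)));
console.log("friendly:", JSON.stringify(auditLoginForm(FRIENDLY_FORM)));
console.log("cleaned:", JSON.stringify(auditLoginForm(stripPasteBlocking(HOSTILE_FORM))));
```

The caveat a practitioner should keep in mind: this is a static scan of the markup, so it will miss a paste handler attached from a separate script file. That is exactly the case where, as one commenter below notes, the only client-side workaround is disabling JavaScript or running an undo bookmarklet in the live page.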

Update:

This looks encouraging!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

19 comments on “British Gas reveals it doesn’t think password managers are good for security”

  1. Barry Neilsen

    Annoying, and an odd policy statement, but not unique I'd have thought. My online bank site, plus one of my credit cards, asks for random characters from my password. I have to have my password manager open and visible on screen so I can count off the password characters each time I log on. Maybe some password managers can deal with this but the last time I checked the one that I use, KeePass, does not. I haven't thought through whether these restrictions actually strengthen security or weaken it.

    1. Graham Cluley · in reply to Barry Neilsen

      Hi Barry – long time no chat! (Barry was my first ever boss in the anti-virus industry)

      Yes, I've found that an issue too with some sites. They demand I don't enter my full password, but instead ask for the 7th, 12th and 24th character instead. It's almost made me want to have a less complex, less random, shorter password in frustration.

      Almost.

      What I tend to do is make a note for those sites in my password manager, listing each letter of my password in tabulated form so I can easily work out the position of each letter in the sequence.

      For instance, if my password was qtyBU{3Ek,M?dUoFvwf7

      I'd say

      1.. q
      2.. t
      3.. y
      4.. B
      5.. U
      6.. {

      You get the picture…

      1. Phil Nash · in reply to Graham Cluley

        "(Barry was my first ever boss in the anti-virus industry)" – I thought the name sounded familiar. Hi Barry!

        As for keeping passwords in tabulated form (in a password manager – 1Password in my case) that's exactly what I do too!

        It doesn't overcome the visibility angle, but I tend to do it from the app on my phone – even if I'm entering it on a desktop – to make it less immediately visible.

    2. Techno · in reply to Barry Neilsen

      In Keepass you can set the Auto-Type to do individual characters using {PICKCHARS}. For example, for one site that requires 3 characters I set the Auto-Type to:
      {PICKCHARS:Password:C=3}

      I click on the first password field, right-click and select Perform Auto-Type. This causes a window to appear where I pick the 3 characters and it inserts them.

      You may need to play around with it to get it right. For example, a delay can be useful:
      {DELAY=200}{PICKCHARS:Password:C=3}

      I haven't yet tried the scenario where a tab is required between each field. Presumably it would be:
      {PICKCHARS:Password:C=1}{TAB}{PICKCHARS:Password:C=1}{TAB}{PICKCHARS:Password:C=1}

  2. Barry Neilsen

    Yes, I do that too. Glad to find independent confirmation :)

    By the way, I've been following your posts for quite a while now. Great to have such a useful and trustworthy source of info with a pedigree – probably not the right word – that I don't have to verify for myself. Congratulations on the awards, too.

  3. Peter

    Password manager My1Login uses the random character model to get access to the manager itself. I quite like My1Login, have used it for several years and have about 170 accounts stored in it.

  4. P. Anchen

    British Gas Help: "I understand but…"

    Actually, the "but" usually means they DON'T understand. However, their updated reply does indeed look encouraging.

    It will be interesting to follow this story, especially if it turns out that British Gas changes their idiotic policy on password managers. Such responsiveness must surely be a clear and egregious violation of the Laws of Bureaucracy…especially apropos if utility companies are as heavily regulated in the UK as they are here in the U.S., where they're "private" in name only.

    A gas service utility would never get away with that kind of responsiveness here, where all signs of genuine government service are increasingly stomped to death by a state system that's fully committed to bureaucratic incompetence. The recent theft of 21.5 million people's personal information at the U.S. Office of Personnel Management is a case in point.

  5. Techno

    Virgin Mobile has also disabled paste in their password field. It seems that this is becoming the accepted practice.

    In Keepass I get around it by using Auto-Type which inserts the password one character at a time (set the Auto-Type to {PASSWORD} only).

  6. Anonymous

    Password managers are A solution, not THE solution (the latter of which probably doesn't even exist).

  7. Gordon Hay

    The issue with the British Gas site is that, like some others, signing out returns you to the log-in page, so if you have auto-login enabled in LastPass you go straight back into the site, which I suspect is the reason the guy was trying to paste his password in rather than allow auto-login.

    Because it behaves like that I have auto-fill enabled and auto-login disabled for BG to get round that problem, just having to click the log-in button manually.

    The answer for BG is to have a "bye, come back soon" page appear after signing out, like, say, Tesco or Virgin.

  8. Jeremy Clulow

    I just logged in to British Gas with LastPass and all worked quite normally with auto form fill. I use a variety of ad, Flash and script blockers in Firefox, so perhaps that helped me and might help others.

    1. Vagelis · in reply to Jeremy Clulow

      Yes, disabling Javascript does the trick. It is a workaround…

  9. Vagelis

    Ebay has the same policy… Plus (this is not relevant to this subject) Paypal does not provide 2 factor authentication for non US users… It is just infuriating…

    1. Gordon Hay · in reply to Vagelis

      I'm in the UK and I have a form of 2FA enabled on PayPal – after the initial login I have to request a code to be sent by SMS to my phone, enter and submit it for the login to proceed. If I remember correctly you can set it up in your account/profile page.

  10. Kevin Waite

    Hi. I use the PasswordSafe manager and it provides a very useful Display Subset of Password function. This neatly handles the situation where my bank wants the 13th, 23rd and 28th characters of my password: you just type those numbers and get the characters back.

  11. Martin Tomes

    There is a bookmarklet here which will disable the paste blocking.

    http://meyerweb.com/eric/thoughts/2015/07/07/undoing-oncutoncopyonpaste-falsities/

  12. Gordonjcp

    Passwords that are a random jumble of letters and symbols are stupid. Password *managers* are stupid. Don't do stupid stuff.

    I take it you've seen the XKCD cartoon about passwords?

  13. Graham Anderson

    Gordon, the battery horse staple whatever strategy only scales to looking out for a few important passwords that you don't want to commit to a password manager itself.

    I have over 600 logins in my password manager, and there is no way I could use the XKCD method to create unique, strong passwords for all of those sites and remember them. If you can, bravo!

  14. Raphael

    Graham, Google-Login also hardens the use of password managers. I use 1Password and have to click three times (once for the "remember me" deactivation) to login into my google account. It's on purpose for sure. They want you to keep your cookies, keep being logged in so all their web analytics plugins (used by millions of websites) and google internal services can be linked to your account. Knowledge sells and could also be put into good use (prevention of misuse etc.). People clearing their caches, cookies and returning with new sessions are harder to track. As a developer I can make sense of all the reasons behind it, but it's a bad decision overall.
