Lloyds TSB bank rejects man’s “pants” password

Graham Cluley
Graham Cluley
@[email protected]

If you set a password for your bank account you don’t expect your bank to change it without your permission do you? In particular, you don’t expect people at your bank to have looked at your password, disapproved of it for reasons other than security, and then changed it to something of their own choice.

But that is exactly what appears to have happened to Steve Jetley, a customer of Lloyds TSB bank in Shrewsbury, UK. According to the BBC, after a disagreement with Lloyds TSB, Steve changed his telephone banking password to “Lloyds is pants“.

Steve first realised that Lloyds TSB had a problem with his password when a call centre staff member revealed it had been changed to “No it’s not”.

“I thought it was actually quite a funny response,” [Steve Jetley] said. “But what really incensed me was when I was told I could not change it back to ‘Lloyds is pants’ because they said it was not appropriate. I asked if it was ‘pants’ they didn’t like, and would ‘Lloyds is rubbish’ do? But they didn’t think so.”

Sign up to our free newsletter.
Security news, advice, and tips.

“So I tried ‘Barclays is better’ and that didn’t go down too well either. The rules seemed to change, and they told me it had to be one word, so I tried ‘censorship’, but they didn’t like that, and then said it had to be no more than six letters long.”

Mr Jetley said he was still trying to find a suitable password which met the conditions.

Lloyds TSB has apologised to Steve, and said that it is not their policy to alllow staff to change passwords without the customer’s permission.

Asides from the amusement of this story, there are some important issues here. For instance, how come the bank worker is allowed to see the user’s telephone password?

Sure, they need to confirm that the password given by the person on the other end of the telephone is correct – but they could be given a system whereby they type in the password and the computer system confirms whether it is right or not (ideally by comparing an encrypted version of the account’s password to an encrypted version of what the caller suggests is their password).

It certainly seems bizarre that bank workers are able to change passwords without the account owner’s consent – however much they may disagree with the feeling behind the choice of password.

It’s also peculiar that the password “censorship” should be declined as a telephone password because it’s “too long”.

* Image source: stringberd’s Flickr photostream (Creative Commons 2.0)

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.