VIDEO: Good password advice from NatWest? Don’t bank on it

NatWest Bank has a seemingly new section on its website where it has posted a number of videos about computer security.

A noble effort, and one which I’m sure they did with the right intentions – but I’m afraid that their advice around online passwords is flawed.

As I explain in my video response, their advice on how people can remember lots of different passwords for different websites is fundamentally flawed.

Good password advice? Don't bank on it | Graham Cluley

Sign up to our free newsletter.
Security news, advice, and tips.

The problem? They’re telling people to use a formula to create their password. Yes, that does mean that users will end up with different passwords, but it also means that if someone finds out your password in one place and also determines your formula, then they will be able to unlock your accounts anywhere else online too.

Not a great solution, especially when the person trying to crack your accounts might be a former partner who you once shared one of your passwords (and your formula) with.

Instead, use a password manager. Then you will have truly unique, hard-to-crack passwords for all of your online accounts.

If you enjoyed my video, please consider subscribing to my YouTube channel so you don’t miss anymore in future.

Hat-tip: Thanks to IT consultant Paul Moore for first bringing NatWest’s contentious video to my attention, and came up with the great title for the video.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

6 comments on “VIDEO: Good password advice from NatWest? Don’t bank on it”

  1. Neil

    Good advice. But which password manager(s) do you recommend?

    1. Marco Fiori · in reply to Neil

      Was going to ask the same thing. Starting to think it's worth considering one moving forward.

  2. Andrew G

    I'm afraid I have to disagree, I think NatWest's advice is good advice for most people.

    Password managers undoubtedly create strong & truly unique passwords, and we should definitely be promoting their use as much as possible in preference to any other method, however they're not practical for everyone. They're confusing for some non-technical people, and also don't work with Microsoft Edge at the moment which makes them much less convenient (it might be easy for us to use a different browser but many technophobes don't even know what a browser is – they think the big blue "e" icon *is* the internet).

    In terms of hackers discovering their rule, a single letter in their password won't indicate to a hacker that they've used a rule to modify a static password; the password simply won't work on whatever site the hacker is trying it on and they'll just move on to trying the next set of user credentials in their list without a second thought (this obviously doesn't apply to anyone who's being specifically targeted, eg celebrities).

    In terms of a jealous ex-lover scenario, if a user has previously told them their password and rule then they'd no doubt also be happy to share their password manager master password with them if they ever needed to share a password. Ok so that's only one password they'd then need to change if required, but a vindictive ex-lover would probably have misused a password before the victim ever thought to change their master password.

    So the benefits that NatWest's advice would bring if people followed it far outweigh the downsides of a few limited scenarios in my opinion. Personally I don't see any real reason why most people shouldn't follow the advice?

    Happy to hear counter arguments to this though, and alternative suggestions for making passwords unique!

    For those asking too, I can recommend Dashlane as a password manager – it's so simple and easy to use across devices :-)

  3. Hitoshi Anatomi

    We could rely on password managers but we should rely on them very modestly.

    ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account.

  4. JUK

    You can also add T-Mobile / EE What ever they call them selves nowadays, to list, of crimes Against Strong passwords They will not allow any form of punctuation on your main account it's a complete joke out there. were given excellent advice from our Graham about passwords For years And still can't put it into use in some cases is Really Really frustrating given were in 2015.

  5. old_mole

    ….and then there are the UK financial sites who do not recognise a £ symbol – but $ is fine in your password. Weird……

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.