How To Create Secure, Strong Passwords for Online Banking

In today’s digital world, so much of our personal information is just a password and a click away. When you choose a password for online banking, it’s important to pick something that will keep you and your finances safe. We’ve put together the following password guide to help you stay safe online. Take a look and see if your passwords are secure enough.

1. Avoid the obvious

While you may be tempted to use your birthday or phone number or even the word “password,” don’t do it. These choices are all more common than you’d think and don’t lead to secure online banking. Try to come up with something that no one in the world would ever guess.

2. Go For Long, Not Short

Short passwords can be easily memorized by someone looking over your shoulder and are easily cracked using certain types of hacking software. Make yours longer, maybe an entire sentence, if possible. The more characters there are, the harder it will be to figure out.

3. Don’t Write It Down

Writing down your password is never a good idea. You never know when that slip of paper might end up in the wrong hands! Come up with something that’s complex, but that you’re also able to memorize.

4. Mix it up

Use a variety of different characters: upper-case letters, lower-case letters, numbers, even a !, &, or a %. The more variety you can use, the better. You can even get creative. For instance, “sandcastle” can turn into “s&castle.”

5. Change Your Password Often

It’s easy to get lazy and use the same password year after year, but internet security experts suggest changing your password every 30 – 60 days. Think of it as changing locks on your online life once a month. It’s free, easy, and keeps your online bank account as secure as possible, so why not do it?

6. Don’t Use the Same Passwords for All of Your Accounts

In the event that someone figures out one of your passwords, the last thing you want is for them to be able to access all of your personal information. A good rule of thumb is to have one password for less sensitive information (i.e., social networking sites, email, instant messaging) and another for sites that contain your financial information.

7. Verify the Site

Before you enter your username and password to log in to your online bank account, make sure the site is the real one. Fraudsters send links in “phishing” emails to trick users into entering information into fake sites. No matter how smart your banking password is, your online banking security can be compromised if you simply hand it over. The best way to be sure you’re on a real site is to type the URL into the browser window yourself.

Following these simple rules will help you keep your financial information safe and secure.

What other tips (without sharing too much, of course) do you have for making your passwords secure?



  1. 1

    Unfortunately Ally doesn’t allow passwords longer than 16 characters. Passwords locked at a certain length are no more secure than a short password. A smart criminal would not try a password that is not allowed by the system.

    Maybe this could be changed so I can use a longer password?

    • 2

      This is the type of feedback that’s really great, Al. We’ll definitely look into this for you and pass it along to our team over here.

  2. 5

    I would love to see more institutions do what my company does, prompt me to change my password. Sure, that is annoying in some ways, but if it redirects you to change the password every x number of days it makes it easy to remember to do it. If there is too much of a fear of complaints, that could be an opt-in feature.

    • 6

      That’s a really interesting suggestion, Amy. The opt-in feature would make it really interesting since that would be a pretty dramatic change to user experience. We’re passing it along to our team!

  3. 7

    I think that there should be an option available to people so that they can restrict unrecognized computers from accessing their accounts. If a person wants to change their settings (so that they may again gain access from an unrecognized computer) the person could simply change their settings from a computer that is already recognized, or call Ally and ask it to be changed. This would allow for those of us who feel the need for the added security to be able to choose this option, without inconveniencing those who do not feel this is necessary. I hope this idea is helpful.

    • 8

      We currently have something similar, Peter, but that might be something that we can look further into. Keep those suggestions coming. We love hearing feedback and figuring out better ways to help you.

  4. 9

    Please do not implement a requirement to change passwords, as Amy suggested. That policy can backfire and result in some folks writing down passwords they can’t possibly be expected to remember. Gentle reminders to change passwords periodically are more effective.

  5. 11

    I can see what Brian means about it backfiring. The reminder is a great idea. Perhaps a “It’s been x days, click here to change your password” alert would work. I think it would fill the need I have to be reminded while making it less likely that the less security conscious would resort to writing it down.

    • 12

      Wow, Amy and Brian, you guys are great. A consensus reached on a suggestion? We’re pushing this through to our team over here to review.

  6. 13

    Unfortunately the Ally password system sucks. My password is shorter than I like and harder for me to remember because of all the requirements like using a special character. I’d rather have a long password without an upper case letter or special character than a short one with that. It’s actually self defeating in my mind. Because to have a long password with that I couldn’t remember, but if I didn’t have that I could remember a longer password. But that’s just me. IMO requiring at least a 9 character password with no further restrictions is better than requiring say a 6 or 7 character password with requiring a special character, and an upper case letter, and all of this. Plus it makes it easier to remember without those extra requirements so the user is more willing to make it longer and won’t have to write it down.

    The best option though that I am going to start doing is to use a password manager so I have a long complex password that has no meaning. The thing about passwords is they are much easier to remember if they have meaning to the user, the trick is to do that in a way that’s not easy for someone else to figure out, for example just using your pet’s name, yay it has meaning to you but is also too obvious to others.

    • 14

      Thanks for the response, Ryan, and feedback on our password system. We’ve heard some good suggestions on this post so far, and we’re really enjoying all of the responses.

    • 16

      Glad that you enjoyed the link, Lisa! It’s pretty simple to change your password (hopefully to something more secure!). When logging in, just select “Forgot Password,” located beneath the box where you log in. Enter the email address you used to first signup and we’ll email you a link with instructions to update your password within 24 hours. Thanks again for the comment!

  7. 18
    linda dodds

    I put in a couple of wrong letters in the password and it locked me out. I didn’t even get the security questions to reset it. Then I had to make the payment by phone because I make all the payments but my husband’s name is on this particular car so they can’t tell me anything else. There was an extra 15.00 added to it because of it being paid by phone.

  8. 19

    Hello. Is Ally considering a 2 factor authentication system at all? Something like RSA SecurID? This would be my preference. We are seeing more and more consumer websites implementing this type of system (Google, Paypal). Thanks.

    • 21

      Mind giving us a call and one of our customer service reps can walk you through this in much more detail, Sheila! You can give us a call anytime, 24/7, at 1-877-247-2559. Thanks!

  9. 24

    Another vote for two factor authentication, especially with the recent release of the mobile website and mobile apps.

    Thanks for being awesome, Ally.

    • 25

      Thanks for the vote of support, Adam! We’re glad to hear you’re happy with us here at Ally Bank. Let us know if you have any questions. Thanks!

  10. 26
    Brian Armstrong

    2-factor auth would be such a nice feature. Something simple like how Google and Facebook handle it would be fine and would add quite a bit of security.

    • 27

      We appreciate the suggestion, Brian! Passing this along to our team over here. Should it get implemented, we’ll be sure to let our community know.

  11. 28

    Absolutely, banking sites should use 2-factor authentication – I’m inclined to suggest that this should be legislated… Please consider supporting Google authenticator, RSA tokens, SMS loops – any of these would demonstrate Ally’s commitment to online security.

  12. 30

    I was signing up for an account with Ally when I thought to think about two-factor authentication. Unfortunately, I had to stop and go with ING instead. Please let me know if this gets implemented.

    • 31

      We’re sorry to hear that, Kyle. We currently protect our customers with two factor authentication that includes Safekeys challenge questions, in addition to username and password. We take security very seriously over here, and our team is always working to ensure we have the best security possible for our customers. Should you decide to change your mind, we’d love to have you here at Ally Bank! Please let us know if you have any other questions.

      • 32
        Ross Kusler

        I am very much interested in using two-factor authentication. Note that safe phrases are NOT two-factor.. they are just another form of one-factor. In order to support two-factor you must require them to enter something they have (one-time password generator) along with something they know (password and safe-phrases). Please please please implement real two-factor.

  13. 36

    I was considering Ally, but the lack of a true two factor authentication solution is a deal breaker for me. I suspect I’ll go with USAA which is using Verisign’s solution like paypal does.

    • 37

      We’re sorry to hear that, Bob. We currently protect our customers with two-factor authentication that includes Safekeys challenge questions, in addition to username and password. We take security very seriously over here and will pass this feedback along to the right people. Our team is always working to ensure we have the best security possible for our customers. Should you decide to change your mind, we’d love to have you here at Ally Bank! Please let us know if you have any other questions.

  14. 38

    Challenge questions and key images are not two-factor authentication. For real two-factor authentication you need to have a system in which login requires me to provide a time-limited single-use token, tied to a physical device in my possession, in addition to my password. This can be implemented by texting a single-use token to a pre-registered cell phone number, by integrating with a smartphone app like Google Authenticator, or by providing a separate key dongle such as a Yubikey.

    I’m glad you are willing to answer these questions online, but please relay this to your IT department. Along with Bob, I am another potential customer who cannot consider your bank until this flaw is resolved.

    • 39

      Thanks for the suggestion, Tyler. Passing this along to our team over here. We take security very seriously, and our team is always working to ensure we have the best security possible for our customers, including new authentication methods in the future. Should you decide to change your mind, we’d love to have you here at Ally Bank! Please let us know if you have any other questions.

  15. 42

    One more vote for two factor authentication. I find that Google Authentication works really well. Also, on a side note, it would be great in your mobile app to let us zoom in on the image so we can make sure they are clear.

  16. 43

    Safekeys is not two factor authentication. It verifies that we are on the real Ally site. It does not verify who the user is. Two factor authentication is required to log in in ADDITION to a username or password. On Ally if someone broke my username and password they would be in.

    I really hope that Ally would at least give users the option to use a two factor authentication process such as Google Authenticator. This would make the site significantly more secure and make me more comfortable.

  17. 45

    I signed up for Ally without thinking about if they had two factor authentication. Now I know they don’t, I’ll hold off on transferring any money and most likely close the account.

    • 46

      Thanks for your comment, Joel.

      Ally is serious about protecting our customers’ assets. We provide a safe and secure environment to allow you to feel confident in conducting your banking transactions online. Our primary authentication (entering username and password) is supported by a unique configuration of security layers. While some of our security practices are customer-facing, many live behind the scenes, providing a stronger level of protection for your assets than is visible.

      We’re always working to ensure we have the best security for our customers and hope you’ll feel confident that all your transactions are protected through our Online Banking Security Guarantee.

  18. 47

    As of the writing of this post, the posters who say that Ally is currently not using 2-Factor Authentication are correct.

    Two factor authentication REQUIRES that there be TWO separate FACTORS of authentication.

    Username/Password – (Something the user KNOWS)
    1-Time Use Token – (Something the user HAS)

    When the two above factors are combined and correctly authenticated at login time, then 2-Factor authentication is correctly implemented.

    Please do share these comments with your Information Security / Assurance / Technology teams.

    By the way, I noticed when I logged in to my account that there was an announcement that said: “Where’s the SafeKeys phrase?”

    I hope this means Ally is really LISTENING to its feedback from its customers and will implement REAL 2-Factor authentication…

  19. 48

    Please implement TRUE 2-factor authentication — that is, deploy a token or app that generates a one-time use code or some system to send one-time use codes out-of-band (e.g., by text or call) — which is essential for security, especially when targeted keyloggers and trojans are increasingly common. “SafeKeys” is NOT 2-factor authentication.

  20. 51

    Another vote for two-factor. After becoming a substantial client of Ally I hope to see this soon. You seem to be serious about being the best bank out there, and this is kind of a deal breaker these days.

  21. 52

    Another vote – no insistence – for two-factor. I study security breaches for a living and the single biggest contributor for system intrusions is weak and stolen passwords. You tell users to make strong passwords, but that ignores the fact that long/complex passwords can be stolen (via malicious software that is extremely common) and reused to access accounts just as easily as short/simple ones. In my professional opinion, an organization that is serious about security doesn’t rely on passwords alone for applications like bank accounts. I like Ally’s customer service and savings rate, but I’m most likely going to switch due to this issue. It’s almost 2014, two-factor is easy, very effective, and a no brainer.

    • 53

      Thanks for reaching out, Wade. Your security is our top priority. In fact, we do employ multi-factor (or two-factor) authentication. Earlier this year, you were required to setup new security features during login. These security features provide the additional layer of security you are asking about.

      Since you mentioned crimeware, we’d also like to let you know that as an Ally Bank customer you are eligible to download Webroot® SecureAnywhere free of charge. This anti-virus, anti-malware software removes and protects computers from malicious software. While logged in to your account, please go to the Security Center for information on how to download. Thank you for being a customer!

      To verify your Security Code Delivery features are still setup correctly, please log into your online Ally Bank account, go to the MyProfile section and select Security Code Delivery features. Here, you will be able to edit your current settings. If you have any questions, please feel free to reach out to our Ally Care team – we’re here 24/7 – by phone 1-877-257-ALLY (2559) or by chat.

  22. 54

    Two-factor authentication — and I mean *real* two-factor authentication, *not* security questions or security images — is a must in today’s security environment. As an Ally customer, I am disappointed that it seems that my bank account is less protected than, for example, my social media or online gaming accounts. I encourage Ally to take security to the next level and support real two-factor authentication.

    • 55

      Thanks for sharing your feedback, Brian. Your security is our top priority. In fact, we do employ multi-factor (or two-factor) authentication. Earlier this year, you were required to setup new security features during login. These security features provide the additional layer of security you are asking about. To verify your Security Code Delivery features are still setup correctly, please log into your online Ally Bank account, go to the MyProfile section and select Security Code Delivery features. Here, you will be able to edit your current settings. If you have any questions, please feel free to reach out to our Ally Care team – we’re here 24/7 – by phone 1-877-257-ALLY (2559) or by chat.

  23. 56

    I guess I’m confused about what this “security code delivery” is intended to be used for.

    The way it should work is that whenever there is a log in attempt to my account from a computer that Ally does not recognize, it will send me an authentication code via text to my cell phone.

    I have logged onto Ally using various computers, as well as logging on after clearing my cookies on the computer I’m using now. Not once have I been prompted to enter a security code before being allowed to log in.

    I have two factor authentication set up with my Google account and it does what it should every time, even if all I do is clear the cookies on my home computer.

    Please explain how Ally’s security code is supposed to work?


    • 57

      John, thanks for your question. We take online security seriously, which is why we provide strong protection through multi-factor authentication at login. As you’ve noticed, our system’s decision to challenge authentication is not determined solely by the fact that you’re using a registered device. Instead, we look at a number of factors to determine if a log in reflects your normal patterns. This reduces the number of times legitimate customers get “challenged,” while focusing on additional verifications for log ins that appear abnormal. For more information, please visit our Security Center to see the many methods we use to protect you and to read our Online and Mobile Security Guarantee. Thank you for being a customer.

  24. 58
    Ally Questioner


    Why don’t you offer true two-factor authentication? It’s clear from this page that many of your users (and potential users) want it.

    • 59

      We do use true two-factor authentication for our users because our customers’ security is our top priority. In fact, we have two different multi-factor authentication solutions that are used at login. In order to provide you with the best online experience, two-factor verification is not obvious for most logins. If, however, we decide that we need additional validation, we will request you to enter a security code that you receive through text or email. Two-factor authentication is comprised of something you know (security code/password) and something you have (mobile device or email account).

      All of our customers were required to set up these security features over the past year. If you’re not currently an Ally Bank customer, we’d love to answer any questions you may have! You can also read more about how we protect our customers on our Security Center page here: If you’d like to speak to someone from our Ally Care team, give us a call at 1-877-257-ALLY (2559) – we’re here 24/7. You can also chat with us online.

      • 60

        Dear Ally, what we are asking for here is 2-factor authentication EVERY TIME WE LOGIN, not just the first time a new browser is detected. You guys are way behind the other banks on this.

  25. 61

    Could you give examples of when the use of a security code would be required? For example, if I attempted to login from my neighbor’s computer, would it trigger the need for a code, or would the system assume it was me since it was the same geographical location? Does a login attempt from another city or state automatically require code verification?

    • 62

      John, we appreciate your question. We take the security of our customers very seriously. For this reason, we do not share specific details about how we protect our customers at login. If you’re interested in learning more about how we protect the security of our customers online, head over to our Security Center on Thank you for being an Ally Bank customer!

  26. 63

    I’ve read the information, but it does nothing to clear up when and how the security codes are used.

    As others have pointed out, it’s not two factor authentication unless you are prompted to enter a code when a login attempt is made from an unrecognized device. I understand that Ally might have a different definition, but it’s a definition not generally accepted by most people.

    I would ask that Ally update their security practices to require a validation code for any and all login attempts made from an unrecognized device. Only then can Ally claim to be doing everything they can to protect our accounts.


  27. 64

    I agree, I would feel much more comfortable with a TRUE two-factor authentication system. I use Google Authenticator for any site I use that supports it, and would love to see Ally embrace this form of security.

  28. 65

    Please offer us the option to have token and password based two factor authentication required for every login. I understand you want to reduce login frustration for some customers so you have defaulted to an algorithm that triggers a two factor authentication for login attempts that raise a red flag. Many of your customers take security more seriously than worrying about the hassle of additional steps.

  29. 66

    Another vote for two-factor authentication that uses a security code sent by text message and/or something like google authenticator.

  30. 67
    David S.

    I would LOVE two-factor authentication at Ally, is there a possible chance we could get that enabled? I use Google’s authenticator app on my Android phone for the 6 digit code, would love Ally to take advantage of that too :)

  31. 69

    I am a loyal Ally Bank customer and a security software engineer with experience in secure network products. Please let the tech team know that the Ally’s current authentication is out-of-date. It is critical to update to the “true” two-factor authentication with username/password plus mobile-phone (or home-phone) for every log-in. Thank you.

  32. 71

    In light of today’s events, has any progress been made on TRUE two factor login authentication, as opposed to a magical black curtain of “security taken very seriously” and applied at certain unstated times? I may just be overlooking the option, but at this point, this seems like a pretty basic option for a financial institution to provide. Security questions don’t really cut it anymore. Thanks for listening.

  33. 74

    My goal is to have true 2 factor authentication for all my financial sites I use by the end of 2015. I will not be doing business with any financial sites that do not have it. It’s up to Ally if they want to keep my business. Thanks

  34. 75

    +1 for 2-factor authentication! Also, please remove the use of insecurity questions as account backdoors when 2-factor auth is enabled — as Apple does. Then we can have a single page for login again and stop wasting time logging in via two separate pages (what a waste of time!). Thanks for your consideration in the matter.

  35. 76

    I’m also interested in the same thing. I have an account with Capital One, formerly ING. The main reason I’d like to leave is to get with a bank that’s far more forward thinking when it comes to technology. Assuming that many banks are about the same — they hold my money and they’re FDIC insured — the main differentiator for me is the technology that I can use with the bank. How good are the apps, how good is the website, and — you guessed it — do they offer two-factor authentication.

    I’m amused that all Ally does is parrot back the line “We take the security of our customers very seriously.” Yeah, thanks but the proof is the pudding.

    I want two-factor authentication and I want it to work with an app like Google Authenticator. (There are competing apps. The point is that it uses the time-based authentication keys.)

    This is important to me because I travel internationally sometimes, where I have to use computers that I don’t always trust. If one were to get a hold of my password (through a keylogger or other nefarious software), I’d be in trouble. On top of that, I DO NOT have access to my phone account when traveling internationally and thus cannot get text messages. However, I DO have my phone with me, so using the authenticator app would be very easy for me to use two-factor.

    Google’s email accounts do this so well, and so effortlessly, I strongly encourage Ally to take a look at them, understand how they work, and make the Ally accounts work the same way.

    I’m not very impressed by the response that I see from Ally in this thread. They’ve had long enough to implement 2-factor authentication.

    The first bank I can find that does gets my account. I had hoped it would be Ally Bank as I had heard good things. Maybe not.

  36. 77

    Hey, I want 2-factor also! Every time I do the highly insecure “your first pet’s name” stuff, a little part of me dies. Where I work, they just use the TOTP standard, so you can use any number of apps or whatever for it. The new FIDO U2F standard looks even better, as it is phishing resistant.

