Password for Online Banking
UK online banking password rules vary by institution, but the NCSC recommends a minimum of 12 characters drawing from upper, lower, numbers and symbols. The practical recommendation in 2026 is a 20-character random string from all four classes — that is roughly 131 bits of entropy and beyond the reach of any offline brute-force attack. Generate one below — it is created inside your browser using the Web Crypto API and is never sent to a server. Critically, every UK bank now mandates Strong Customer Authentication (SCA) under the Payment Services Regulations 2017, so the password works alongside a second factor (usually an in-app prompt, biometric or hardware key). Never reuse the password anywhere else, and never share the SCA confirmation code with anyone — even with someone who calls claiming to be your bank's fraud team.
Online Banking password rules
Financial accounts are high-value targets. Use a unique password here and enable every available security layer (2FA, login alerts, etc.).
UK Finance's 2024 annual fraud report (covering 2023 data) recorded £459 million in losses to authorised push payment (APP) fraud and a further £708 million to unauthorised transactions — together one of the largest categories of consumer-facing financial crime in the UK. Most unauthorised losses begin with a compromised credential. The maths on a typical bank-imposed minimum: a 12-character password with full character variety gives roughly 79 bits of entropy, just below the NIST SP 800-63B threshold of 80 bits for high-value accounts. Bumping that to 20 characters reaches around 131 bits — sufficient for a credential that protects life savings, mortgage administration, and (for many households) direct debits for almost every household bill.
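The in-browser generation step and the entropy figures described above, as an added example (not this site's own generator code): it draws a 20-character password from the 94 printable ASCII characters with `crypto.getRandomValues` and computes the bit strength quoted for 12 and 20 characters. The exact symbol set and all function names are assumptions made for the example.

```javascript
// Added example: browser-side password generation with the Web Crypto API.
// In a browser globalThis.crypto is the Web Crypto API; the fallback covers older Node.js.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// The four character classes (assumed symbol set: all 32 ASCII punctuation marks).
const CLASSES = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digit: "0123456789",
  symbol: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
const ALPHABET = Object.values(CLASSES).join(""); // 94 characters

// Uniform integer in [0, n) for n <= 256. Bytes at or above the largest
// multiple of n are discarded, so `byte % n` carries no modulo bias.
function uniformIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// True when the string contains at least one character from every class.
function hasAllClasses(pw) {
  return Object.values(CLASSES).every((cls) => [...pw].some((ch) => cls.includes(ch)));
}

// Draw every character independently from the full alphabet, then redraw the
// whole string if a class is missing. Redrawing (rather than patching one
// position) keeps all compliant passwords equally likely.
function generatePassword(length = 20) {
  if (length < 4) throw new RangeError("length must be at least 4");
  let pw;
  do {
    pw = Array.from({ length }, () => ALPHABET[uniformIndex(ALPHABET.length)]).join("");
  } while (!hasAllClasses(pw));
  return pw;
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize = ALPHABET.length) {
  return length * Math.log2(alphabetSize);
}
```

`Math.random()` is not a substitute for `getRandomValues` here, because it is not a cryptographically secure generator.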
Why Online Banking accounts are targeted
Online banking accounts are uniquely valuable because compromise turns directly into liquid cash, and unlike most consumer services, the attacker can extract value within minutes via push-payment instructions. UK banks are protected by Strong Customer Authentication mandated by the Payment Services Regulations 2017, so the dominant attack is no longer pure credential theft — it is social engineering. Authorised push payment fraud, where the customer is tricked into authorising the transfer themselves, accounted for £459 million of UK losses in 2023. A strong unique password closes the credential-theft route; staying suspicious of any unexpected call, text or in-app message that asks you to move money closes the social-engineering route.
Source for Online Banking's password rules: Online Banking's official help page.
Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.
Last reviewed: . Reviewed quarterly; primary sources re-checked each review.