PassLab

Password for Online Banking

UK online banking password rules vary by institution, but the NCSC recommends a minimum of 12 characters drawing from upper, lower, numbers and symbols. The practical recommendation in 2026 is a 20-character random string from all four classes — that is roughly 131 bits of entropy and beyond the reach of any offline brute-force attack. Generate one below — it is created inside your browser using the Web Crypto API and is never sent to a server. Critically, every UK bank now mandates Strong Customer Authentication (SCA) under the Payment Services Regulations 2017, so the password works alongside a second factor (usually an in-app prompt, biometric or hardware key). Never reuse the password anywhere else, and never share the SCA confirmation code with anyone — even with someone who calls claiming to be your bank's fraud team.

Generator

Minimum length: 12. Time to crack is estimated at 10 billion guesses / second.
Generated with crypto.getRandomValues() — never leaves your tab.

Online Banking password rules

Min length: 12 chars
Recommended: 20+ chars

Security note

Financial accounts are high-value targets. Use a unique password here and enable every available security layer (2FA, login alerts, etc.).

The maths, specific to Online Banking

UK Finance's 2024 annual fraud report (covering 2023 data) recorded £459 million in losses to authorised push payment (APP) fraud and a further £708 million to unauthorised transactions — together one of the largest categories of consumer-facing financial crime in the UK. Most unauthorised losses begin with a compromised credential. The maths on a typical bank-imposed minimum: a 12-character password with full character variety gives roughly 79 bits of entropy, just below the NIST SP 800-63B threshold of 80 bits for high-value accounts. Bumping that to 20 characters reaches around 131 bits — sufficient for a credential that protects life savings, mortgage administration, and (for many households) direct debits for almost every household bill.
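
The entropy figures above, and the in-browser generation described at the top of the page, can be reproduced with the script below. It is an added example, not PassLab's own code: the 94-character printable-ASCII alphabet, the function names and the half-keyspace average in the crack-time estimate are assumptions, while the 10 billion guesses / second rate is the one the page's generator quotes.

```javascript
// Added example. Assumed alphabet: the 94 printable ASCII characters
// (26 upper + 26 lower + 10 digits + 32 symbols); the page does not list its own.
const CLASSES = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digit: "0123456789",
  symbol: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
const ALPHABET = Object.values(CLASSES).join("");

// In a browser, globalThis.crypto is the Web Crypto API. The fallback only
// exists so the same file also runs under older Node.js releases.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Unbiased index in [0, n): discard bytes that would introduce modulo bias.
function randomIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Draw every character uniformly, then reject whole candidates that miss a
// class. Accepted passwords stay equally likely (no fixed "symbol slot"),
// at a cost of well under one bit of entropy at these lengths.
function generatePassword(length = 20) {
  if (length < 12) throw new RangeError("minimum length is 12");
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += ALPHABET[randomIndex(ALPHABET.length)];
    const hasAll = Object.values(CLASSES)
      .every((set) => [...pw].some((c) => set.includes(c)));
    if (hasAll) return pw;
  }
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize = ALPHABET.length) {
  return length * Math.log2(alphabetSize);
}

// Average offline search time in years (assumes half the keyspace is tried).
function yearsToCrack(bits, guessesPerSecond = 1e10) {
  return 2 ** (bits - 1) / guessesPerSecond / (365.25 * 24 * 3600);
}
```

`Math.round(entropyBits(12))` and `Math.round(entropyBits(20))` give the 79 and 131 bits quoted above.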

Why Online Banking accounts are targeted

Online banking accounts are uniquely valuable because compromise turns directly into liquid cash, and unlike most consumer services, the attacker can extract value within minutes via push-payment instructions. UK banks are protected by Strong Customer Authentication mandated by the Payment Services Regulations 2017, so the dominant attack is no longer pure credential theft — it is social engineering. Authorised push payment fraud, where the customer is tricked into authorising the transfer themselves, accounted for £459 million of UK losses in 2023. A strong unique password closes the credential-theft route; staying suspicious of any unexpected call, text or in-app message that asks you to move money closes the social-engineering route.

Source for Online Banking's password rules: Online Banking's official help page.

Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.

Last reviewed: . Reviewed quarterly; primary sources re-checked each review.