Can users make use of a password manager when banks tell them never to write passwords down?

I am not a lawyer, but a properly constructed password manager stores passwords approximately as securely as any modern banking system.

I can't speak to the legality of using a password manager, but I can say that on a philosophical level, anywhere a personally provided password is acceptable as identification, a (properly constructed) password manager password is acceptable.

(Edit: Adding a password to a properly constructed password manager is not equivalent to simply writing them down.)


I'm a lawyer in Germany. Here the special conditions between customer and bank are part of the contract. So we are talking about a clause in these special conditions prohibiting the use of a password manager.

I went to the site of my bank, drew the conditions, and really, it says the customer is not allowed to store the password on his PC.

So this clause forbids storing my pw on the PC. The question is, do I really store the password inside the password manager, or do I "store" something like 23%%4l5ksa0ß90ßv9w6&!? And is this a legal clause?

I appreciate your question!


Edit: How to solve the problem? As pai28 asks. I'm not even sure that the people who wrote those conditions are aware of the progress we, the users, have made during the last years. We use pw-managers because an online existence is impossible without them.

So the clause should be altered: The customer is not allowed to store the password unencrypted on any IT-device. Or something like this.

I'll write to the association of my bank and ask. If I ever get a serious answer (not blabla, "dear customer, we very much appreciate, but mucho complicado..."), I'll report on the outcome.


Finally! Storing passwords encrypted will be ok (2019!)

In June 2019 I got new terms & conditions from my bank, and one of the clauses says that the customer of the bank (= me) is not allowed to store the authentication secrets unsecured on my computer. So storing passwords, transaction numbers, whatever, using a password manager or encryption is finally ok!

The bank (a »Volksbank« in Germany) has a record of caring about the customer's side of encryption. They even offered gpg-encrypted e-mails, which I really appreciated. It is a local bank and I won't swap them for an internet-based bank.


I have never heard of this so I can't say for sure, but I would guess that the original premise is flawed: I don't think any bank would have a policy stating they will not insure your account against fraud if you store your password somewhere outside of your own head. Enforcing that rule would require passwords to be easy to remember, and consequently easy to guess. The most secure passwords are long random character strings, which most humans would have to write down or store somewhere. The bank may "advise" you not to write down your password on a piece of paper where others can see it, but asking you not to record it anywhere would reduce security, not enhance it. Of course, I'd have to read the particular bank's conditions to know for sure.

Furthermore, it seems pointless for a bank to have a rule like this because you could always lie and say you didn't store it anywhere. It would be a nearly unenforceable rule.

Edit: despite what I think, here's a bank that has the rule you are referring to, although it is somewhat vague: http://www.amp.com.au/accountacessandoperatingconditions (see page 7). The short of it is: "Memory Aids" are allowed, but you must take "reasonable" measures to ensure they are not compromised. I would interpret that to mean an encrypted password manager is more than adequate.