CH Pat

Why can't USAA allow passwords greater than 12 characters?


Because they can.

Here is why.


I too asked USAA this question since it seemed in conflict with the Financial News and Advice email they sent out to members on 23-Sep-15.

The Protect Your Data section takes one to :   (Jan. 21, 2015), where in Victor Diaz, USAA's executive director of information security services, wrote:

 ‘Get it out past 12 to 15 characters, including spaces," Diaz says. "You could use a line from your favorite poem or lyrics from a song you know you'll remember."’


USAA’s response was pretty much a formula response including:


"We do not allow more than 12 characters because we feel that this would cause a large increase in forgotten passwords among our membership. We have provided the password requirements below:

Password must be between 8 and 12 characters

Contains at least one number

Contains at least one lowercase letter

Contains at least one uppercase letter"


Seems that USAA might be due for a mass hack. The Hackers know that all our passwords are between 8 and 12 characters, and contain at least one number, one lowercase letter, and one uppercase letter. Piece of cake.

Thank you all for your comments.


If you are worried about the security of your password, please consider setting up some of our more advanced log on options.


I prefer the A CyberCode token that generates a unique security code every 30 seconds. With this token, you log on with a new password (Opens pop-up layer) — made up of your PIN plus security code — every time.


Thanks again for posting!

I would like to take a moment to point out the recent banking attacks have been able to bypass second factor authentication.  I am left feeling uncomfortable with a measley 12 character limit.  I am certain that there is a lot of security mechanisms in place that I can not see, but as my credentials are one of the most visible to me as a user I would feel more comfortable with some additional length.

SecurityProfessional, we totally understand your concerns, which is why we offer the cybercode token as mentioned above. We strongly recommend to use this, as this keeps your information secure. With this token, you log on with a new password (Opens pop-up layer) — made up of your PIN plus security code — every time. We also have advanced log on options.   Thanks for posting your concerns, we want to make sure you feel safe. ~Jen




I'd love to let you know that a 12 charachter password is absolutely unacceptable in today's modern computing landscape.  I would encourage USAA to review the latest guidence from NIST for memorized secrets. I use a password manager capable of storing passwords hundreds of charachters long, but am restricted by your weak password policy.


Please protect me and all of my financial assets by improving this NOW.

WantsLongPassword,  Thank you for providing additional feedback. I can understand the frustration with the passwords.  Your online security is of high importance to us. However, I sincerely appreciate your feedback. I have taken the information you provided and submitted it to our research & development teams.

I was just reseting my password today and was gobsmacked to see the 12 character limit. Why even bother with the 8 character minimum? Presumably you have a rate limit on logins, which means a 4 character password is enough for an online attack.


What USAA is leaving it's members (us) vulnerable to is the event where USAA's authentication database get's hacked. If someone get's your database, knowing that there's only password between 8 and 12 characters, cracking all the hashes will be trivial, and thus, bad guy has my password. 


I teach an intro to cybersecurity unit for non-computer science majors. We are telling people to use password managers and longer passwords. It's sad that USAA can't take this seriously. 


I appreciate all the other secuity measures USAA makes available. But you must also think that in the event of breach, the security questions, pins, and user names are likely compromised as well. The only thing that's protected is the password, by hashing. By putting this limit in, you negate that. You likely even negate the benefit of the cookie you store in the users browser showing previous log in (depending on how you're doing it).


I also laugh that your next step is to suggest we move to SMS 2-factor, something that has been shown many times recently is completely by-passable, and NIST now no longer recommends.


When USAA is breached someday (if the news has shown us anything, it's not a matter of if but when), you are going to have a massive headache on your hands, and it's not going to be fun for your users either.

0xdf - We regret that you feel this way, but we appreciate your feedback. Security is a top priority for us. Your comments have been shared and will help us improve future service. Thanks, Jason