JPMorgan Chase is big on security. If you try and access your online account from another computer you first get an email verifying the request. But for those who have ever selected the “remember my user ID” check box (shown below) there is a huge security threat.
Once this has been selected entering the wrong password takes you to an inner page where password confirmation is performed. Here are the 2 steps.
Entering wrong password:
Notice in the image above I entered a 4-digit password (which is incorrect).
For some reason the inner page automatically populates the password with the ‘correct’ password. Shown below is the 8-digit correct password:
All you (or anyone else trying to hack your account) need to do now is press ‘Log on’.
The truth is that I don’t know why the confirmation page auto-populates the password. And I don’t know how to turn it off, short of clearing the cache, which will remove all stored forms from all websites (I do not want this).
I bring this up because if a regulation/security-intensive organization like Chase can make this error, it is only fair to assume many, many retailers must be making the same usability mistakes.