In 2014 the Globe and Mail wrote an article called "Why Canada’s banks have weaker passwords than Twitter or Google". In 2018 I also wrote about this. I opened a support ticket for my bank complaining about this, their response was that "your password plus personal verification question is 2-factor". E.g. you have 2 passwords, shut up and like it.

Its 2019. I have multi-factor authentication on nearly everything. Except the thing criminals care most about: money. I can prevent the crooks from posting as me on Reddit, from accepting a Pull Request on GitHub. But my finances? Forget about it.

The web is littered with people asking, and complaining, and getting nowhere. The banks obfuscate and dissemble when asked, pointing to other "security" initiatives like the questions. In some cases they SMS you for a transfer. But this is after you are logged in. (and its SMS).

What we want is TOTP. It works with Google Authenticator, Microsoft Authenticator, other apps. Its strong. Its simple. Its ubiqitous (except in the banking sector for clients). (Even better if was a U2F like Yubikey, but, well, I dream!).

Why am I ranting about this today? Well let me tell you. I bank with Royal Bank of Canada (RBC). In order to transfer more than 5K on my business account I need a SecureID fob. OK, its not TOTP, but better than nothing, it works, its secure. To make it as hard as possible for people to do this they charge you $50 for it. OK, fine, I paid. Then they can only ship it to your branch. OK, fine, I'll go the branch. Monday I get the note. I go, they have no idea. I'm in a hurry, I finish doing the transaction that I wanted the SecureID for anyway (manually, paper, cheque, you know, like your great-grandparents did). I come back today to pick up the SecureID fob that *they emailed me was ready*. Nobody knows what it is, where it is. After 1/2 hour of hunting, I'm asked again, "is this a set of cheques?" "is this a passbook?" Finally I point to their own personal keychain, they have one. "Its that thing". Oh, that is just for us, not for customers.

Its clear that if no one in a branch has heard of it, that the level of cybersecurity awareness is not very high. On day 1 I train all my staff about the merits of 2FA (or MFA). On their GitHub, their twitter, their Gmail, etc. Why can I afford to do this as a small business and RBC cannot?

After nearly 1 hour I'm asked to come back another time when a different set of staff are in. I bike home in the fridgid rain and write this missive to you.

So here's my suggestion. Let's do something about this. Are you a reporter? Great, do a story, I'll talk with you. Are you a customer of a bank? Ask your teller, your branch manager, on the online support, wherever. We demand better. Yes I know you have a lot of complex IT systems. Yes I know its tough to explain how this works to consumers. You know what else is expensive? Losing my money. I know you've each and all been hacked. I know you treated this like some sort of actuarial problem cost/benefit. Ford did that with the Pinto, and people died. Put down your calculator, pick up your keyboard, Google "TOTP" and "OpenID Connect" and maybe U2F. I would prefer to login in with OIDC from my Google account: I believe it is much more secure than you and your AS/400 backend with a sticky note on the console saying the admin password is "i manage".

Get on that list or get out.

Head on over to This will give u a quick overview of which of your passwords are:

  • compromposed
  • reused
  • weak

It runs the check in your browser (in JavaScript) so you are not exposing anything more.

Its a cheap simple test (for those who use chrome). Give it a go.

Do you think the bank has discovered mystery event marketing? Or that buggy javascript strikes again?

Is this a clever marketing campaign? or buggy javascript?

View Results

Loading ... Loading ...

Prepping for the new office. I got a heavy bike, why not put some cargo on? On the back you can see a UPS (standard lead+acid battery style) and some mounting brackets, in the back is the 6-port mini-pc that will be the router + the tablet to configure it. Adds about 35kg to the back of the bike.

Gotta say, stability not improved by that much weight over and behind the rear axel. Braking was also not the speediest.

Jury is still out on whether plugging the charger in to the UPS and then into the bike battery would improve range. I'll leave you to try 🙂


Situation: many stackoverflow posts etc wringing hands about missing ability to number paragraphs.

Solution: write it.

You're welcome.

Now you can write a Patent, using Google Docs, collaborate with your team (including your Patent Attorney), and add the paragraph numbering when needed.