If you bank with HSBC India — or simply care about how the organisations you trust handle your credentials — you might want to sit down for this one. From 6 April 2026, HSBC India is requiring all internet banking customers to enter their passwords using uppercase letters only. That means a password like MyBank@99 must now be typed as MYBANK@99. No new password. No reset. Just… type it in capitals.
On the surface, this might sound like a minor inconvenience. In reality, it is a glaring red flag that raises serious questions about how one of the world's largest banks stores and handles customer passwords. And if a global institution like HSBC can get this wrong, it should serve as a wake-up call for every small business owner in the UK.
What Exactly Has HSBC India Done?
HSBC India sent an email to its internet banking customers explaining that, as part of a platform upgrade, passwords will now be case-insensitive — and customers must type their existing passwords entirely in uppercase. This was not a request to create a new password. It was an instruction to type the same password differently.
To anyone with even a passing understanding of how passwords should be stored, this is deeply troubling. If a bank has properly secured your password, it should have no idea what your password actually is — let alone be able to convert it from mixed case to uppercase behind the scenes.
Why This Is a Problem — In Plain English
When you create a password on any properly secured website, the system does not store your actual password. Instead, it runs your password through a one-way mathematical process called hashing. The result is a scrambled string of characters that cannot be reversed. When you log in, the system hashes what you type and checks it against the stored hash. If they match, you are in.
Here is the critical point: the hash of MyBank@99 and the hash of MYBANK@99 are completely different. They are not related. You cannot convert one into the other. So if HSBC can simply tell customers to type their password in uppercase and still have it work, it means one of two things — and neither is good:
- Passwords are stored in plain text or in a reversible (decryptable) format. This means someone with access to HSBC's database could potentially read every customer's password. This is considered one of the most serious failures in digital security.
- Passwords were already being stored in a case-insensitive way. The system was converting passwords to a single case before hashing — meaning mixed-case passwords never offered the protection customers thought they had.
Either way, the implication is the same: HSBC India's password storage practices fall well short of modern security standards.
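The two scenarios above can be made concrete in code. This is an added example, not code from the article or from HSBC: it stores the article's example password with salted scrypt (one of the algorithms the article recommends) under a proper case-sensitive scheme and under a case-folded scheme, then shows which inputs each scheme accepts. The scrypt cost parameters are assumed values for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for production.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _derive(password: str, salt: bytes, case_insensitive: bool) -> bytes:
    # The case-insensitive branch folds the password to uppercase before
    # hashing: this is the weak scheme described in the article's second scenario.
    if case_insensitive:
        password = password.upper()
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def store_password(password: str, case_insensitive: bool = False) -> tuple[bytes, bytes]:
    """Return (salt, digest) to keep in the user record; the password itself is discarded."""
    salt = os.urandom(16)
    return salt, _derive(password, salt, case_insensitive)


def verify_password(password: str, salt: bytes, digest: bytes,
                    case_insensitive: bool = False) -> bool:
    """Re-derive from what the user typed and compare in constant time."""
    return hmac.compare_digest(_derive(password, salt, case_insensitive), digest)


def compare_schemes(password: str = "MyBank@99") -> dict:
    """Show how the two schemes treat the article's example password and its uppercase form."""
    upper = password.upper()
    salt_ok, digest_ok = store_password(password)                         # proper, case-sensitive
    salt_ci, digest_ci = store_password(password, case_insensitive=True)  # folded before hashing
    return {
        # Proper scheme: only the exact password verifies. The stored digest reveals nothing
        # about the uppercase variant, so a migration to it needs the plaintext at some point.
        "proper_exact": verify_password(password, salt_ok, digest_ok),
        "proper_upper": verify_password(upper, salt_ok, digest_ok),
        # Case-folded scheme: every case variant verifies, so mixed case never added strength.
        "folded_exact": verify_password(password, salt_ci, digest_ci, case_insensitive=True),
        "folded_upper": verify_password(upper, salt_ci, digest_ci, case_insensitive=True),
        "folded_lower": verify_password(password.lower(), salt_ci, digest_ci, case_insensitive=True),
        # Same salt, different case: the digests are unrelated, as the article states.
        "same_salt_case_differs": _derive(password, salt_ok, False) != _derive(upper, salt_ok, False),
    }


if __name__ == "__main__":
    for name, result in compare_schemes().items():
        print(f"{name:24} {result}")
```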
Fewer Characters Means Weaker Passwords
Beyond the storage concerns, forcing uppercase-only passwords directly weakens the strength of every customer's credentials. Password strength depends on something called entropy — essentially, how many possible combinations an attacker would need to try to guess your password.
When you use a mix of uppercase and lowercase letters along with numbers and symbols, an attacker faces a pool of 94 possible characters per position. Remove lowercase letters from the equation, and that drops to 68. For an eight-character password, this reduces the total number of possible combinations by a factor of roughly 77. That is not a trivial difference — it hands attackers a significant head start.
To put it bluntly: HSBC India has made every customer's password easier to crack.
What the Experts Say
The US National Institute of Standards and Technology (NIST), widely regarded as the gold standard for password guidance, updated its Special Publication 800-63B in 2024. The key recommendations include allowing all ASCII and Unicode characters in passwords, emphasising password length over complexity, and screening credentials against known breach databases. At no point does NIST suggest restricting the character set available to users. Quite the opposite — they recommend making it as broad as possible.
Similarly, the Open Web Application Security Project (OWASP) mandates that passwords be hashed using modern algorithms such as bcrypt, scrypt, or Argon2. These algorithms are case-sensitive, one-way, and deliberately slow to resist brute-force attacks. No legitimate upgrade to such a system would require users to simply retype their password differently.
If your bank can convert your password to uppercase without you resetting it, your bank does not store your password securely. Full stop.
What This Means for Your Small Business
You might be thinking: "I'm not a bank — why should I care?" The answer is simple. If you run any kind of online service — a customer portal, an e-commerce shop, a booking system, or even a staff intranet — you are handling passwords. And your customers and employees are trusting you to do it properly.
Here is what every UK small business should take away from this incident:
- Never store passwords in plain text. Use a modern hashing algorithm like bcrypt or Argon2. If your developer or web platform cannot confirm this, ask serious questions.
- Never restrict the character set. Allow uppercase, lowercase, numbers, symbols, and spaces. The more characters your users can choose from, the stronger their passwords will be.
- Stop enforcing arbitrary complexity rules. NIST now advises against mandating specific character types. Instead, encourage longer passwords and check them against lists of known compromised credentials.
- Implement multi-factor authentication (MFA). A password alone is not enough. MFA adds a second layer of protection that stops the vast majority of automated attacks.
- Use a password manager. Encourage your team to use password managers that generate and store unique, random passwords for every account.
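The character-set and complexity bullets above translate into a short acceptance policy. This is an added example, not the article's or any vendor's code: it accepts any printable Unicode including spaces, imposes no composition rule, enforces only length bounds, and screens candidates against a compromised-password list. The length thresholds and the blocklist contents are assumed for illustration; in practice the list would be a real breach corpus.

```python
import unicodedata

# Thresholds assumed for this example, following the NIST guidance the article cites:
# accept long passwords, require a sensible minimum, and impose no composition rules.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a compromised-credential list (in practice a breach corpus
# or a k-anonymity range lookup); kept lowercase so case variants are caught too.
COMPROMISED = {"password", "123456", "qwerty123", "letmein", "mybank@99"}


def normalize(password: str) -> str:
    """NFKC-normalise so the same Unicode password compares equal however it was typed."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means it is acceptable.

    Deliberately absent: any rule demanding uppercase, digits or symbols. Spaces,
    punctuation and non-ASCII letters are all allowed, so the full character pool stays open.
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        problems.append("contains control characters")
    if pw.lower() in COMPROMISED:
        problems.append("appears in the compromised-password list")
    return problems


def evaluate(candidates: list[str]) -> dict[str, list[str]]:
    """Run the policy over a batch of candidates and report each verdict."""
    return {pw: check_password(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample candidates, including the article's uppercase example.
    samples = ["MYBANK@99", "short1", "correct horse battery staple",
               "Pässwörter sind länger", "x" * 65]
    for pw, problems in evaluate(samples).items():
        print(f"{pw[:30]!r:34} {'OK' if not problems else '; '.join(problems)}")
```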
The Bigger Picture: Trust
For small businesses, trust is everything. Your customers choose you over a larger competitor because they trust you with their data, their money, and their time. A security blunder like the one HSBC India has made does not just expose passwords — it erodes confidence.
If a bank worth hundreds of billions of pounds can get basic password security wrong, it is a stark reminder that size and reputation are no guarantee of competence. As a small business owner, you have the advantage of agility. You can audit your systems, fix weaknesses, and implement best practices far more quickly than a global institution can.
What to Do Right Now
If you are an HSBC India customer, change your password immediately — do not simply retype it in uppercase. Create a brand-new, strong password using a password manager, and ensure you are not reusing that password anywhere else.
If you are a small business owner, take this as your prompt to review your own password policies. Ask your web developer or hosting provider how passwords are stored. If the answer is anything other than "hashed with bcrypt, scrypt, or Argon2 and salted," you have work to do.
Security is not a product you buy — it is a practice you maintain. And as HSBC India has just demonstrated, even the biggest names can get it spectacularly wrong.
Not Sure If Your Business Passwords Are Secure?
Our team can audit your website and systems to ensure your password storage, authentication, and security policies meet modern standards. Don't wait for a breach to find out.