Internet banking is supposed to be one of the most secure online services around, but a recent email from HSBC to its Indian customers has some questioning whether that is really the case.
HSBC India has sent an email to customers telling them that, from next week, their internet banking passwords will have to be typed in upper case. From 6 April 2026, the bank says, passwords will become “UPPER case-sensitive.” The email then gives a peculiar instruction: rather than resetting their password, customers should simply start typing their existing one in capital letters. As the email puts it, “if your password is Test123, please enter TEST123 from 6 April 2026.”

The email has been circulating on social media and messaging groups, prompting a wave of concern — and no small amount of disbelief — from cybersecurity professionals, software engineers, and tech-savvy banking customers across India.
What the Email Actually Says
The email, which carries HSBC’s official branding and the tagline “Opening up a world of opportunity,” reads in full:
“We would like to inform you that your Internet Banking passwords will now become UPPER case-sensitive and the same will be in effect from 6 April 2026 onwards. When logging in, please enter your existing password using capital letters.”
It also notes:
“Please note: You can continue to log in using biometrics or secure token and there is no change to these options.”
Customers are directed to visit their nearest branch or call HSBC PhoneBanking for further assistance, with Premier customers advised to reach out to their Relationship Manager.
Why This Has Security Experts Worried
To understand why this email is raising red flags, it helps to know a little about how banks, and any responsible online service, are supposed to store passwords.
The right way to store a password
When you create a password with a reputable service, that service should never store the password itself. Instead it runs the password, together with a random per-user value called a salt, through a one-way function called a password hash. The same input always produces the same output, but the output cannot be turned back into the input, and the salt means two users who pick the same password end up with different stored values. When you log in, the service hashes what you typed with the same salt and checks whether the result matches the stored hash. It never needs to know, or to be able to recover, your actual password.
Crucially, a hash function works on the exact bytes it is given, so it is case-sensitive by construction: if your password is Test123, the stored hash of Test123 bears no relationship to the hash of TEST123, and nothing held on the bank's side lets it derive one from the other. A bank that stores passwords this way would therefore never need to send an email like this. The only ways to move such a system to a different canonical form of the password are to make every user set a new password, or to re-hash each user's password at their next successful login; neither can be applied to all customers on a fixed date by simply asking them to type differently.
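As an added illustration (not code from the original article, and not HSBC's own), here is the scheme described above in Python using only the standard library: a per-user random salt, PBKDF2-HMAC-SHA256 (chosen because it needs no third-party package; Argon2id would be the first choice in production), and a constant-time comparison. The password Test123 is the example from the email; the salt, the record layout and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600,000 is the OWASP-recommended
# minimum at the time of writing; it makes every guess deliberately slow.
ITERATIONS = 600_000


def make_verifier(password: str) -> dict:
    """Create the record a service should store instead of the password.

    A fresh random salt per user means two users with the same password
    get different stored hashes, and precomputed tables are useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(stored: dict, attempt: str) -> bool:
    """Re-derive the hash from what the user typed and compare in constant time.

    The original password is never stored or recovered; only the derived
    hash is compared, byte for byte, so any change to the input (including
    the case of a single letter) produces a mismatch.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), stored["salt"], stored["iterations"]
    )
    return hmac.compare_digest(digest, stored["hash"])


def case_variants_accepted(stored: dict, password: str) -> dict:
    """Report which case spellings of a password the stored verifier accepts."""
    spellings = (password, password.upper(), password.lower())
    return {s: verify(stored, s) for s in spellings}


if __name__ == "__main__":
    # Constructed example: the password quoted in the HSBC email.
    record = make_verifier("Test123")
    print(case_variants_accepted(record, "Test123"))
    # {'Test123': True, 'TEST123': False, 'test123': False}
```

The last line is the point of the paragraph above: only the exact spelling verifies, and the stored record contains nothing the bank could uppercase to produce a verifier for TEST123 without the customer logging in first.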
What this email implies
The fact that HSBC India is asking customers to change how they type their existing password, without requiring a reset, strongly suggests that the bank is not storing passwords the way described above. It points to one of two uncomfortable possibilities:
- Passwords stored in plain text or in a reversible (decryptable) format. The bank would then hold a record of your actual password, readable by anyone with access to that database, and could compute an uppercased hash from it behind the scenes. Storing passwords in recoverable form is one of the most serious failures in digital security.
- Passwords stored as a hash of a case-folded copy. Some older systems, including mainframe-era ones, uppercase every password before hashing it, so Test123 and TEST123 have always been accepted interchangeably. “Becoming case-sensitive” would then simply mean the login page stops folding what you type, and the stored hash, being of the uppercased string, matches only the capitals. This is the more likely reading of the email and is better than plain text, but it means case never protected anyone's password to begin with, and it remains poor practice by modern standards.
Either way, the password a customer will be typing after 6 April is no stronger than its all-capitals form. By collapsing upper and lower case, the system gives up what security professionals call entropy: the unpredictability of the password. Each letter in a password could have been one of two cases, so a folded verifier accepts all of a password's case variants as a single candidate, and an attacker who guesses the right letters in the wrong case still gets in. MyBank@99 has six letters, so its 64 case variants all count as one guess; a verifier that preserved case would make the attacker try each of them. Whether that is a new weakness (plain text uppercased and then hashed) or an old one finally made visible (passwords that were always folded), it makes password guessing noticeably easier than the mixed-case policy customers thought they had.
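To make the second possibility concrete, and to show the entropy cost described above, here is an added model in Python of a case-folding verifier and of what “becoming case-sensitive” would mean for it. It is constructed for illustration, not HSBC's code (whose internals are not public), and it deliberately uses an unsalted SHA-256 so the folding is easy to see; a real verifier would salt the password and use a slow hash as well.

```python
import hashlib

# Constructed model of a legacy case-folding verifier. Not HSBC's code; the
# bare SHA-256 is used only to keep the folding behaviour visible.


def legacy_store(password: str) -> bytes:
    """Legacy design: case is thrown away before hashing, so the stored
    value is the hash of the all-capitals spelling."""
    return hashlib.sha256(password.upper().encode("utf-8")).digest()


def legacy_check(stored: bytes, attempt: str) -> bool:
    """Before the change: the attempt is folded the same way, so Test123
    and TEST123 are indistinguishable to the verifier."""
    return hashlib.sha256(attempt.upper().encode("utf-8")).digest() == stored


def strict_check(stored: bytes, attempt: str) -> bool:
    """After 'becoming case-sensitive': folding is removed from the login
    path but the stored hash is unchanged, so only the all-capitals
    spelling matches. This is the one design in which 'type it in
    capitals' works without a password reset."""
    return hashlib.sha256(attempt.encode("utf-8")).digest() == stored


def simulate_migration(password: str) -> dict:
    """Which spellings log in before and after the switch, for a record
    that was created under the case-folding design."""
    stored = legacy_store(password)
    spellings = (password, password.upper())
    return {
        "before": {s: legacy_check(stored, s) for s in spellings},
        "after": {s: strict_check(stored, s) for s in spellings},
    }


def case_bits_lost(password: str) -> int:
    """Every letter could have been upper or lower case; a folded verifier
    checks none of those choices, so each letter is one bit of keyspace
    the attacker no longer has to search."""
    return sum(1 for ch in password if ch.isalpha())


def case_variants_collapsed(password: str) -> int:
    """Number of distinct case spellings a folded verifier accepts as the
    same password: 2 to the power of the letter count."""
    return 2 ** case_bits_lost(password)


if __name__ == "__main__":
    # Constructed inputs: the two passwords quoted in the article.
    print(simulate_migration("Test123"))
    # {'before': {'Test123': True, 'TEST123': True},
    #  'after': {'Test123': False, 'TEST123': True}}
    print(case_variants_collapsed("MyBank@99"))
    # 64
```

Under this model the email's instruction is exactly what a customer would need: the mixed-case spelling that worked yesterday stops working, the capitals keep working, and no reset is required. The second function pair shows the cost: a password with k letters is one of 2^k spellings the folded verifier cannot tell apart.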
“This Is Not Normal”
Standard industry practice, as set out by NIST (the US National Institute of Standards and Technology, in SP 800-63B) and OWASP (the Open Web Application Security Project, in its Password Storage Cheat Sheet), is to store passwords with a salted, deliberately slow one-way function such as Argon2id, scrypt, bcrypt or PBKDF2. These functions operate on the exact bytes they are given, so case matters, and their cost makes brute-force guessing expensive. An upgrade to a system built this way would never require users to simply retype their password differently; the only designs in which “type it in capitals” works without a reset are one that was already folding case before hashing, or one that holds the password in recoverable form.
The episode also raises a more uncomfortable question: if passwords have potentially been stored in a recoverable format, could they have been accessed by unauthorised parties in the past? The email does not address this.
What You Should Do
If you are an HSBC India internet banking customer, here is what security experts broadly recommend:
- After 6 April, change your password to something entirely new and strong rather than simply uppercasing your old one; once the system honours case, a mix of uppercase and lowercase letters, numbers and symbols counts again.
- Do not reuse this password elsewhere. If the old password was stored insecurely, change it on any other site where you used the same one.
- Switch to biometric or secure token login where possible. HSBC’s email confirms these login methods are unaffected, and they are generally more secure than password-based login.
- Stay alert for phishing attempts. Emails asking users to change how they type their password are a classic scam template. This one appears to be genuine, but it sets a dangerous precedent, and customers should verify any such communication by calling the official HSBC PhoneBanking number directly rather than following links in the message.
HSBC India Has Not Responded
At the time of publication, HSBC India had not issued a public statement addressing the technical concerns raised by this email. [This article will be updated if and when a response is received.]
The episode is a timely reminder that “internet banking” and “secure banking” are not always synonymous — and that customers are right to ask hard questions when something does not add up.