Online Banking on PC vs Telephone

BeebMaster
Posts: 7380
Joined: Sun Aug 02, 2009 5:59 pm
Location: Lost in the BeebVault!

Online Banking on PC vs Telephone

Post by BeebMaster »

More and more I find that I am excluded from certain online banking services because I only use my PC to log in, and not a mobile telephone "app". I don't understand why. For example, with Halifax I can do 3 things on mobile telephone that I can't do on PC:

1. Pay in a cheque.
2. Change my address.
3. Stop my cards temporarily or permanently.

None of these can be done with the online banking and need a telephone call or visit to a branch.

In addition, RBS have just claimed that mobile app is more "secure" than PC with a web browser:

I forgot my PIN for my card reader, so to get a reminder, I have to wait for it in the post. However, apparently because a telephone app is "more secure", if I had it, I could have been shown my PIN on screen.

I really don't understand that. What if the 'phone is nicked, surely the robber then has access to everything that's on the 'phone, including the banking? As far as I've been able to see, people just tap things and they load up without any security challenge at all. To get into my online banking, a robber would have to nick my PC, and my PC login password, and my banking user ID, and password to get access to my banking.
VectorEyes
Posts: 572
Joined: Fri Apr 13, 2018 2:48 pm

Re: Online Banking on PC vs Telephone

Post by VectorEyes »

Mobile banking apps always have security in my experience. It might be a PIN code or password or FaceID, but it’s there. My suspicion is that the banks prefer mobile apps because almost everyone has a smartphone these days, and they don’t want to pay for the costs of maintaining a website interface and a mobile app version.

Possibly there is also a security concern? Mobile OSs are generally continually updated (until the manufacturer deems the device obsolete of course) and the app developers can require that the app run on the latest OS. On a desktop PC you might be running any random browser on any OS version from the last few years. And your PC might be remotely controlled by those scammers who phone up and offer to remotely control your machine so they can remove a virus.
jgharston
Posts: 5321
Joined: Thu Sep 24, 2009 12:22 pm
Location: Whitby/Sheffield

Re: Online Banking on PC vs Telephone

Post by jgharston »

If "everybody has a smart phone nowadays", then everybody also has a *WEB* *BROWSER* nowadays - on their smart phone!
And your PC might be remotely controlled by those scammers who phone up and offer to remotely control your machine so they can remove a virus.
I was subject to an attempted scam where they wanted me to install something on my smart phone. I kept them on the phone for as long as possible while I pushed random buttons on my Nokia 3310.

$ bbcbasic
PDP11 BBC BASIC IV Version 0.45
(C) Copyright J.G.Harston 1989,2005-2024
>_
a1exh
Posts: 264
Joined: Fri Apr 16, 2021 5:35 pm
Location: Oxfordshire

Re: Online Banking on PC vs Telephone

Post by a1exh »

I've been using online banking for over 30 years. My bank has always required 2 step authentication.

Originally the 2-step authentication was done using Web Browser Client + email code (which is not secure).

Then they introduced the dongle devices, a keypad that you used to generate a code with.

Then they introduced an app to replace the dongle in look and feel.

Now it is Web Browser + Mobile Banking App.

I'm happy with the mix of security. Can't hurt albeit slightly OTT if you ask me.

With the four online banks I use at the moment there is one thing that requires Mobile Banking App only and can't be done using a Web Browser and that is paying in cheques. The reason being that you have to send a photo of the cheque and it's much easier using a mobile phone than desktop/laptop.

There are a multitude of things that can't be done using the App alone and require desktop browser login. (Setting up new direct debits, setting up repeating standing orders, IBAN banking)

The issue is that virus/malware for x86 PC is much much more prevalent than on iOS (and to some extent Android) so there are probably fewer frauds using mobile banking apps than desktop PCs.

Mobile Banking apps still traditionally require 2-step authentication. Biometrics/phone pin code + secure banking password. Even if a phone is stolen they have no access via banking apps (without malware)

I would strongly recommend you change banks.
Last edited by a1exh on Mon Mar 04, 2024 2:19 pm, edited 1 time in total.
Principal ASIC Engineer
RetroGeek
Acorn Electron + A310 + A5000
http://thalion.atari.org
garethQ
Posts: 4
Joined: Tue Jun 21, 2022 10:28 pm

Re: Online Banking on PC vs Telephone

Post by garethQ »

I don't mind apps for a lot of the day to day stuff, but there are two things I want to see in all the banking apps I have:
  • The ability to have the app on multiple devices, like my phone and iPad.
  • Better download controls for statements
a1exh
Posts: 264
Joined: Fri Apr 16, 2021 5:35 pm
Location: Oxfordshire

Re: Online Banking on PC vs Telephone

Post by a1exh »

garethQ wrote: Mon Mar 04, 2024 2:19 pm
  • The ability to have the app on multiple devices, like my phone and iPad.
You can't do that? I have banking apps on all my devices at the same time and they work. Not 2 devices simultaneously but same app on different devices one at a time.
garethQ wrote: Mon Mar 04, 2024 2:19 pm
  • Better download controls for statements
Meaning? My banks offer traditional download of statements as PDFs or CSV via SSL. I can even make custom statements with filters (they are not 100% flexible) such as start date / end date. In/out. etc. yes better filtering would be nice. I just take everything and filter locally using Excel.
sweh
Posts: 3314
Joined: Sat Mar 10, 2012 12:05 pm
Location: 07410 New Jersey

Re: Online Banking on PC vs Telephone

Post by sweh »

I can't talk much about iOS, but I've done a fair amount of pulling apart of Android so...

Each app in Android runs under a different uid and gid; e.g. BankApp might run as uid:gid 12345:12345. SocialMediaApp might be 23456:23456. In addition each app has a unique data directory e.g. /data/data/bankapp and /data/data/socialmediaapp.

Much of this is enforced by the OS when the app is installed. An app may decide to allow other apps to read data or whether the data is allowed to be backed up, whether it may be indexed as media files, etc etc.

As an aside; this is also how Android handles "work profiles" when using MDM; it creates a second copy of the application with different uid:gid and directory; e.g. personalOutlook might be 4321:4321 /data/data/outlook but work outlook might be 543:543 /data/data/1/outlook. It's a clever solution!

The application is responsible for handling of encryption of data at rest. Android provides an API for handling of encryption secrets, so each application has a unique encryption key. (Also the whole disk is normally encrypted; it's to protect against a different attack vector).

(More modern phones also provide secure environments with hardware assist, e.g. Samsung Knox, Google Titan M2).

When you register your app with your bank by logging in for the first time, a cryptographic secret is created and stored on the device. This may be protected by biometrics. When you next open the app and login with biometric what happens is that crypto-secret is unlocked and that's used for communicating with the backend systems.

This is effectively MFA (something you are and something you have - the phone with the crypto secret). As long as you can trust the phone to properly protect the crypto-secret.

And here is where things get interesting and we look at ways to attack it.

First level defense is the encryption of the disk itself. If you lose the phone and it's been powered off (eg when passing through airport security) then the data on the disk is unreadable. When the phone is powered on it asks for a PIN or password to unlock the disk; biometrics aren't enough (US allows for law enforcement to force you to biometric unlock but doesn't allow for them to demand a PIN/password... stoopid). If your phone was already powered on then the contents are unlocked; a good forensic attack might be able to read the raw contents... but if you're being attacked at that level then https://xkcd.com/538/ probably applies, anyway!

So now we need to look at the strength of biometrics; how easy is it to break into an app with fingerprint or face recognition. As already noted, if you're physically present then the bad guy can force you to enter this (also see xkcd reference). If you're not present then there's normally a limited number of attempts before that method gets locked out (eg 5 wrong fingerprints and you're back to PIN/password). Unless you're specifically being targeted and someone has copied your fingerprints and made a mould and stuff, it's probably secure enough.

Next we need to look at malware; because of the uid/gid separation of applications we're pretty much only concerned with malware that can get to root level on the phone. This is getting harder and harder (unless you deliberately put the phone into unlocked bootloader mode because you want to root it yourself, or run 3rd party firmware). Google does provide "root detection" routines, but if you have root this can be bypassed (eg magisk hide). In 2019 a zero-day root exploit on Android would be worth over $2.5million (and $2million on iOS).

So let's put all this together; modern phones are pretty secure execution environments!

Note I've been using "modern phones". Get a good modern phone (not some $150 Chinese variant that comes pre-populated with malware) and keep it patched.

Disclaimer: I work for a large financial technology company; we provide banking services to smaller banks and credit unions - eg we provide the backends the bank depends on. A few years ago we wanted to start allowing Outlook/Teams/Sharepoint on BYOD so I was tasked with seeing how secure it was on Android; I had an older phone I had rooted and was able to bypass Intune version and root checking and get to the raw data; I found the team hadn't originally turned on encryption (oops) and even after they had there was a bug in Teams where it didn't encrypt properly (MS patched that). That's how I know what Android does :-)

Now compare all that security-in-depth to your desktop web browser. Everything runs as the same user (you!), there's much much more malware associated with desktops (eg keystroke loggers), configurations are mostly insecure out of box, disks aren't encrypted by default... even app level encryption on Windows can be dodgy if it uses the encryption API 'cos it uses the user credentials to unlock the secret key, so malware running as the user will automatically decrypt.

Windows is a lot more secure than it was before; a recent Linux is even less likely to have desktop malware. The attack vectors between mobile apps and webapps are different. I'm not going to say one is more secure than the other.

I, personally, do most of my banking in Chrome on Linux because I prefer a full keyboard. But I also have the mobile app on my phone for when I'm out and about (and it sends me alerts when my credit card is used which has, once, been used to detect fraud within minutes of it happening... No I didn't buy a pizza in Queens, quick phone the bank. My bank basically made me part of their fraud department!)

I don't do telephone banking 'cos I don't like talking to people :D
Rgds
Stephen
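
The enrolment and login flow sweh describes, sketched as an added example (not from the post or from any bank's code). The `Bank` and `Device` classes, the `biometric_ok` flag and the device id are hypothetical, and an HMAC over a server nonce stands in for the hardware-backed key a real app would keep in the platform key store.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Backend side: knows each enrolled device's secret, issues one-time nonces."""

    def __init__(self):
        self._secrets = {}   # device_id -> secret registered at enrolment
        self._pending = {}   # device_id -> outstanding challenge

    def register(self, device_id, secret):
        self._secrets[device_id] = secret

    def new_challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, response):
        nonce = self._pending.pop(device_id, None)   # each challenge is single use
        secret = self._secrets.get(device_id)
        if nonce is None or secret is None or response is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """Phone side: the secret never leaves the device and needs a local unlock."""

    def __init__(self, device_id):
        self.device_id = device_id
        self._secret = None   # stand-in for a key held by the OS key store

    def enrol(self, bank):
        # First login: create the secret on the device and register it.
        self._secret = secrets.token_bytes(32)
        bank.register(self.device_id, self._secret)

    def answer(self, challenge, biometric_ok):
        # Without a successful biometric/PIN unlock the secret is unusable.
        if not biometric_ok or self._secret is None:
            return None
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def demo():
    """Run four constructed scenarios and return whether each login succeeds."""
    bank = Bank()
    phone = Device("phone-1")
    phone.enrol(bank)
    results = {}

    # 1. Owner unlocks with biometrics and answers the bank's nonce.
    first = bank.new_challenge("phone-1")
    good = phone.answer(first, biometric_ok=True)
    results["owner_login"] = bank.verify("phone-1", good)

    # 2. Phone in someone else's hands: biometric check fails, no response.
    second = bank.new_challenge("phone-1")
    results["failed_biometric"] = bank.verify(
        "phone-1", phone.answer(second, biometric_ok=False))

    # 3. A response captured earlier is replayed against a fresh nonce.
    bank.new_challenge("phone-1")
    results["replayed_response"] = bank.verify("phone-1", good)

    # 4. Another handset claims the same id but holds a different secret.
    other = Device("phone-1")
    other._secret = secrets.token_bytes(32)
    fourth = bank.new_challenge("phone-1")
    results["other_handset"] = bank.verify(
        "phone-1", other.answer(fourth, biometric_ok=True))
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```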
tricky
Posts: 7695
Joined: Tue Jun 21, 2011 9:25 am

Re: Online Banking on PC vs Telephone

Post by tricky »

I wanted online banking without phone banking, but was told I had to install phone banking, then online then I could remove phone.
After the hour it took the branch manager to install phone banking and the estimate of another hour to install online and remove phone I stuck with just phone. I have mostly been happy with it.

The thing that annoys me a lot! Is having to give a mobile number to use to verify stuff! The argument is that it is more secure, well, is debatable! We have no mobile signal where we live and not one of the three mobile providers that we currently use support WiFi calling/receiving except one who does on iPhone, which I hate despite our designers being in every one!

</Rant>
geraldholdsworth
Posts: 1401
Joined: Tue Nov 04, 2014 9:42 pm
Location: Inverness, Scotland

Re: Online Banking on PC vs Telephone

Post by geraldholdsworth »

Must be co-incidence that I needed to drop into a bank branch today to transfer some money to pay for a holiday. When asked if I use online or mobile banking, I answered that I don't trust computers, being a computer programmer, and I don't have a mobile phone. She was taken aback, albeit with a wee bit of jealousy, that I didn't have a mobile.

Problem is, up here in the Highlands, because RBS (along with a lot of other banks) are closing a lot of branches, our local branch is 35 miles away. I'm lucky that I get to go into Inverness for work, at least, once a week. But I still insist on visiting the branch to pay in money, or do any transfers.
Gerald Holdsworth, CTS-D
Extron Authorised Programmer
https://www.geraldholdsworth.co.uk
https://www.reptonresourcepage.co.uk
Twitter @radiogezza
jgharston
Posts: 5321
Joined: Thu Sep 24, 2009 12:22 pm
Location: Whitby/Sheffield

Re: Online Banking on PC vs Telephone

Post by jgharston »

geraldholdsworth wrote: Mon Mar 04, 2024 5:45 pm Problem is, up here in the Highlands, because RBS (along with a lot of other banks) are closing a lot of branches, our local branch is 35 miles away. I'm lucky that I get to go into Inverness for work, at least, once a week. But I still insist on visiting the branch to pay in money, or do any transfers.
I'm feeling well off now, my local bank branch is only 21 miles away. ;)

A few months ago, my bank changed the first part of their two-factor authentication from asking for four characters from my passcode string to asking for the whole string. When it first happened I refused, printed out the page, and went to the bank to warn them of what was obviously a scam. "oh, no it's not, we've changed it to ask for all 18 characters to make it more secure for smartphone users with password managers."

I'm not sure how having all 18 characters of my passphrase passing through my keyboard buffer, web browser, and internet connection is any more secure than four of those 18 characters which won't be asked for again for a long time. All 18 characters are guaranteed to be asked for the very next time there is an attempt to log in.

guesser
Posts: 708
Joined: Mon Jun 26, 2006 10:21 pm

Re: Online Banking on PC vs Telephone

Post by guesser »

If an attacker is in a position to intercept what you type between your keyboard and the webserver you've probably already lost the battle.
On the other hand encouraging passwords like %}l:y}AOH_lck3OFD rather than the name of your dog with a 1 on the end is a huge boost.

My bank wants particular letters out of a terrible password I can store in my head and it infuriates me. Not least the handwavy explanation of some magical maths that allows them to validate odd letters from a password without having to store the original password unhashed.
Various teletext things including a web based teletext editor which can export as mode 7 screens.
Join the Teletext Discord for teletext chat.
jgharston
Posts: 5321
Joined: Thu Sep 24, 2009 12:22 pm
Location: Whitby/Sheffield

Re: Online Banking on PC vs Telephone

Post by jgharston »

guesser wrote: Mon Mar 04, 2024 10:41 pm If an attacker is in a position to intercept what you type between your keyboard and the webserver you've probably already lost the battle.
On the other hand encouraging passwords like %}l:y}AOH_lck3OFD rather than the name of your dog with a 1 on the end is a huge boost.

My bank wants particular letters out of a terrible password I can store in my head and it infuriates me. Not least the handwavy explanation of some magical maths that allows them to validate odd letters from a password without having to store the original password unhashed.
Well, asking for 8th, 15th, 4th and 12th characters in that order from the passphrase I keep in my head is better than asking me to type the entirety of "auntmatildagoeshome" (not actually my passphrase). Next time I log in it's guaranteed that giving the 8th, 15th, 4th and 12th characters in that order will be incorrect, whereas it is guaranteed that "auntmatildagoeshome" will be correct.

paulb
Posts: 1767
Joined: Mon Jan 20, 2014 9:02 pm

Re: Online Banking on PC vs Telephone

Post by paulb »

jgharston wrote: Mon Mar 04, 2024 11:19 pm Well, asking for 8th, 15th, 4th and 12th characters in that order from the passphrase I keep in my head is better than asking me to type the entirety of "auntmatildagoeshome" (not actually my passphrase). Next time I log in it's guaranteed that giving the 8th, 15th, 4th and 12th characters in that order will be incorrect, whereas it is guaranteed that "auntmatildagoeshome" will be correct.
I always thought that the picking of certain character positions from a passphrase had the hallmarks of performative security, and so any reference to a decent comparative analysis of that approach versus the use of the entire passphrase would be informative. However, I think the problem with the approach is that while you may be capable of the mental gymnastics, many people would take to writing down their passphrase and then counting along from one letter, number or symbol by eye, aided by their writing instrument.

And we all know that writing down passphrases is strongly discouraged. It used to be taboo, but with all the weak passphrases and reset requests that result from getting people to memorise tens of different sets of credentials, organisations are now slightly more realistic and have learned not to expect secret agent levels of discipline from random punters.
danielj
Posts: 9900
Joined: Thu Oct 02, 2008 5:51 pm
Location: Manchester

Re: Online Banking on PC vs Telephone

Post by danielj »

Must confess, I moved everything over to monzo a few years ago and it's been brilliant. Everything is app based, no need for a branch. Payments easy, statements easy, everything easy. Only thing is no chequebook, but the last time I wrote a cheque was over 10 years ago so it's been no great loss.

Viva la revolution!
daveejhitchins
Posts: 7876
Joined: Wed Jun 13, 2012 6:23 pm
Location: Newton Aycliffe, County Durham

Re: Online Banking on PC vs Telephone

Post by daveejhitchins »

I use First Direct (HSBC) - so, telephone only. No questions asked when I call, as they have voice recognition. Still have a Chequebook and I can pay-in and take-out via the Post Office (even cheques) and cash machines, of course!

If I need a face-to-face I just call in at the local HSBC - in my case 5 miles away in Darlington.

Dave H.
Available: ARA II : ARA III-JR/PR : ABR : AP5 : AP6 : ABE : ATI : MGC : Plus 1 Support ROM : Plus 3 2nd DA : Prime's Plus 3 ROM/RAM : Pegasus 400 : Prime's MRB : ARCIN32 : Cross-32
IanS
Posts: 2535
Joined: Mon Aug 31, 2009 7:02 pm
Location: UK

Re: Online Banking on PC vs Telephone

Post by IanS »

daveejhitchins wrote: Tue Mar 05, 2024 8:27 am I use First Direct (HSBC) - so, telephone only.
First direct have an app, I've only ever spoken to them on the phone about twice since I've had an account.

https://www.firstdirect.com/ways-to-bank/mobile-app/
daveejhitchins wrote: Tue Mar 05, 2024 8:27 am Still have a Chequebook and I can pay-in and take-out via the Post Office (even cheques) and cash machines, of course!
You can pay in cheques via the app, no need to go anywhere.
SteveBagley
Posts: 367
Joined: Sun Mar 15, 2015 8:44 pm

Re: Online Banking on PC vs Telephone

Post by SteveBagley »

jgharston wrote: Mon Mar 04, 2024 10:19 pm A few months ago, my bank changed the first part of their two-factor authentication from asking for four characters from my passcode string to asking for the whole string. When it first happened I refused, printed out the page, and went to the bank to warn them of what was obviously a scam. "oh, no it's not, we've changed it to ask for all 18 characters to make it more secure for smartphone users with password managers."

I'm not sure how having all 18 characters of my passphrase passing through my keyboard buffer, web browser, and internet connection is any more secure than four of those 18 characters which won't be asked for again for a long time. All 18 characters are guaranteed to be asked for the very next time there is an attempt to log in.
If I'm asked for four characters from a password I probably have around a 1 in 64^4 chance of guessing it correctly, as opposed to a 1 in 64^18 chance of guessing the actual password. Now if I'm trying to access bank accounts (and remember I'm not necessarily interested in accessing your specific account, but just gaining access to some), having a 1 in 64^4 chance of success from randomly guessing a password is a lot better than 1 in 64^19 (remember I don't know how long the password on an account is). At worst, if I am after a specific account, the "give me four characters from the password" approach basically boils it down into a Wordle-like puzzle, less if I can capture or force multiple logins… (If you're wondering why I chose 64 as an estimate, it's because there's 26 letters, both upper and lower case, 10 digits and an assortment of valid symbols.)

The banks are basing their decisions on an analysis of the specific threat model to their service, and the network transport is not part of that. TLS1.3 which all banks will use by now is going to keep the data secure in transit. There's no security benefit from not transmitting the full password over the network anymore, so we can effectively ignore that.

Instead, a far bigger source of problems will be simply the account credentials are compromised, either by obtaining the username or password, or by obtaining the session cookie out of the browser itself and using it elsewhere.

Passwords can be obtained in a variety of ways -- keyloggers, shoulder surfing or just from the fact that people reuse the same password on multiple accounts (which is why stolen password lists are so valuable -- it's quite likely that there is at least one user whose stardot username and password is the same as their bank login details). One way to mitigate stolen passwords is to use long, random passwords on each site, so the compromise of one site does not affect others.

Of course, humans don't like remembering long random sequences which is why password managers are so useful and important. Not only can they generate and store long unique passwords, they can also present them directly without them being typed in (killing off the threat of keyloggers) or going via the clipboard (killing off malware from copying it from there) and will often guard access to them behind biometrics (face or touch -- often being able to tell if the presenting individual is alive) which leaves the threat down at whether the session cookies can be extracted, transmitted and reused before they expire.

Which, as sweh explained earlier, is why banks prefer mobile apps over the web (apart from the obvious UI benefits!).

It turns out that a lot of the password advice (pick something you can remember, and don't write it down) that made sense when passwords were being used to control access to machines and resources in a controlled environment (school, military base, office etc.) doesn't apply when being used to protect always-on, networked resources like banks on the internet (in fact the exact opposite is almost the case).

Steve
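
An added worked example (not from any of the posts) putting numbers on the partial-passcode exchange between jgharston and SteveBagley. It uses the thread's 18-character passcode, four characters asked per login and SteveBagley's 64-symbol estimate, and assumes the bank picks the four positions uniformly at random each time; the function names are made up here. It goes slightly beyond the posts by computing exactly how much an observer of past logins knows.

```python
from fractions import Fraction
from math import comb

ALPHABET = 64   # SteveBagley's estimate of usable characters
LENGTH = 18     # passcode length mentioned in the thread
ASKED = 4       # characters requested per login
CHALLENGES = comb(LENGTH, ASKED)   # 3060 possible sets of positions


def online_guess_odds(chars):
    """Chance that one blind guess of `chars` random characters is right."""
    return Fraction(1, ALPHABET ** chars)


def known_positions_distribution(observed_logins):
    """Exact distribution of how many distinct positions have been revealed
    after `observed_logins` challenges (assumption: uniform random positions)."""
    dist = {0: Fraction(1)}
    for _ in range(observed_logins):
        nxt = {}
        for known, p in dist.items():
            for new in range(ASKED + 1):
                # `new` unseen positions plus ASKED-new already-seen ones
                ways = comb(LENGTH - known, new) * comb(known, ASKED - new)
                if ways:
                    step = p * Fraction(ways, CHALLENGES)
                    nxt[known + new] = nxt.get(known + new, 0) + step
        dist = nxt
    return dist


def chance_next_challenge_answerable(observed_logins):
    """Probability the next challenge asks only for already-revealed positions."""
    dist = known_positions_distribution(observed_logins)
    return sum(p * Fraction(comb(known, ASKED), CHALLENGES)
               for known, p in dist.items())


def single_guess_success(observed_logins):
    """Chance one attempt passes the next challenge when revealed positions
    are filled in and the remaining ones are guessed at random."""
    total = Fraction(0)
    for known, p in known_positions_distribution(observed_logins).items():
        for hit in range(ASKED + 1):   # challenged positions already revealed
            ways = comb(known, hit) * comb(LENGTH - known, ASKED - hit)
            if ways:
                total += (p * Fraction(ways, CHALLENGES)
                          * online_guess_odds(ASKED - hit))
    return total


def full_passcode_replay_chance(observed_logins):
    """With a whole-passcode prompt, one observed login reveals everything."""
    return Fraction(1) if observed_logins >= 1 else Fraction(0)


if __name__ == "__main__":
    print("blind guess, 4 chars :", online_guess_odds(ASKED))
    print("blind guess, 18 chars:", online_guess_odds(LENGTH))
    for n in (1, 3, 5, 10):
        print(f"after {n:2d} observed logins: partial "
              f"{float(chance_next_challenge_answerable(n)):.4f}, "
              f"full {float(full_passcode_replay_chance(n)):.0f}")
```

The two prompts trade off in opposite directions: the whole-passcode prompt is far harder to guess blind but is fully exposed by one observed login, while the four-character prompt is easy to guess blind but leaks gradually.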
daveejhitchins
Posts: 7876
Joined: Wed Jun 13, 2012 6:23 pm
Location: Newton Aycliffe, County Durham

Re: Online Banking on PC vs Telephone

Post by daveejhitchins »

IanS wrote: Tue Mar 05, 2024 9:01 am
daveejhitchins wrote: Tue Mar 05, 2024 8:27 am I use First Direct (HSBC) - so, telephone only.
First direct have an app, I've only ever spoken to them on the phone about twice since I've had an account.

https://www.firstdirect.com/ways-to-bank/mobile-app/
daveejhitchins wrote: Tue Mar 05, 2024 8:27 am Still have a Chequebook and I can pay-in and take-out via the Post Office (even cheques) and cash machines, of course!
You can pay in cheques via the app, no need to go anywhere.
Yes, I have the app - good one too - But, if you need to speak to them . . . the app's no good :wink: I didn't know about the cheque through the app, though. And, I'm at the Post Office 3/4 times a week - a nice walk 20min. round trip.

Dave H.
BeebMaster
Posts: 7380
Joined: Sun Aug 02, 2009 5:59 pm
Location: Lost in the BeebVault!

Re: Online Banking on PC vs Telephone

Post by BeebMaster »

I don't really understand this thing about cheques (or the other things you can't do with PC online banking but can do on telephone); I have a camera and a scanner, so what's the difference in me uploading a picture of the cheque that I have made, than the 'phone camera taking the picture and uploading it?

Just before I moved, I received a cheque being the payout from a local club I had left, and paid it in branch but it had been so long since I had seen a cheque that I never noticed it wasn't dated! On the receipt slip when I was back home there was an image of the cheque, with no date, and sure enough, later that day in my online banking there was "Correction" and the amount debited again!

So I had to get them to send me a new cheque, which should have arrived the day before we moved, but the Royal Mail started the redirection early, so it came to our new house eventually, and I had to go to the branch near here (only 20 mins or so away luckily) to pay it in. Could have all been avoided if I as a PC-banking customer had been afforded the same facilities as the mobile-telephone-banking-customer.

And I think this is a wider problem now; long has there been a differentiation between the online and the not online, with the not online people being disadvantaged on price and convenience compared to the online people. But now there is an even finer differentiation between the online-on-a-computer people and the online-on-a-telephone people, with the computer people disadvantaged compared to the telephone people.
paulb
Posts: 1767
Joined: Mon Jan 20, 2014 9:02 pm

Re: Online Banking on PC vs Telephone

Post by paulb »

BeebMaster wrote: Tue Mar 05, 2024 1:15 pm And I think this is a wider problem now; long has there been a differentiation between the online and the not online, with the not online people being disadvantaged on price and convenience compared to the online people. But now there is an even finer differentiation between the online-on-a-computer people and the online-on-a-telephone people, with the computer people disadvantaged compared to the telephone people.
There are several factors at play, at different levels of economics. Streamlining services to "app"-only provision supposedly allows institutions to cut costs, although many of the costs are actually being outsourced to the customer, like needing to have a new-enough smartphone with the right features. And putting everything on a smartphone effectively requires the customer to enter into contractual agreements with one of two corporations who have inserted themselves into every facet of modern commerce.

A broader observation can be made about the disadvantaged versus the privileged, which is to say that the disadvantaged usually end up being further disadvantaged by terms of business. For example, if they don't have access to the appropriate technology, they might be charged "handling" or "processing" fees. Meanwhile, the privileged will be suitably tooled up and able to take advantage of the cost-optimised workflows of such organisations, getting to keep even more of the money that they already have in larger amounts. Regularly taking money off the less well-off is a pretty mature business model, of course, as is throwing money at the very well-off.

There's also the accessibility argument in all of this. "Use the app" is not sound advice for various demographics, whether they can afford the technology and accompanying services or not. In a recent rant about this on another forum, I noted that the complacency of one financial institution in assuming that their customers could just "use the app" had their remaining branches rammed for weeks with people who couldn't, leaving that institution facing possible daily fines for not authenticating all of their customers.
garethQ
Posts: 4
Joined: Tue Jun 21, 2022 10:28 pm

Re: Online Banking on PC vs Telephone

Post by garethQ »

geraldholdsworth wrote: Mon Mar 04, 2024 5:45 pm Must be co-incidence that I needed to drop into a bank branch today to transfer some money to pay for a holiday. When asked if I use online or mobile banking, I answered that I don't trust computers, being a computer programmer, and I don't have a mobile phone. She was taken aback, albeit with a wee bit of jealousy, that I didn't have a mobile.

Problem is, up here in the Highlands, because RBS (along with a lot of other banks) are closing a lot of branches, our local branch is 35 miles away. I'm lucky that I get to go into Inverness for work, at least, once a week. But I still insist on visiting the branch to pay in money, or do any transfers.
Wow, you sound like my grandparents. lol. I suspect you are going to have to get something at some point.

I can not stand going into banks myself. So many hours wasted as a kid, let alone as an adult.
BigEd
Posts: 6261
Joined: Sun Jan 24, 2010 10:24 am
Location: West Country

Re: Online Banking on PC vs Telephone

Post by BigEd »

(I think the age range of participants on Stardot is such that some of us are the age of grandparents compared to others... I have come to realise that old people are just people+time.)
SteveBagley
Posts: 367
Joined: Sun Mar 15, 2015 8:44 pm

Re: Online Banking on PC vs Telephone

Post by SteveBagley »

BeebMaster wrote: Tue Mar 05, 2024 1:15 pm I don't really understand this thing about cheques (or the other things you can't do with PC online banking but can do on telephone); I have a camera and a scanner, so what's the difference in me uploading a picture of the cheque that I have made, than the 'phone camera taking the picture and uploading it?
If I write an app for a phone, I can verify that the image was taken at the time the app was used using the camera on the device, by the app which I wrote, rather than just being a random JPEG that’s been uploaded. This means I, or rather the bank, can be a lot more confident the image is genuine, and was taken at a specific location, on a specific device, running specific code, and so therefore the cheque in the image is genuine. Compare that to an image upload from a PC, where there’s no way to validate the source of the image — particularly if you stray away from the narrow path of a Mac or Windows box.

And that’s before you consider the user experience or trying to support users on the multitude of platforms you get with a computer… :)

The big difference is that phones and tablets have been designed and built as trusted computing platforms from the ground up, so it is possible to attest that every piece of code running is what you expect it to be — which for a bank undertaking financial transactions over the network is crucial.

Compare this to the average computer, which is the exact opposite, and while both Apple and Microsoft are rapidly doing their best to make Macs and Windows into trusted platforms they aren’t yet.

Steve
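The checks Steve describes (image captured now, on a known device, by known code) can be sketched server-side as follows. This is an added example, not part of the original post and not any bank's or phone vendor's code; all names, keys and values are constructed, and an HMAC with a per-device key stands in for the hardware-backed asymmetric signature a real platform would use.

```python
import hashlib
import hmac
import json

# Constructed sample data. HMAC with a per-device key is an assumption
# standing in for a hardware-backed asymmetric attestation signature.
DEVICE_KEYS = {"device-001": b"constructed-device-key"}
TRUSTED_APP_MEASUREMENTS = {hashlib.sha256(b"bank-app-build-1").hexdigest()}
MAX_AGE_SECONDS = 120


def sign_capture(device_id, key, nonce, image, app_measurement, taken_at):
    """Device side: bind the image to the server nonce, time and app build."""
    claims = {
        "device_id": device_id,
        "nonce": nonce,
        "taken_at": taken_at,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "app_measurement": app_measurement,
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def verify_upload(image, evidence, issued_nonces, now):
    """Server side: return (accepted, reason) for one cheque image upload."""
    if evidence is None:
        # A bare JPEG from a browser upload ends up here.
        return False, "no attestation: source of image unknown"
    claims = evidence["claims"]
    key = DEVICE_KEYS.get(claims["device_id"])
    if key is None:
        return False, "unknown device"
    payload = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, evidence["tag"]):
        return False, "bad signature"
    if claims["image_sha256"] != hashlib.sha256(image).hexdigest():
        return False, "image does not match signed hash"
    if claims["app_measurement"] not in TRUSTED_APP_MEASUREMENTS:
        return False, "unrecognised app build"
    if not 0 <= now - claims["taken_at"] <= MAX_AGE_SECONDS:
        return False, "capture not fresh"
    if claims["nonce"] not in issued_nonces:
        return False, "nonce not issued or already used"
    issued_nonces.discard(claims["nonce"])  # single use: blocks replay
    return True, "accepted"
```

An upload with no evidence attached is rejected at the first check, which is the position a plain file upload from a PC browser is in.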
Coeus
Posts: 3557
Joined: Mon Jul 25, 2016 12:05 pm
Contact:

Re: Online Banking on PC vs Telephone

Post by Coeus »

On the question of cheque fraud, I remember a conversation with a relative of mine who was, at the time, head of cheque clearing for RBS. This may have been in the early days of handwriting recognition and sending electronic images of cheques around. At that time, the checks on a cheque being deposited were:
  • That all five items were completed.
  • That the amount in words was the same as amount in figures.
The system did not check that:
  • The name in the "Pay to" field matched the person trying to deposit.
  • The date was valid and not in the future.
  • The signature matched the drawer.
We didn't discuss algorithms used to spot fraudulent transactions but I would suggest that checking one's bank statements is an important part of this.
BeebMaster
Posts: 7380
Joined: Sun Aug 02, 2009 5:59 pm
Location: Lost in the BeebVault!
Contact:

Re: Online Banking on PC vs Telephone

Post by BeebMaster »

Anyway, in the meantime I remembered my PIN, so instead of having to continue waiting for the "reminder" in the (presumably-even-more-secure-than-anything-online) post, which had irked me into starting this topic in the first place, I went to the nearest RBS cash machine and unlocked my PIN!

I blame the Council! It was setting them up as a new payee so I could pay my poll tax before they send me to chokey that caused me to have my card reader blocked in the first place!!
jgharston
Posts: 5321
Joined: Thu Sep 24, 2009 12:22 pm
Location: Whitby/Sheffield
Contact:

Re: Online Banking on PC vs Telephone

Post by jgharston »

Coeus wrote: Tue Mar 05, 2024 10:03 pm On the question of cheque fraud, I remember a conversation with a relative of mine who was, at the time, head of cheque clearing for RBS. This may have been in the early days of handwriting recognition and sending electronic images of cheques around. At that time, the checks on a cheque being deposited were:
  • That all five items were completed.
  • That the amount in words was the same as amount in figures.
The system did not check that:
  • The name in the "Pay to" field matched the person trying to deposit.
  • The date was valid and not in the future.
  • The signature matched the drawer.
I remember one time at university in the '80s, a friend bought some groceries at Tesco, paid by cheque with a cheque guarantee card. Till operator took the cheque, confirmed the signature matched the card, and accepted it.
A few days later he realised he'd accidentally taken his girlfriend's chequebook, paid by filling out one of his girlfriend's cheques, with his signature and his cheque card, and the payment went out of her account.

$ bbcbasic
PDP11 BBC BASIC IV Version 0.45
(C) Copyright J.G.Harston 1989,2005-2024
>_
jgharston
Posts: 5321
Joined: Thu Sep 24, 2009 12:22 pm
Location: Whitby/Sheffield
Contact:

Re: Online Banking on PC vs Telephone

Post by jgharston »

BeebMaster wrote: Tue Mar 05, 2024 10:59 pm Anyway, in the meantime I remembered my PIN, so instead of having to continue waiting for the "reminder" in the (presumably-even-more-secure-than-anything-online) post, which had irked me into starting this topic in the first place, I went to the nearest RBS cash machine and unlocked my PIN!

I blame the Council! It was setting them up as a new payee so I could pay my poll tax before they send me to chokey that caused me to have my card reader blocked in the first place!!
Wow! You still have outstanding poll tax to pay? Everybody I know paid off all outstanding debts, or had it written off, by the mid-90s.

BeebMaster
Posts: 7380
Joined: Sun Aug 02, 2009 5:59 pm
Location: Lost in the BeebVault!
Contact:

Re: Online Banking on PC vs Telephone

Post by BeebMaster »

When I paid by cheque in the mid 2000s for a college nightschool course, I asked if they needed a cheque guarantee card. Out came the book of rules, which was the size of a telephone directory, and after a few minutes of pondering I was told - "No, as the payment is higher than the guarantee amount we don't need it" - so they were happy to accept a cheque which could have bounced, but would have insisted on a smaller cheque being guaranteed!

I used to pay a house lease rent of £2.50 in the original amount in the lease - two pounds ten shillings - by cheque, also in the early 2000s, and that always went through!
Coeus
Posts: 3557
Joined: Mon Jul 25, 2016 12:05 pm
Contact:

Re: Online Banking on PC vs Telephone

Post by Coeus »

BeebMaster wrote: Wed Mar 06, 2024 11:38 am When I paid by cheque in the mid 2000s for a college nightschool course, I asked if they needed a cheque guarantee card. Out came the book of rules, which was the size of a telephone directory, and after a few minutes of pondering I was told - "No, as the payment is higher than the guarantee amount we don't need it" - so they were happy to accept a cheque which could have bounced, but would have insisted on a smaller cheque being guaranteed!
That makes perfect sense to me. Imagine what happens when someone writes a cheque which they don't have the funds for.

If it is guaranteed, the bank pays it taking the drawer into an unauthorised overdraft. It is then up to the bank to resolve the situation with the drawer. Any extra admin is down to them, though they may impose a charge on the drawer.

If it is not guaranteed, the cheque is returned unpaid and the college have to chase the student for payment, hassle that they don't want.
sweh
Posts: 3314
Joined: Sat Mar 10, 2012 12:05 pm
Location: 07410 New Jersey
Contact:

Re: Online Banking on PC vs Telephone

Post by sweh »

SteveBagley wrote: Tue Mar 05, 2024 11:04 am It turns out that a lot of the password advice (pick something you can remember, and don't write it down) that made sense when passwords were being used to control access to machines and resources in a controlled environment (school, military base, office etc.) doesn't apply when being used to protect always-on, networked resources like banks on the internet (in fact the exact opposite is almost the case).
A lot of people quote https://xkcd.com/936/ ("Correct Horse Battery Staple") as a methodology.

Unfortunately this is shit. It doesn't scale. I have 319 passwords stored in my manager. There is no way in hell I could remember 319 stupid phrases.

Use a password manager. Let it take the strain. Remember one password (and MFA it).
Rgds
Stephen