HSBC India Mandates All-Uppercase Passwords for Customers
HSBC India announced a significant policy change for its internet banking customers: as of April 6, 2026, all passwords must be entered using uppercase letters exclusively.
The mandate, communicated via official customer emails, has sparked widespread concern among technical experts regarding the bank’s credential storage practices and overall security posture.
The Uppercase Migration
According to the bank’s recent communications, customers must type their existing passwords in capital letters going forward. For example, a user with the password “Test123” must now enter “TEST123” to access their account.

With the upgrade to a truly case-sensitive login portal, the bank’s backend now requires the exact uppercase input in order to match the existing uppercase hashes stored in its database.
Despite the bank’s explanation regarding legacy hashing, security researchers have labeled the directive a massive red flag. Standard cybersecurity practices dictate that credentials must always be stored as one-way hashes, rendering the original input unreadable.
As noted by security researchers, it should be literally impossible for a vendor to know your credentials’ casing unless they weren’t storing passwords as hashes. This anomaly has fueled industry speculation about potential plaintext password storage or deeply flawed legacy security practices.
Adding to the confusion, the bank’s official FAQ still states that passwords are not case-sensitive, creating a glaring contradiction in their public documentation.
Critics have been quick to point out that this uppercase mandate actively weakens user security. By eliminating lowercase letters from the allowable character set, the bank effectively cuts password options in half.
A password that mixes cases has higher entropy and is inherently harder to crack. Restricting users to an uppercase-only format drastically reduces the number of possible character combinations, which makes accounts significantly more vulnerable to automated brute-force attacks and credential stuffing.
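An added example, not code from HSBC or from the original article, illustrating the passages above on uppercase hashes and reduced entropy. It assumes a legacy system that upper-cased input before hashing (PBKDF2 is a stand-in and all function names are hypothetical), and shows why a case-sensitive check then accepts only the uppercase form, next to a re-hash-on-login alternative and the keyspace arithmetic.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # constructed demo value, not a tuning recommendation

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def legacy_enroll(password: str) -> dict:
    # Assumed legacy behaviour: fold to uppercase BEFORE hashing, so only the
    # uppercase form is ever hashed and no plaintext needs to be kept.
    salt = os.urandom(16)
    return {"scheme": "upper", "salt": salt, "hash": kdf(password.upper(), salt)}

def strict_verify(record: dict, attempt: str) -> bool:
    # Case-sensitive portal: hash the input exactly as typed.
    return hmac.compare_digest(kdf(attempt, record["salt"]), record["hash"])

def migrating_verify(record: dict, attempt: str) -> bool:
    # Alternative: accept the folded match once, then re-hash the input as
    # typed so the record becomes case-sensitive. The casing used at that
    # first login becomes the canonical password.
    if record["scheme"] == "exact":
        return strict_verify(record, attempt)
    if not hmac.compare_digest(kdf(attempt.upper(), record["salt"]), record["hash"]):
        return False
    record["salt"] = os.urandom(16)
    record["hash"] = kdf(attempt, record["salt"])
    record["scheme"] = "exact"
    return True

def keyspace_bits(alphabet_size: int, length: int) -> float:
    # Upper bound for uniformly random passwords: length * log2(alphabet).
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    rec = legacy_enroll("Test123")  # sample password taken from the article
    print("strict  Test123:", strict_verify(rec, "Test123"))
    print("strict  TEST123:", strict_verify(rec, "TEST123"))
    print("migrate Test123:", migrating_verify(rec, "Test123"), rec["scheme"])
    print("bits, 8 chars, 62 vs 36 symbols:",
          round(keyspace_bits(62, 8), 1), round(keyspace_bits(36, 8), 1))
```

For an 8-character password, dropping from 62 symbols (mixed-case letters plus digits) to 36 removes about 6.3 bits, a factor of roughly 77 in the number of guesses needed.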
Security experts recommend that users proactively reset all passwords to establish new, strong credentials for better protection.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


