Vanguard Security

Topic Author
Doc
Posts: 10606
Joined: Sat Feb 24, 2007 12:10 pm
Location: Two left turns from Larry

Vanguard Security

Post by Doc »

I just inadvertently closed the tab in Internet Explorer while logged into my account at Vanguard without logging off. I then opened a new tab, went back to Vanguard and entered my account name. I was taken directly to my accounts without having to resubmit my password.

I had thought that closing the tab would log you off. I just checked a bank and another broker and both logged me out when I closed the tab. Is there a time lag at Vanguard or am I just having a senior moment? Any thoughts or additional information?
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.
genjix
Posts: 267
Joined: Sat Mar 12, 2011 1:51 pm

Re: Vanguard Security

Post by genjix »

For my browsers I always go into the privacy tabs and make sure it never remembers any history and delete cookies, history and saved passwords.
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: Vanguard Security

Post by ftobin »

Closing a tab has no effect on your authentication; your session cookie is still in the browser. Other sites might have something fancier going on, but such efforts usually hinder the ability to use multiple tabs at the same site (or use forward/backward buttons).

We're getting to a point where the concept of even "closing a browser" is a thing of the past. Look at tablets and phones -- they don't actually shut down programs unless they absolutely have to, since starting them back up requires a lot of precious CPU/energy.
wilpat
Posts: 534
Joined: Sun Jan 20, 2008 6:30 pm

Re: Vanguard Security

Post by wilpat »

If you click on "LOG OFF" you will be "really" logged off.
Contrary to the belief of many, profit is not a four letter word!
Topic Author
Doc
Posts: 10606
Joined: Sat Feb 24, 2007 12:10 pm
Location: Two left turns from Larry

Re: Vanguard Security

Post by Doc »

wilpat wrote:If you click on "LOG OFF" you will be "really" logged off.
Yea, that's my usual procedure. I just goofed.

I guess my real question is if I have just left the "cookie" on my computer or was it up there in the cloud also so that anyone that knew my account name could get in without entering a password.
ftobin wrote:Other sites might have something fancier going on, but such efforts usually hinder the ability to use multiple tabs at the same site (or use forward/backward buttons).
I have not noticed the back button and multiple tab restriction on other sites that I visit.
bogleblitz
Posts: 506
Joined: Mon Oct 01, 2012 2:51 pm

Re: Vanguard Security

Post by bogleblitz »

Doc wrote:
wilpat wrote:
I guess my real question is if I have just left the "cookie" on my computer or was it up there in the cloud also so that anyone that knew my account name could get in without entering a password.
It is a "cookie" on your computer. No one else can login as you at that moment in time.
bUU
Posts: 608
Joined: Sun Nov 25, 2012 10:41 am

Re: Vanguard Security

Post by bUU »

ftobin wrote:Closing a tab has no effect on your authentication; your session cookie is still in the browser.
Correct, and actually browsers are now configurable to leave them resident in memory even after you close the last tab.
Topic Author
Doc
Posts: 10606
Joined: Sat Feb 24, 2007 12:10 pm
Location: Two left turns from Larry

Re: Vanguard Security

Post by Doc »

bUU wrote:
ftobin wrote:Closing a tab has no effect on your authentication; your session cookie is still in the browser.
Correct, and actually browsers are now configurable to leave them resident in memory even after you close the last tab.
But at least two other financial sites apparently "erase" the cookie when you close the tab so it is not a browser issue. Maybe it depends on the "remember me" choice which is usually not available on financial sites.
carolinaman
Posts: 5453
Joined: Wed Dec 28, 2011 8:56 am
Location: North Carolina

Re: Vanguard Security

Post by carolinaman »

I tried it and it worked the same way for me. Fidelity, Prudential and my bank all require the entry of password at the same time as the id which prevents this from occurring with them. Vanguard is the only site I have to sign on to that does id and password in different screens. IMO, it is an unacceptable breach of their security. Your window could prematurely or abnormally terminate for other reasons and you would not have chance to logoff. Hopefully, Vanguard will fix this.
Topic Author
Doc
Posts: 10606
Joined: Sat Feb 24, 2007 12:10 pm
Location: Two left turns from Larry

Re: Vanguard Security

Post by Doc »

johnep wrote:I tried it and it worked the same way for me. Fidelity, Prudential and my bank all require the entry of password at the same time as the id which prevents this from occurring with them. Vanguard is the only site I have to sign on to that does id and password in different screens. IMO, it is an unacceptable breach of their security. Your window could prematurely or abnormally terminate for other reasons and you would not have chance to logoff. Hopefully, Vanguard will fix this.
I have two banks that require signin on two pages and they both log out when the tab is closed so this is not the answer.
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: Vanguard Security

Post by ftobin »

Doc wrote:I have two banks that require signin on two pages and they both log out when the tab is closed so this is not the answer.
After closing the tab at one of these sites, undo the close-tab, hit reload, and see if you have full site functionality.
Topic Author
Doc
Posts: 10606
Joined: Sat Feb 24, 2007 12:10 pm
Location: Two left turns from Larry

Re: Vanguard Security

Post by Doc »

ftobin wrote:
Doc wrote:I have two banks that require signin on two pages and they both log out when the tab is closed so this is not the answer.
After closing the tab at one of these sites, undo the close-tab, hit reload, and see if you have full site functionality.
Yes. Reopening the closed tab at Schwab at least has you still logged in with full site functionality.

I am way beyond my pay grade here.
Topic Author
Doc
Posts: 10606
Joined: Sat Feb 24, 2007 12:10 pm
Location: Two left turns from Larry

Re: Vanguard Security

Post by Doc »

Logged into accounts at five different institutions and closed the browser without logging off. Restarted browser and "Reopened Last Browser Session". Was logged off on all five so at least that works consistently.
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: Vanguard Security

Post by ftobin »

Doc wrote:Yes. Reopening the closed tab at Schwab at least has you still logged in with full site functionality.
This indicates that Schwab is not actually logging you out when you close a tab, as logouts should not be able to be reversed by simply undoing a closed tab.

Vanguard is just providing additional functionality, where if you go to a login screen, but you're already authenticated, it skips re-asking you to login and just proceeds to the normal main page. Schwab's login page, on the other hand, doesn't take into account that you're already authenticated -- I personally consider this unhelpful.

This is more of a usability issue than a security one.
bUU
Posts: 608
Joined: Sun Nov 25, 2012 10:41 am

Re: Vanguard Security

Post by bUU »

Intercepting the closing of a tab is exceedingly unreliable.

Do yourself a favor.... don't try to beat the system in that way.... click the Logout button every time.
Topic Author
Doc
Posts: 10606
Joined: Sat Feb 24, 2007 12:10 pm
Location: Two left turns from Larry

Re: Vanguard Security

Post by Doc »

ftobin wrote:
Doc wrote:Yes. Reopening the closed tab at Schwab at least has you still logged in with full site functionality.
This indicates that Schwab is not actually logging you out when you close a tab, as logouts should not be able to be reversed by simply undoing a closed tab.

Vanguard is just providing additional functionality, where if you go to a login screen, but you're already authenticated, it skips re-asking you to login and just proceeds to the normal main page. Schwab's login page, on the other hand, doesn't take into account that you're already authenticated -- I personally consider this unhelpful.

This is more of a usability issue than a security one.
I don't understand what the difference is between opening a new tab and typing in the web address vs. clicking <reopen closed tab>.

In any case if I am sitting at my home computer and doing something else after improperly logging out am I at risk in any of these circumstances? Is it really necessary to close the browser when I go upstairs to get another cup of coffee or to get rid of the last one just in case I inadvertently closed a tab without logging off?
ScottW
Posts: 165
Joined: Tue Mar 25, 2008 8:13 am

Re: Vanguard Security

Post by ScottW »

Logging onto a site generates a cookie on your computer, and in the case of financial institutions, the cookie is usually a "session" cookie, meaning that it is destroyed when the browser is closed. Closing a tab generally won't close a session, but exiting the browser altogether will.

When in doubt, quit your browser. Vanguard may still believe you're logged on, but without the corresponding session cookie it won't make much difference. The logged on session will eventually time out on Vanguard's servers.
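The session model described in ftobin's and ScottW's posts, as an added example that is not part of the original thread and not any institution's code: a cookie with no expiry attribute, a server-side session table with an idle timeout, a login page that skips the prompt for an already authenticated browser, and an explicit logout that invalidates the session on the server. All names (`SessionStore`, `login_page`, the `sid` cookie, the 600-second timeout) are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """Server-side session table; all names here are hypothetical."""

    def __init__(self, idle_timeout=600):  # assumed 10-minute idle timeout
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session id -> (user, last_seen)

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, now)
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["path"] = "/"
        cookie["sid"]["secure"] = True
        cookie["sid"]["httponly"] = True
        cookie["sid"]["samesite"] = "Lax"
        # No Expires/Max-Age attribute: the browser treats this as a
        # "session" cookie and drops it when the browser itself exits.
        return sid, cookie["sid"].OutputString()

    def authenticate(self, sid, now):
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown, logged-out or missing session id
        user, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self._sessions[sid]  # server-side idle timeout
            return None
        self._sessions[sid] = (user, now)  # activity refreshes the timer
        return user

    def logout(self, sid):
        # Explicit logout removes the server record, so the old cookie is useless.
        self._sessions.pop(sid, None)

def login_page(store, sid, now):
    """Skip the password form when the browser already holds a valid session."""
    user = store.authenticate(sid, now)
    return f"302 /accounts ({user})" if user else "200 password form"

def demo():
    store = SessionStore()
    sid, header = store.login("doc", now=0)
    reopened = login_page(store, sid, now=60)      # tab closed, new tab opened
    store.logout(sid)
    after_logout = login_page(store, sid, now=70)  # same cookie replayed
    sid2, _ = store.login("doc", now=100)
    after_idle = login_page(store, sid2, now=100 + 601)
    return header, reopened, after_logout, after_idle
```

Closing a tab never reaches the server, which is why the reopened tab in `demo()` is still authenticated while the logged-out and timed-out sessions are not.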
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: Vanguard Security

Post by ftobin »

Doc wrote:I don't understand what the difference is between opening a new tab and typing in the web address vs. clicking <reopen closed tab>.
I guess I'm confused as to what you're asking. Neither Schwab nor Vanguard has a mechanism for logging you out when you close a tab; if they did, you wouldn't be able to access either site without logging back in. Re-opening a closed tab does not count as re-authenticating, just as typing a web address does not authenticate you.
In any case if I am sitting at my home computer and doing something else after improperly logging out am I at risk in any of these circumstances? Is it really necessary to close the browser when I go upstairs to get another cup of coffee or to get rid of the last one just in case I inadvertently closed a tab without logging off?
As long as your computer is personal, I personally don't think you're at much risk even if you never logoff. The session cookies kept in-memory by your browser are held fairly securely, and there are other, easier avenues of attack than a third-party program trying to capture them. Most sites will timeout your session cookie after inactivity anyways (usually too short of a time, IMO).

I am very conscious about security systems, and yet I never "logoff" of a site. I even let Firefox store all my passwords (encrypted). I know the risk exposure from these is not enough for me to worry about. Small tangent: simply having to type in a password is a security risk: letting Firefox auto-fill the password makes sure I don't get phished, since Firefox will only auto-fill the correct site. Additionally, making people re-authenticate to a site after a 10-minute timeout encourages lax attention when authenticating due to repetitiveness.
Last edited by ftobin on Thu Jan 24, 2013 1:56 pm, edited 1 time in total.
Topic Author
Doc
Posts: 10606
Joined: Sat Feb 24, 2007 12:10 pm
Location: Two left turns from Larry

Re: Vanguard Security

Post by Doc »

Thanks everybody. It's not every day that I learn something about IT on a financial board.
Steelersfan
Posts: 4125
Joined: Thu Jun 19, 2008 8:47 pm

Re: Vanguard Security

Post by Steelersfan »

johnep wrote:I tried it and it worked the same way for me. Fidelity, Prudential and my bank all require the entry of password at the same time as the id which prevents this from occurring with them. Vanguard is the only site I have to sign on to that does id and password in different screens. IMO, it is an unacceptable breach of their security. Your window could prematurely or abnormally terminate for other reasons and you would not have chance to logoff. Hopefully, Vanguard will fix this.
My bank and the American Funds web site both require userid and password on two screens.