Vanguard increasing password length

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.

Vanguard increasing password length

Postby VeremchukA » Wed Mar 20, 2013 6:11 pm

Sorry if this has been discussed, I don't come here very often so I may have missed it.

When asked to fill out a survey after a recent call to Vanguard, they had an "other comments" section. I complained that for some time we have wanted a stronger password. I received a call from Vanguard and I asked the rep to email what we discussed so that you can read it. It looks like sometime in Q3 2013 Vanguard is going to increase your ability to have a 20 character password. I already use upper, lower and special characters in mine, even though those are supposedly things being added as well. The email is below, edited to hide some information of a personal nature.



A message from Vanguard

Subject Vanguard Initiated E-mail
Posted date Tue Mar 19 19:00:02 EDT 2013

Dear Mr. ********:

Thank you for taking the time on February 26, 2013, to complete a Vanguard survey and for speaking with me on March 15, 2013. Vanguard reviews survey responses to determine ways that we can improve the products and services that we offer to clients. After reading your survey, I wanted to follow up on your comments regarding the limit we currently have for characters we allow for a password.

As part of our commitment to our shareholders, we constantly review the comments and feedback we receive from our shareholders. We continually analyze the suggestions we receive and strive to incorporate the services our shareholders request.

As we discussed in our telephone conversation, in a continuing effort to protect our clients' personal and financial data, we recently modified the password strength to include special characters and strengthened the password encryption. We are also currently in the process of increasing our password field to include up to twenty (20) characters as well as having the ability to distinguish between upper and lower case. We are looking to have this elevated by the end of the third quarter of 2013.

Thank you again for taking the time to complete our survey.
VeremchukA
 
Posts: 96
Joined: Fri Mar 27, 2009 1:33 am
Location: usa

Re: Vanguard increasing password length

Postby stockfreak » Wed Mar 20, 2013 6:39 pm

.....
Last edited by stockfreak on Fri Mar 22, 2013 7:42 am, edited 1 time in total.
stockfreak
 
Posts: 2
Joined: Sat Dec 08, 2012 12:22 pm

Re: Vanguard increasing password length

Postby bertie wooster » Wed Mar 20, 2013 7:06 pm

That's a pleasant surprise. Vanguard should be commended for improving their security.
bertie wooster
 
Posts: 391
Joined: Mon Jun 25, 2007 6:14 pm

Re: Vanguard increasing password length

Postby Rob5TCP » Wed Mar 20, 2013 8:20 pm

FINALLY - it appears they have been listening to their clients and maybe monitoring the Bogleheads !!!!!!
Rob5TCP
 
Posts: 1944
Joined: Tue Jun 05, 2007 8:34 pm
Location: New York, NY

Re: Vanguard increasing password length

Postby Epsilon Delta » Thu Mar 21, 2013 12:05 am

VeremchukA wrote:
A message from Vanguard

...
We are also currently in the process of increasing our password field to include up to twenty (20) characters as well as have the ability to distinguish between upper and lower case. We are looking to have this elevated by the end of the third quarter of 2013.

Twenty characters, really!!!?? Come on Vanguard Guys, spend the extra $1.50 on storage and make it a hundred. You'll make the diceware users happy and never have to address the issue again.

I need an emoticon for "shakes head in disbelief".
Epsilon Delta
 
Posts: 3437
Joined: Thu Apr 28, 2011 8:00 pm

Re: Vanguard increasing password length

Postby Alex Frakt » Thu Mar 21, 2013 12:34 am

Epsilon Delta wrote:"shakes head in disbelief".

Leave out the spaces and that can be your new password. :happy
Alex Frakt
Founder
 
Posts: 9621
Joined: Fri Feb 23, 2007 2:06 pm
Location: Chicago

Re: Vanguard increasing password length

Postby Rob5TCP » Thu Mar 21, 2013 9:38 am

Alex Frakt wrote:
Epsilon Delta wrote:"shakes head in disbelief".

Leave out the spaces and that can be your new password. :happy


Actually, if Vanguard also accepted spaces, that would be an even better password.
I am thrilled they are going to 20 characters plus upper/lower case. Spaces would add
just one more dimension to "my" sense of security.
Rob5TCP
 
Posts: 1944
Joined: Tue Jun 05, 2007 8:34 pm
Location: New York, NY

Re: Vanguard increasing password length

Postby Epsilon Delta » Thu Mar 21, 2013 3:38 pm

Rob5TCP wrote:
Alex Frakt wrote:
Epsilon Delta wrote:"shakes head in disbelief".

Leave out the spaces and that can be your new password. :happy


Actually, if Vanguard also accepted spaces, that would be an even better password.
I am thrilled they are going to 20 characters plus upper/lower case. Spaces would add
just one more dimension to "my" sense of security.

If you leave in the spaces it's 23 characters and does not fit.

Many reasonable password* memorization techniques only generate 2 or 3 bits of entropy per byte. This means you need more than 20 characters to get an unbreakable password. In many cases you don't need an unbreakable password, but it would be nice to have. Vanguard is essentially saying if you want one it has to be random. There is no need for this. It's just as much work to go from 10 to 20 as from 10 to 100, and the other costs are absolutely trivial, so this change is just bizarre. If you're going to fix something, fix it once, fix it right and you'll never have to fix it again.

* E.g. diceware, password haystack, using numbers (with comma or spaces for grouping so you can enter the darn thing).
Epsilon Delta
 
Posts: 3437
Joined: Thu Apr 28, 2011 8:00 pm

Re: Vanguard increasing password length

Postby mickeyd » Thu Mar 21, 2013 4:53 pm

We are looking to have this elevated by the end of the third quarter of 2013.



Sweet. This should give the Chinese Mafia something to do this summer...
Part-Owner of Texas | | “The CMH-the Cost Matters Hypothesis -is all that is needed to explain why indexing must and will work… Yes, it is that simple.” John C. Bogle
mickeyd
 
Posts: 3626
Joined: Fri Feb 23, 2007 4:19 pm
Location: Deep in the Heart of South Texas

Re: Vanguard increasing password length

Postby Rob5TCP » Thu Mar 21, 2013 8:42 pm

Any improvement is welcome. While I would like even more, I can "rest easier" with this.
Yes, it does mean even more complexity, but I can manage that .
Rob5TCP
 
Posts: 1944
Joined: Tue Jun 05, 2007 8:34 pm
Location: New York, NY

Re: Vanguard increasing password length

Postby SpaceCommander » Thu Mar 21, 2013 10:27 pm

So will we be required to increase our password to something much longer? Great. Now I can't remember it anymore and will have to write it down somewhere. How's that for better security? :oops:
I honor my personality flaws, for without them I would have no personality at all.
SpaceCommander
 
Posts: 467
Joined: Thu Nov 08, 2007 5:13 pm
Location: Seattle

Re: Vanguard increasing password length

Postby Steelersfan » Thu Mar 21, 2013 10:43 pm

The fact that they are strengthening the password encryption is good news. That's where the threat (such as it exists) exists.

The password length and allowable characters - ho hum. With eight characters of numbers and letters it's already in the quadrillions of possibilities.

Deciphering passwords via brute force is a non-starter.
Steelersfan
 
Posts: 2470
Joined: Thu Jun 19, 2008 9:47 pm

Re: Vanguard increasing password length

Postby LadyGeek » Thu Mar 21, 2013 10:45 pm

This thread is now in the Investing - Theory, News & General forum (general investing, or news concerning Vanguard).

I'm glad they're updating the password rules. BTW, our forum software can handle 100 characters and has a password strength meter: Forum Software Updated: Show Password Strength You can test password strength with it.

Generic password discussion should be redirected to the Personal Consumer Issues forum (computer security). In particular: Another reason why you should never reuse passwords...
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 19550
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: Vanguard increasing password length

Postby Random Musings » Fri Mar 22, 2013 3:45 pm

I would believe for most people that increasing length from 10 to 20 (and allowing caps and stuff) is a satisfying solution.

Vanguard, let's start working on improving the portfolio analysis tool next (or the VBS group).

RM
Random Musings
 
Posts: 5035
Joined: Thu Feb 22, 2007 5:24 pm
Location: Pennsylvania

Re: Vanguard increasing password length

Postby Mudpuppy » Sat Mar 23, 2013 7:28 pm

SpaceCommander wrote:So will we be required to increase our password to something much longer? Great. Now I can't remember it anymore and will have to write it down somewhere. How's that for better security? :oops:

The advice against writing passwords down really only applies when you can't physically secure the slip of paper containing the password. So in other words, it's bad to have a post-it note on your office monitor because so many people have access to the average office building and therefore would have access to the post-it. On the other hand, there's nothing wrong with writing it down and sticking it in your wallet, unless you're in the habit of losing your wallet all the time or leaving it sitting out on your desk at work for anyone to riffle through. Likewise, writing it down and sticking it in the safe when you aren't using it really isn't that bad of a practice either. You just don't want to write it down and leave it out for everyone to discover.
Mudpuppy
 
Posts: 2682
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California

Re: Vanguard increasing password length

Postby Mudpuppy » Sat Mar 23, 2013 7:30 pm

Steelersfan wrote:Deciphering passwords via brute force is a non-starter.

Not so much these days if the hash gets exposed by any means. Let me redirect you to my reply on the request for Vanguard improvements thread: viewtopic.php?f=10&t=112838#p1642979
Mudpuppy
 
Posts: 2682
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California

Re: Vanguard increasing password length

Postby VeremchukA » Sun Mar 24, 2013 12:20 am

Gee I am surprised at so many negative comments. I would have thought everyone would have welcomed this change. I have read a lot of complaining about only 10 characters and the issue of case sensitivity. I viewed this as a great thing and thought everyone would be happy to know this is in the works. :confused I would have welcomed 15 characters but 20 is great. I say hurray for Vanguard finally listening to us and making this change. :sharebeer
VeremchukA
 
Posts: 96
Joined: Fri Mar 27, 2009 1:33 am
Location: usa

Re: Vanguard increasing password length

Postby Jeff7 » Sun Mar 24, 2013 2:45 am

I'm glad that they're doing this.

Though with computers becoming incredibly powerful, you can brute-force a lot of passwords per second.
If you're cracking password hashes offline, 350 billion combinations per second. Now, this of course only applies if you've got the data stored locally. If any website has the capacity to accept 350 billion password attempts per second, I really would love to know what kind of server setup they've got. ;)
10 characters: Per a "How Secure Is My Password" site, the password B7(f].a~\z would take 526 years, assuming 4 billion calculations per second. ATI's Radeon HD 4890 can do 1,000 billion calculations per second. Using kf0b9dks9x as a password: 10 days on a desktop PC, so that graphics card should have it figured out in an hour.

Awhile back, it was predicted that quantum computers would render current encryption technology useless. Turns out, graphics cards have some of the same speed benefits that would make quantum computers good for brute-force cracking of encrypted files, simply because they need to process a lot of data, in parallel, very quickly.
So we kind of got there ahead of schedule. Oops.

The good news is that a lot of servers don't allow you to try a lot of passwords really quickly - and they might even lock you out if you try too many in a row. Even humble Windows XP would only let you enter 5 (or 3?) incorrect login attempts before locking out the interface for awhile. But, that's not the only way to break into something.


I'd just like to throw this into here as well.
In the olden days, the biggest risk was that someone else would get into your workstation, so a short and difficult password might have been your best bet. Your dog's name, and 3 random characters. That should suffice.
Now, e-commerce is huge. Financial and medical data is stored on Internet-connected systems. PLCs used in industrial control systems are fully networked. So the goal now is to break through the outer defenses of a server, and hope you can swipe some of the data there, and then do your password cracking offline at your convenience.

So, in the vein of what's in that XKCD page, here's a fun password:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a

The person trying to break that wouldn't know that it's almost all the same character. They also don't know the length. As password length increases, the number of possible combinations increases exponentially.
Or even "This is my password, and it's really quite secure because it's very long, and it contains ^ an unexpected odd character." would work as a password. It's huge, it contains a capital letter, a non-alphanumeric character, spaces, and punctuation. Another fun one:  »¿∞æ─╩ß, but not all systems support wacky characters like that.
And password cracking doesn't work like in movies: The computer system won't tell you which characters were correct, or how close you are getting. The password is either entirely correct, or it is wrong. (If your system does work like the ones in the movies, please promptly fire anyone on your IT team who was involved with setting it up, and if they went to college, notify their professors' college board that their educational standards have some significant room for improvement.)


Something else of note here: Sometimes password lists have been made available to the IT security community. What they've found, besides the fact that some passwords are extremely common, is that computer analysis finds some distinct patterns in seemingly random passwords. For example, here, our syntax and words are bound by the rules of the English language. It's not common to have a word with the characters "zctx" in that sequence, or to have a punctuation mark (excluding quotation marks) at the beginning of a sentence. What this ends up meaning is that a cracking computer can be set up to prioritize a list of common passwords as ones to try first. If those fail, it can also determine what a typical password is going to look like: Capital letter, lowercase, lowercase, lowercase, lowercase, space, number, punctuation mark.
That sort of thing reduces the pool of potential passwords that it has to try, or can at least increase the probability of finding the password more quickly.
However, doing this sort of pattern analysis is not something that's terribly simple to set up, at least, not at the moment; I think that particular analysis study may have been done in a computer forensics lab, or at a university.


You've also got the other weak link: People.
E-mail conversation: "Hi, I'm a network administrator consultant that your company recently hired. I'm working on an issue with some occasional slowdowns on this part of the network, which should give you better performance once I'm done. They haven't gotten me fully set up yet though with the access list. Do you have a working password to <database server> that I could use for today?"
"Sure, here you go: <username> <password>. Welcome to the team!"

No hacking skills required - you simply lied and asked for access, which quite possibly allowed you to bypass many tens of thousands of dollars of sophisticated security and encryption systems. And, because no security procedures were violated, at least as far as the computers are concerned, no alarms are raised that there was just a breach.


A way to really foul things up, and make things difficult for anyone to get into your stuff:
- Use a long, nonsense username.
- Use a password that's long and varied.
- They aren't going to fact-check your answers to security questions. "What's your mother's maiden name?" Answer: Billy's Tuesday chicken. "What is the city of your birth?" Answer: Triton, the largest moon of Neptune.
- Now the catch: Where to keep this information? In a heavily encrypted file, such as one made by Truecrypt, protected by a long and strong password. Then hope no one gets and cracks that file.;) Truecrypt supports encryption up to 3 layers deep, with some strong algorithms. A government supercomputer might have a shot at breaking that, but not anytime soon.



Hm....maybe all that didn't make anyone feel any better.

But longer passwords can and should be more secure. That's really what I was trying to say. :D


as well as have the ability to distinguish between upper and lower case

...for real? They don't do that already? Are their systems just that old, or what's the deal? It's ASCII data, and capital and lowercase are represented differently. Even a space is just another ASCII character.
10 characters, and the lack of distinction between uppercase and lowercase effectively reduces the available pool of characters by 26.
Yes, these changes they're implementing are most welcome. (Though I'd prefer to see even more than 20 characters.)
Jeff7
 
Posts: 287
Joined: Sat Nov 24, 2012 3:30 pm
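Epsilon Delta's point (memorable strings yield only 2 or 3 bits per byte, so a 20-character cap forces you toward random strings) and Jeff7's points (the keyspace grows exponentially with length, case-folding shrinks the character pool by 26, and a fast hash can be guessed at hundreds of billions of tries per second offline) can be put in numbers with a small calculator. The following is an added example written for this thread, not code from any poster or from Vanguard; the guess rates are the ones quoted in the thread (4 billion/s and 350 billion/s), the 10 guesses/s online figure and the 2.5 bits-per-character rate are assumptions, and the 7776-word Diceware list size is the standard one.

```python
import math

# Guess rates per second. The 4e9 and 350e9 figures are quoted in the thread;
# the online figure is an assumed rate for a site that throttles login attempts.
GUESSES_PER_SECOND = {
    "online, rate limited (assumed)": 10.0,
    "desktop, 4 billion/s (thread)": 4e9,
    "GPU vs fast hash, 350 billion/s (thread)": 350e9,
}

# Character pools. 36 is what you are left with when a site folds case
# (26 letters + 10 digits); 62 keeps both cases; 95 is printable ASCII.
ALPHABETS = {
    "case-insensitive alphanumeric": 36,
    "mixed-case alphanumeric": 62,
    "printable ASCII": 95,
}


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def case_folding_loss_bits(length: int) -> float:
    """Bits lost when the site ignores case, i.e. pool 62 collapses to 36."""
    return random_password_bits(62, length) - random_password_bits(36, length)


def memorable_password_bits(length: int, bits_per_char: float = 2.5) -> float:
    """Entropy of a human-memorable string at a fixed per-character rate
    (Epsilon Delta's 2 to 3 bits per byte; 2.5 is an assumed midpoint)."""
    return length * bits_per_char


def diceware_bits(words: int, dictionary_size: int = 7776) -> float:
    """Diceware: each word is one uniform draw from a 7776-word (6**5) list."""
    return words * math.log2(dictionary_size)


def length_needed(target_bits: float, bits_per_char: float) -> int:
    """Characters required to reach a target entropy at a per-character rate."""
    return math.ceil(target_bits / bits_per_char)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: every one of the 2**bits candidates tried."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Round a duration into the largest sensible unit."""
    units = [("years", 365.25 * 86400), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0), ("seconds", 1.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    print("Uniformly random passwords (best case for the user):")
    for name, size in ALPHABETS.items():
        for length in (10, 20):
            bits = random_password_bits(size, length)
            print(f"  {length:2d} chars of {name:30s} {bits:6.1f} bits")
            for rate_name, rate in GUESSES_PER_SECOND.items():
                print(f"      {rate_name:42s} {human_time(seconds_to_exhaust(bits, rate))}")

    print(f"\nCase folding a 10-character password costs {case_folding_loss_bits(10):.1f} bits "
          f"(keyspace shrinks by a factor of about {2 ** case_folding_loss_bits(10):.0f})")

    print("\nMemorable strings at 2.5 bits/char, and the length a 20-char cap rules out:")
    print(f"  20 chars -> {memorable_password_bits(20):.0f} bits")
    print(f"  80 bits needs {length_needed(80, 2.5)} chars; 5 Diceware words give {diceware_bits(5):.1f} bits")
```

The table makes the thread's two complaints concrete: at 2.5 bits per character a 20-character memorable password carries roughly 50 bits, which a 350 billion/s offline attack on a fast hash exhausts in under an hour, while reaching 80 bits at that rate needs about 32 characters, more than the new cap allows. The model assumes uniform choice within the pool; a string such as Jeff7's long run of one character is far below that estimate, because an attacker does not have to assume anything about the length to try low-entropy patterns first.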

Re: Vanguard increasing password length

Postby FedGuy » Sun Mar 24, 2013 8:30 am

Jeff7 wrote:You've also got the other weak link: People.
E-mail conversation: "Hi, I'm a network administrator consultant that your company recently hired. I'm working on an issue with some occasional slowdowns on this part of the network, which should give you better performance once I'm done. They haven't gotten me fully set up yet though with the access list. Do you have a working password to <database server> that I could use for today?"
"Sure, here you go: <username> <password>. Welcome to the team!"


Company policies are another weak link. Not long after I started with my current employer, I had an IT issue that required me to call the Help Desk. After working on it for a while, the Help Desk person asked me for my password "So I can work on this without you needing to be on the line." I balked, found my local database administrator, and reported the social engineering attempt. He looked at me like I had three heads and told me the request was legitimate: "We always ask for your passwords for this sort of thing. How else are we going to resolve your issue?"

After being told by a few other IT people that this was their standard way to resolve that type of issue, I reluctantly changed my password, gave the person my new password, waited for them to fix the problem, and then changed my password back.
FedGuy
 
Posts: 687
Joined: Sun Jul 25, 2010 4:36 pm

Re: Vanguard increasing password length

Postby Call_Me_Op » Sun Mar 24, 2013 9:07 am

Actually, I am a bit uncomfortable that they had to be told [by clients] to do this.
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein
Call_Me_Op
 
Posts: 4823
Joined: Mon Sep 07, 2009 3:57 pm
Location: Milky Way

Re: Vanguard increasing password length

Postby tibbitts » Sun Mar 24, 2013 9:28 am

FedGuy wrote:
Jeff7 wrote:You've also got the other weak link: People.
E-mail conversation: "Hi, I'm a network administrator consultant that your company recently hired. I'm working on an issue with some occasional slowdowns on this part of the network, which should give you better performance once I'm done. They haven't gotten me fully set up yet though with the access list. Do you have a working password to <database server> that I could use for today?"
"Sure, here you go: <username> <password>. Welcome to the team!"


Company policies are another weak link. Not long after I started with my current employer, I had an IT issue that required me to call the Help Desk. After working on it for a while, the Help Desk person asked me for my password "So I can work on this without you needing to be on the line." I balked, found my local database administrator, and reported the social engineering attempt. He looked at me like I had three heads and told me the request was legitimate: "We always ask for your passwords for this sort of thing. How else are we going to resolve your issue?"

After being told by a few other IT people that this was their standard way to resolve that type of issue, I reluctantly changed my password, gave the person my new password, waited for them to fix the problem, and then changed my password back.

Although I understand your issue, anybody would have given you the three-headed look if you called this a "social engineering attempt." You called the helpdesk, after all, not the other way around. A lot of commercial software, including from the very largest and most respected vendors, doesn't provide a built-in mechanism for a support person to access your view of the software without the support person either changing your password (which they can typically do without your knowledge or consent), or asking for your password (which of course you can first change to a temporary password if you choose.) If the support person changes your password without your knowledge, they then have to deal with communicating the new password to you at some future time, since you can no longer access the software.

In less secure days gone by, it was common to have a support person be able to view a customer's password in plain text(!), so you never heard requests to provide or change your password.

Obviously it would be nice if every software product thought of this situation and provided a relatively secure solution to it, but many don't. Sometimes a company has sufficient resources and decides it's worth the effort to build its own software solution to the problem; sometimes not. As far as practical security is concerned, from personal experience I can tell you that it's not even close to the biggest problem.

Paul
tibbitts
 
Posts: 4986
Joined: Tue Feb 27, 2007 7:50 pm

Re: Vanguard increasing password length

Postby tibbitts » Sun Mar 24, 2013 9:35 am

Call_Me_Op wrote:Actually, I am a bit uncomfortable that they had to be told [by clients] to do this.

Nobody will ever know for sure if the change would have happened anyway. It's tempting to think that because of the frequent discussion here on the forum, this was a hot issue for all VG customers, but probably 99.999% were perfectly happy with the password selection, and would have listed something like having a choice of website themes higher on their lists of requested updates.

Paul
tibbitts
 
Posts: 4986
Joined: Tue Feb 27, 2007 7:50 pm

Re: Vanguard increasing password length

Postby VeremchukA » Sun Mar 24, 2013 2:44 pm

Jeff7,

Thanks for your post, very interesting.

as well as have the ability to distinguish between upper and lower case


...for real? They don't do that already?


Yeah I thought that was wrong when she told me that and it was in the email. Currently I have upper and lower case letters and I am positive I tested it cuz that's just my nature and if I did not use the right case the password was incorrect. So on that count the info is erroneous but over all it is good news IMO.
VeremchukA
 
Posts: 96
Joined: Fri Mar 27, 2009 1:33 am
Location: usa

Re: Vanguard increasing password length

Postby mickeyd » Sun Mar 24, 2013 3:08 pm

Call_Me_Op wrote:Actually, I am a bit uncomfortable that they had to be told [by clients] to do this.


At VG I think of myself more as a co-owner than just a client. Does that seem off-base?
Part-Owner of Texas | | “The CMH-the Cost Matters Hypothesis -is all that is needed to explain why indexing must and will work… Yes, it is that simple.” John C. Bogle
mickeyd
 
Posts: 3626
Joined: Fri Feb 23, 2007 4:19 pm
Location: Deep in the Heart of South Texas

Re: Vanguard increasing password length

Postby Mudpuppy » Sun Mar 24, 2013 3:15 pm

Jeff7 wrote:Something else of note here: Sometimes password lists have been made available to the IT security community. What they've found, besides the fact that some passwords are extremely common, is that computer analysis finds some distinct patterns in seemingly random passwords. For example, here, our syntax and words are bound by the rules of the English language. It's not common to have a word with the characters "zctx" in that sequence, or to have a punctuation mark (excluding quotation marks) at the beginning of a sentence. What this ends up meaning is that a cracking computer can be set up to prioritize a list of common passwords as ones to try first. If those fail, it can also determine what a typical password is going to look like: Capital letter, lowercase, lowercase, lowercase, lowercase, space, number, punctuation mark.
That sort of thing reduces the pool of potential passwords that it has to try, or can at least increase the probability of finding the password more quickly.
However, doing this sort of pattern analysis is not something that's terribly simple to set up, at least, not at the moment; I think that particular analysis study may have been done in a computer forensics lab, or at a university.

Several popular GPU cracking programs have GUIs which allow the user to specify a list of patterns using a variation on regular expressions and to expand a word list to many variations on that word as specified by a list of patterns. It's so simple, a random script kiddie could do it, as long as they grasped the concepts of regular expressions. The research into popular patterns might be so complex that it's only happening at labs, but the application to actual password cracking is very much "in the wild". That's why my password-related mantra is now "once they get the hash, all bets are off".
Mudpuppy
 
Posts: 2682
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California

Re: Vanguard increasing password length

Postby stevep001 » Sun Mar 24, 2013 3:48 pm

I get frustrated when I read threads with this debate on this board. Of the thousands of facts about the security or non-security of Vanguard's operation, we as customers have visibility to a couple small parts of the process -- the login sequence, the validation mechanism when an account is linked to Vanguard, and a couple others. Nearly all of what Vanguard does to secure our accounts is invisible to us.

Here's an example. An earlier poster wants us to think that it's possible for new hardware to try 350 billion Vanguard password combinations per second, implying that the current password scheme is weak. If you dig just a bit, the article linked to indicates that the crack was run at that rate against NTLM authentication -- a form of authentication that Microsoft stopped recommending over 10 years ago. While I won't pretend to know how Vanguard encrypts our passwords, I can say with 100% certainty that it does not use the NTLM crypto algorithm discussed in the article.

That said, support for longer passwords will make things more secure. But, if you look in detail at risk management procedures put in place, they all have that property -- doing more means more secure. The question is always "how much is enough."

Here are steps that you can personally take to minimize the chance that someone else will access your account:

1. Don't use the same password on the Vanguard site as other sites
2. Use a longer rather than a shorter password, one that follows good password practices
3. Only log in from a computer that you control -- not your neighbor
4. Don't install [bloatware -- admin LadyGeek] (e.g., toolbars) from the internet on the computer you use to log in to the site
5. Use one highly regarded antivirus package on your computer.
stevep001
 
Posts: 250
Joined: Sun Oct 05, 2008 10:23 am
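Mudpuppy's "once they get the hash, all bets are off" and stevep001's reply that the 350 billion/s figure was measured against NTLM, a fast unsalted scheme, both turn on the same point: how expensive a single guess is depends on how the site stores the password, not on the attacker's hardware alone. The block below is an added example for this thread, not Vanguard's code or any poster's; it contrasts a fast unsalted hash (MD5 stands in for NTLM's MD4 here only because hashlib always provides it) with a salted, iterated PBKDF2-HMAC-SHA256 record, and measures how much each guess slows down. The 100,000-iteration work factor is an assumed value.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor; real deployments tune this so one verify costs tens of
# milliseconds on the server, which is what makes offline guessing expensive.
ITERATIONS = 100_000


def fast_unsalted_hash(password: str) -> bytes:
    """Stand-in for a fast, unsalted password hash of the kind the 350 billion/s
    figure applies to. Never store passwords this way; it is here for comparison."""
    return hashlib.md5(password.encode("utf-8")).digest()


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Store a per-user random salt, the work factor and the derived key.
    The salt defeats precomputed tables: equal passwords give unequal records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and work factor; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def time_per_call(fn, *args, repeats: int) -> float:
    """Average wall-clock seconds for one call of fn(*args)."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn(*args)
    return (time.perf_counter() - start) / repeats


def slowdown_factor(password: str = "example only", iterations: int = ITERATIONS) -> float:
    """How many times more expensive one PBKDF2 guess is than one fast-hash guess.
    A leaked record with a fast hash lets an attacker test guesses at the rate of
    the hash; a slow KDF divides that rate by this factor."""
    record = make_record(password, iterations)
    fast = time_per_call(fast_unsalted_hash, password, repeats=2000)
    slow = time_per_call(verify, password, record, repeats=5)
    return slow / fast


if __name__ == "__main__":
    rec = make_record("Billy's Tuesday chicken")   # constructed sample password
    print("correct password verifies:", verify("Billy's Tuesday chicken", rec))
    print("case-changed password verifies:", verify("billy's tuesday chicken", rec))
    factor = slowdown_factor()
    print(f"one PBKDF2 guess costs about {factor:,.0f}x one fast-hash guess")
    # Thread's offline rate against a fast hash, scaled by the measured factor.
    print(f"350 billion/s against a fast hash becomes roughly {350e9 / factor:,.0f}/s here")
```

The measured factor is machine dependent, but it is typically in the tens of thousands, which is the difference between a 10-character password falling in minutes and in months from the same leaked table. This is the "strengthened password encryption" half of Vanguard's announcement that Steelersfan singled out, and it is the half customers cannot see; longer passwords add bits on the user's side, a slow salted KDF multiplies the cost of every guess on the server's side, and the two compound.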

Re: Vanguard increasing password length

Postby Jeff7 » Sun Mar 24, 2013 11:01 pm

stevep001 wrote:...
Here's an example. An earlier poster wants us to think that it's possible for new hardware to try 350 billion Vanguard password combinations per second, implying that the current password scheme weak. If you dig just a bit, the article linked to indicates that the crack was run at that rate against NTLM authentication -- a form of authentication that Microsoft stopped recommending over 10 years ago. While I won't pretend to know how Vanguard encrypts our passwords, I can say with 100% certainty that it does not use the NTLM crypto algorithm discussed in the article.
...
I was intending that to be more an example of the computing power available now, just on the consumer market, and not specific to Vanguard's operation. I too would hope that they're using far more secure encryption schemes.
I also referenced the fact that you're not going to be able to brute-force that many passwords against a remote server, unless they've got some amazingly high-tech fiber Internet hookup with incredibly low latency - and they'd probably lock you out after X attempts anyway.
Jeff7
 
Posts: 287
Joined: Sat Nov 24, 2012 3:30 pm

Re: Vanguard increasing password length

Postby Mel Lindauer » Sun Mar 24, 2013 11:30 pm

I applaud Vanguard for taking this additional security measure.
Best Regards - Mel | | Semper Fi
Mel Lindauer
Moderator
 
Posts: 22307
Joined: Mon Feb 19, 2007 9:49 pm
Location: Daytona Beach Shores, Florida

Re: Vanguard increasing password length

Postby cb474 » Thu Mar 28, 2013 2:23 am

Man, it's about time. But twenty characters? Really?

Why does Vanguard persist in putting artificial limits on the strength of passwords people can use?

Allowing longer passwords does not preclude anyone from using a shorter, crappier password if they want to. And as LadyGeek points out above, even this forum allows passwords five times as long.
cb474
 
Posts: 714
Joined: Tue Jan 19, 2010 7:32 am

Re: Vanguard increasing password length

Postby cb474 » Thu Mar 28, 2013 4:18 pm

Strangely, I just spoke with a Vanguard customer service person and he said he'd heard nothing about future changes to the password rules and that you cannot currently use special characters. There's also nothing in the security settings on the website that indicates the change to allow special characters.

But I went ahead and tried it and the system definitely recognizes special characters. (The system however still is not case sensitive. I have an upper case letter in my password, but if I type it lower case the system accepts the password and logs me in.)

So why isn't Vanguard making the change known to people? It seems like a continuation of Vanguard's apparent policy to actively discourage people from using better passwords. I just don't get it.
cb474
 
Posts: 714
Joined: Tue Jan 19, 2010 7:32 am

Re: Vanguard increasing password length

Postby Jeff7 » Sat Mar 30, 2013 5:07 pm

cb474 wrote:Man, it's about time. But twenty characters? Really?

Why does Vanguard persist in putting artificial limits on the strength of passwords people can use?

Allowing longer passwords does not preclude anyone from using a shorter, crappier password if they want to. And as LadyGeek points out above, even this forum allows passwords five times as long.

I wonder what, if any, technical reason there is for only allowing such a short password?
Some legacy issue or something like that?
For example, Pro-Engineer, a CAD software package, does not support spaces in filenames, nor does it support filenames longer than 32 characters, despite running on Windows systems, up to and through to Windows 8. However, its origins run back a long time, to Unix systems, and it seems that a lot of that old code is still present, which affects its capabilities. (Or else it's a simple change, and they're very lazy about making it.)
Jeff7
 
Posts: 287
Joined: Sat Nov 24, 2012 3:30 pm

Re: Vanguard increasing password length

Postby cb474 » Sat Mar 30, 2013 7:02 pm

I'm completely willing to believe that there are technical reasons why these limitations exist. And I believe some possibilities have been discussed in other threads in this forum on the topic, by people more knowledgeable about the technology. For example, there may be some backend system that's fundamental to how everything works at Vanguard and that would be expensive to upgrade.

On the other hand, the ability to use more complex passwords of almost any length is so commonplace on such basic sites across the internet that I still think it's an embarrassment for Vanguard not to suck it up and do what is necessary. It was an embarrassment years ago. Now it's just shameful.

Obviously the security of one's finances is fundamental. And so is making users feel confident that this is being taken seriously. Poor password procedures are effectively a big advertisement on Vanguard's part that they are less than concerned with security (whatever the backend realities may be).

Anyway, I expect a lot more. I don't really accept that this is a cost issue. This is one arena in which, if the logic is based on cost, Vanguard is letting the perfect be the enemy of the good (ultra low costs trumping everything, even security). Not only should better passwords have been allowed long ago, but there should also be two factor authentication (at least as an option), which many banks and financial institutions (to say nothing of just basic email providers) have implemented for years now.

It's just beyond me how badly this is handled and how now that they're making some improvements they are such baby tiny steps that will still leave Vanguard far behind the times, in terms of security.
cb474
 
Posts: 714
Joined: Tue Jan 19, 2010 7:32 am

Re: Vanguard increasing password length

Postby sperry8 » Sun Mar 31, 2013 3:22 am

Mel Lindauer wrote:I applaud Vanguard for taking this additional security measure.


Agreed. Extra characters plus upper/lower will make this very secure. Finally!
Certainty is a requirement of ignorance.
sperry8
 
Posts: 639
Joined: Sat Mar 29, 2008 10:25 pm
Location: Los Angeles, CA

Re: Vanguard increasing password length

Postby patrick » Sun Mar 31, 2013 12:14 pm

Jeff7 wrote:I'm glad that they're doing this.

Though with computers becoming incredibly powerful, you can brute-force a lot of passwords per second.
If you're cracking password hashes offline, 350 billion combinations per second. Now, this of course only applies if you've got the data stored locally.


Looking into the article a bit, it turns out that this is not only limited to NTLM passwords, but also that the setup used 25 graphics cards and it consumes 7 kilowatts of electricity. Also, note that if the passwords are salted, each password has to be cracked separately, with an enormous amount of time needed to crack all the accounts (though if you just try the most likely passwords against every account you would get a good portion of them quickly).

Jeff7 wrote:And password cracking doesn't work like in movies: The computer system won't tell you which characters were correct, or how close you are getting. The password is either entirely correct, or it is wrong. (If your system does work like the ones in the movies, please promptly fire anyone on your IT team who was involved with setting it up, and if they went to college, notify their professors' college board that their educational standards have some significant room for improvement.)


At least one system seems like it would (sort of) allow this -- Fidelity's. The reason being that you can access the account by telephone by only pressing the corresponding key on your phone, so it must store the password in phone digit form also. This would mean only needing 1 trillion tries (all possible 12 digit numbers) for a character password to get the password in numerical form, after which a smaller number of tries would be needed against the full alphanumeric password.
patrick
 
Posts: 818
Joined: Fri Sep 04, 2009 4:39 am

Re: Vanguard increasing password length

Postby Mudpuppy » Sun Mar 31, 2013 4:28 pm

patrick wrote:
Jeff7 wrote:I'm glad that they're doing this.

Though with computers becoming incredibly powerful, you can brute-force a lot of passwords per second.
If you're cracking password hashes offline, 350 billion combinations per second. Now, this of course only applies if you've got the data stored locally.


Looking into the article a bit, it turns out that this is not only limited to NTLM passwords, but also that the setup used 25 graphics cards and it consumes 7 kilowatts of electricity. Also, note that if the passwords are salted, each password has to be cracked separately, with an enormous amount of time needed to crack all the accounts (though if you just try the most likely passwords against every account you would get a good portion of them quickly).

Without getting into the gory technical details, there are ways to share the workload such that one can essentially look at work previously done to minimize the work being done now. The end result is that each password is NOT tested in isolation. The current group is simultaneously tested and the workload minimizing techniques can also be employed to save time on the next round of cracking.

Also, do not discount the GPU cracking rig due to its number of graphics cards and electrical consumption. A similar cracking rate could be achieved by distributing the workload amongst many smaller GPU cracking rigs. The crowdsourcing of password cracking is not to be discounted. It is not very expensive to set up a GPU rig capable of a couple billion tries per second against MD5 passwords. Even a gaming laptop would be capable of such rates.

patrick wrote:
Jeff7 wrote:And password cracking doesn't work like in movies: The computer system won't tell you which characters were correct, or how close you are getting. The password is either entirely correct, or it is wrong. (If your system does work like the ones in the movies, please promptly fire anyone on your IT team who was involved with setting it up, and if they went to college, notify their professors' college board that their educational standards have some significant room for improvement.)


At least one system seems like it would (sort of) allow this -- Fidelity's. The reason being that you can access the account by telephone by only pressing the corresponding key on your phone, so it must store the password in phone digit form also. This would mean only needing 1 trillion tries (all possible 12 digit numbers) for a character password to get the password in numerical form, after which a smaller number of tries would be needed against the full alphanumeric password.

It still doesn't work that way with Fidelity. Fidelity doesn't tell you when you have a digit correct or incorrect when trying to access it by phone, just whether the entire string of digits is correct or incorrect. And, as I recall from previous conversations (I don't have a Fidelity account personally to test this), the numeric password is all you need to log in by either phone or web. In other words, Fidelity's passwords are numeric, not alphanumeric. So it's just a simpler domain to crack, but the method of cracking remains the same.

Now WPS on the other hand does work the way Jeff7 was talking about. WPS authenticates each half of the password separately. In other words, it will return something like "left half correct, right half wrong" (simplified of course) when you try a password. Additionally, the last digit is a checksum digit, so it is based on the value of the previous 7 digits. So the 8 digit WPS "passcode" is actually a 4 digit passcode followed by a 3 digit passcode and a checksum digit. This means there's only 11000 combinations to try, at most. Practical attacks have been shown to only take hours to perform against live wireless routers. Once the attacker gets the WPS passcode correct, they are given your WPA2/WPA/WEP password by the WPS protocol. This is why you should always disable WPS on your wireless router.

WPS reference: http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
Mudpuppy
 
Posts: 2682
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California
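An added example (not code from the thread, the Wikipedia page linked above, or any router vendor) showing why the split verification Mudpuppy describes collapses the 8-digit WPS PIN from 10^8 possibilities to at most 11,000 attempts. The registrar is modelled as a local oracle that, like the real protocol, rejects the first four digits separately from the last four; no Wi-Fi traffic is involved, and the PIN values used are constructed for the demo.

```python
"""Added example, not from the forum thread or any vendor: the WPS PIN
checksum and the two-half brute force it enables. The registrar is a
local simulation (SplitOracle); PIN values below are constructed.
"""


def wps_checksum(first7: int) -> int:
    """Checksum (8th) digit for a 7-digit PIN prefix, per the WPS spec:
    digits in odd positions (1,3,5,7) weigh 3, even positions weigh 1,
    and the checksum brings the weighted sum to a multiple of 10."""
    accum, rest = 0, first7
    for pos in range(7):
        digit, rest = rest % 10, rest // 10
        accum += digit * (3 if pos % 2 == 0 else 1)  # pos 0 is digit 7
    return (10 - accum % 10) % 10


def full_pin(first7: int) -> str:
    """The 8-digit PIN as printed on a router label."""
    return f"{first7:07d}{wps_checksum(first7)}"


class SplitOracle:
    """Simulated WPS registrar. `queries` counts protocol attempts, which
    is the attacker's real cost (each one is a handshake with the router).
    Like the real protocol it answers for the first half on its own, and
    for the second half only once the first half is right."""

    def __init__(self, pin: str):
        self._pin = pin
        self.queries = 0

    def check_first_half(self, half4: str) -> bool:
        self.queries += 1
        return half4 == self._pin[:4]

    def check_second_half(self, half4: str, tail4: str) -> bool:
        self.queries += 1
        return half4 == self._pin[:4] and tail4 == self._pin[4:]


def recover_pin(oracle: SplitOracle) -> str:
    """Brute-force the halves independently: at most 10^4 attempts for the
    first half, then at most 10^3 for the second, because the checksum
    digit is derived from the other seven rather than guessed."""
    first = next(f"{i:04d}" for i in range(10_000)
                 if oracle.check_first_half(f"{i:04d}"))
    for j in range(1_000):
        prefix7 = int(first + f"{j:03d}")
        tail4 = f"{j:03d}{wps_checksum(prefix7)}"
        if oracle.check_second_half(first, tail4):
            return first + tail4
    raise RuntimeError("oracle inconsistent with a valid WPS PIN")


def worst_case_attempts() -> int:
    """Upper bound on oracle queries: 10^4 + 10^3, not 10^8."""
    return 10**4 + 10**3


if __name__ == "__main__":
    target = full_pin(1234567)  # constructed: the often-cited 12345670
    oracle = SplitOracle(target)
    print(recover_pin(oracle), "recovered in", oracle.queries, "attempts")
```

The only thing the attacker needs is the separate "first half wrong" signal; with a single yes/no answer for the whole PIN the search would be 10^7 (the checksum still removes one digit), which is why the protocol's per-half acknowledgement, not the PIN length, is the flaw.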

Re: Vanguard increasing password length

Postby Munir » Sun Mar 31, 2013 5:06 pm

Excuse my ignorance, but are there any statistics (numbers) on how many investment web sites have been hacked, and money lost for their owners? Have any Bogleheads had their accounts hacked?
Munir
 
Posts: 1782
Joined: Mon Feb 26, 2007 5:39 pm
Location: Oregon

Re: Vanguard increasing password length

Postby ogd » Sun Mar 31, 2013 5:25 pm

stevep001 wrote:I get frustrated when I read threads with this debate on this board. Of the thousands of facts about the security or non-security of Vanguard's operation, we as customers have visibility to a couple small parts of the process -- the login sequence, the validation mechanism when an account is linked to Vanguard, and a couple others. Nearly all of what Vanguard does to secure our accounts is invisible to us.


As a professional, I completely agree with this sentiment. Stop worrying about it. The password length is the very small tip of a very large iceberg. The real security work is in protecting the backend, and on our side in protecting our computers.

When an online system locks you out after a small number of attempts, and the backend password storage is periodically updated to keep up with computing power (example: PBKDF2 is an industry standard password-encryption function with strength as a parameter), then password length pretty much doesn't matter, and you definitely don't need to increase it over time.

stevep001 wrote:Here are steps that you can personally take to minimize the chance that someone else will access your account:

1. Don't use the same password on the Vanguard site as other sites
2. Use a longer rather than a shorter password, one that follows good password practices
3. Only log in from a computer that you control -- not your neighbor
4. Don't install [bloatware -- admin LadyGeek] (e.g., toolbars) from the internet on the computer you use to log in to the site
5. Use one highly regarded antivirus package on your computer.


Excellent recommendations, stevep. I would only add "Pay attention to the lock icon at vanguard.com and to the security image when you log in".
ogd
 
Posts: 2581
Joined: Fri Jun 15, 2012 12:43 am

Re: Vanguard increasing password length

Postby Jeff7 » Sun Mar 31, 2013 5:31 pm

Munir wrote:Excuse my ignorance, but are there any statistics (numbers) on how many investment web sites have been hacked, and money lost for their owners? Have any Bogleheads had their accounts hacked?
I don't think you should separate out "investment sites" for this, and instead ask, "How many secure web sites have been hacked, with data lost or stolen?"

Keeping data secure is a pretty big job, and with computers becoming not only faster, but increasingly interconnected, with greater demand for data to be available anywhere at any time, it is getting much more difficult to prove that the computer trying to gain access to some data is in fact being instructed to do so by the proper party. And with so much data being kept on just a single internal network, the amount of information that can be stolen during one breach can affect millions of users.



ogd wrote:As a professional, I completely agree with this sentiment. Stop worrying about it. The password length is the very small tip of a very large iceberg. The real security work is in protecting the backend, and on our side in protecting our computers.

When an online system locks you out after a small number of attempts, and the backend password storage is periodically updated to keep up with computing power (example: PBKDF2 is an industry standard password-encryption function with strength as a parameter), then password length pretty much doesn't matter, and you definitely don't need to increase it over time.

...
For the user side of things, the password is something we can change and have control over. All that other invisible stuff is beyond our control, and that's not always a good feeling. I guess we're left then to hope and trust that they are indeed keeping up on things on the backend.
Last edited by Jeff7 on Sun Mar 31, 2013 5:35 pm, edited 1 time in total.
Jeff7
 
Posts: 287
Joined: Sat Nov 24, 2012 3:30 pm

Re: Vanguard increasing password length

Postby Leesbro63 » Sun Mar 31, 2013 5:32 pm

Can someone explain to me what the SERIOUS risk is of someone getting into your Vanguard account? OK, they could sell stuff and cause a taxable event, market loss or missed market gain. The REAL risk is in getting the money. And how can they do that? Change the address? Won't that generate an Email (or an Email to an old Email address for an Email change)? Wire the money? How do you do that online?

What is the REAL risk of the current, allegedly weak password?
Leesbro63
 
Posts: 3657
Joined: Mon Nov 08, 2010 5:36 pm

Re: Vanguard increasing password length

Postby patrick » Sun Mar 31, 2013 5:37 pm

Mudpuppy wrote:Without getting into the gory technical details, there are ways to share the workload such that one can essentially look at work previously done to minimize the work being done now. The end result is that each password is NOT tested in isolation. The current group is simultaneously tested and the workload minimizing techniques can also be employed to save time on the next round of cracking.


Without any details at all I don't know what to make of this -- can you link to a source that describes how cracking salted passwords in significantly less time than the time to crack a single password multiplied by the number of passwords can be done (or at least credibly claims to have done it)?

Edited to add: A brief web search finds http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html talking about breaking salted passwords. It doesn't describe any shortcuts but rather involves trying all 23 million guesses against all 39 thousand salts. This only takes an hour if you try 259 million per second -- a bit less since many of the passwords could be cracked before going through the whole list.

Mudpuppy wrote:Also, do not discount the GPU cracking rig due to its number of graphics cards and electrical consumption. A similar cracking rate could be achieved by distributing the workload amongst many smaller GPU cracking rigs. The crowdsourcing of password cracking is not to be discounted. It is not very expensive to set up a GPU rig capable of a couple billion tries per second against MD5 passwords. Even a gaming laptop would be capable of such rates.


As far as I know all the large distributed cracking efforts have been done by groups that (I would hope!) are ethical enough not to use it to steal financial accounts. Of course, you could crowdsource secretly by tricking lots of people into installing your password cracker (for instance, by claiming it is an anti spyware program). However, in that case you could just steal your users' passwords when they typed them in, and then you would not have to go to the trouble of stealing the financial institution's password file.

patrick wrote:It still doesn't work that way with Fidelity. Fidelity doesn't tell you when you have a digit correct or incorrect when trying to access it by phone, just whether the entire string of digits is correct or incorrect. And, as I recall from previous conversations (I don't have a Fidelity account personally to test this), the numeric password is all you need to log in by either phone or web. In other words, Fidelity's passwords are numeric, not alphanumeric. So it's just a simpler domain to crack, but the method of cracking remains the same.


Ouch. I tried that with my Fidelity account and it does just check the numbers on the web -- which makes it even worse!
Last edited by patrick on Sun Mar 31, 2013 6:04 pm, edited 1 time in total.
patrick
 
Posts: 818
Joined: Fri Sep 04, 2009 4:39 am
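An added example, not code from the thread or from any institution named in it, illustrating the two points argued above: patrick's and Mudpuppy's exchange about whether salting forces each account to be attacked separately, and ogd's mention of PBKDF2 as a function with a tunable strength parameter. It also quantifies cb474's observation that a case-insensitive check shrinks the keyspace. The three accounts, their passwords, the salts and the attacker's guess list are all constructed for the demo, and the PBKDF2 iteration count is deliberately tiny so the example runs instantly; production systems use far more (an assumption here, not a recommended figure).

```python
"""Added example, not from the thread: cost of a dictionary attack on a
stolen password file under three storage schemes, plus the keyspace
effect of case folding. All data below is constructed.
"""
import hashlib
import hmac
import math
import os

GUESSES = ["password", "letmein", "vanguard1", "Summer2013", "bogleheads"]
ITERATIONS = 1_000  # demo value only; real deployments use far more (assumption)


def hash_unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def hash_salted(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def hash_pbkdf2(pw: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256; `iterations` is the strength parameter ogd refers to."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def make_db(scheme: str) -> dict:
    """Constructed password file: three users, two sharing a weak password,
    one with a password outside the attacker's list."""
    users = {"alice": "password", "bob": "password", "carol": "correcthorse"}
    db = {}
    for user, pw in users.items():
        if scheme == "unsalted":
            db[user] = (b"", hash_unsalted(pw))
        else:
            salt = os.urandom(16)  # per-user random salt
            stored = hash_salted(pw, salt) if scheme == "salted" else hash_pbkdf2(pw, salt)
            db[user] = (salt, stored)
    return db


def crack(db: dict, scheme: str) -> tuple:
    """Dictionary attack. Returns (recovered passwords, work in hash calls).

    unsalted: one hash per guess is looked up against every stored value,
              so the cost is len(GUESSES) no matter how many accounts.
    salted:   every guess must be re-hashed under each user's salt, so the
              cost is accounts x guesses (each account attacked separately).
    pbkdf2:   as salted, but each guess also costs `ITERATIONS` inner HMAC
              calls; raising that number raises the attacker's bill.
    Every guess is tried against every account; a real attacker would stop
    per account once it fell, but the bound is still accounts x guesses.
    """
    found, work = {}, 0
    if scheme == "unsalted":
        table = {hash_unsalted(g): g for g in GUESSES}
        work = len(GUESSES)
        for user, (_, stored) in db.items():
            if stored in table:
                found[user] = table[stored]
        return found, work
    for user, (salt, stored) in db.items():
        for g in GUESSES:
            if scheme == "salted":
                candidate, work = hash_salted(g, salt), work + 1
            else:
                candidate, work = hash_pbkdf2(g, salt), work + ITERATIONS
            if hmac.compare_digest(candidate, stored):
                found[user] = g
    return found, work


def verify(db: dict, user: str, pw: str) -> bool:
    """Server-side login check for the PBKDF2 scheme: recompute under the
    stored salt and compare in constant time."""
    salt, stored = db[user]
    return hmac.compare_digest(hash_pbkdf2(pw, salt), stored)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a random password; case folding on the
    server turns a 62-symbol alphabet into a 36-symbol one."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for scheme in ("unsalted", "salted", "pbkdf2"):
        found, work = crack(make_db(scheme), scheme)
        print(f"{scheme:9s} recovered={sorted(found)} work={work:,} hash calls")
    print(f"20 chars, case-folded alnum: {keyspace_bits(36, 20):.1f} bits; "
          f"case-sensitive: {keyspace_bits(62, 20):.1f} bits")
```

Salting does not stop the attack; it removes the "one hash covers everybody" shortcut, so the attacker's cost scales with the number of accounts. The iteration count is what scales the cost per guess, which is the parameter a backend can raise over time as hardware gets faster.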

Re: Vanguard increasing password length

Postby ogd » Sun Mar 31, 2013 5:44 pm

Leesbro63 wrote:Can someone explain to me what the SERIOUS risk is of someone getting into your Vanguard account? OK, they could sell stuff and cause a taxable event, market loss or missed market gain. The REAL risk is in getting the money. And how can they do that? Change the address? Won't that generate an Email (or an Email to an old Email address for an Email change)? Wire the money? How do you do that online?


The taxable event would be pretty disastrous by itself. I could also add:
* Destroying the money by friction with illiquid securities (no benefit for the attacker, but out of sheer malice).
* Pumping and dumping a penny stock, profiting on the other side.
* Finding some loophole for money transfer (a particular sequence of email / bank account changes that the client can't notice fast enough).

I don't even want to think about it. It would be terrible. In fact, the first two almost make me think linked VBS is a bad idea! Much less damage can be done with a pure MF account.

Leesbro63 wrote:What is the REAL risk of the current, allegedly weak password?


The above, plus: if the password is reused on other sites, it spreads out the damage. See recent LinkedIn incident. Don't reuse passwords!
ogd
 
Posts: 2581
Joined: Fri Jun 15, 2012 12:43 am

Re: Vanguard increasing password length

Postby tadamsmar » Sun Mar 31, 2013 5:54 pm

Munir wrote:Excuse my ignorance, but are there any statistics (numbers) on how many investment web sites have been hacked, and money lost for their owners? Have any Bogleheads had their accounts hacked?


All these have been hacked:

The brokerages affected include E*Trade, Scottrade, TD Ameritrade, Vanguard Brokerage Services, Fidelity Investments, Merrill Lynch, and Charles Schwab.


http://money.cnn.com/2007/03/08/markets ... /index.htm


But this hack only works on brokerage accounts. I only know of two web sites being hacked where mutual funds were involved.

I think the client was reimbursed for losses on all cases, except cases involving the federal TSP account and the TSP account has since eliminated online money transfers.

I think that means that all the major investment sites have been hacked. But I don't think the total number of clients that have had money removed from their accounts via hacking is large.

Note that reimbursement is not automatic; here are your responsibilities to Vanguard, for instance:

https://personal.vanguard.com/us/help/S ... ontent.jsp

BTW, it's very likely that none of these hacks would have been prevented by stronger passwords, since I think it's the case that a breach that allowed a hacker to get to a password hash file would have become public. These probably all involved stolen passwords or perhaps some kind of social engineering to impersonate the client and get the password.

PS: There is no obligation to make hacks public, so there could be many that were handled privately.
Last edited by tadamsmar on Mon Apr 01, 2013 11:31 am, edited 1 time in total.
tadamsmar
 
Posts: 6313
Joined: Mon May 07, 2007 1:33 pm

Re: Vanguard increasing password length

Postby cb474 » Sun Mar 31, 2013 7:59 pm

Mudpuppy wrote:Also, do not discount the GPU cracking rig due to its number of graphics cards and electrical consumption. A similar cracking rate could be achieved by distributing the workload amongst many smaller GPU cracking rigs. The crowdsourcing of password cracking is not to be discounted. It is not very expensive to set up a GPU rig capable of a couple billion tries per second against MD5 passwords. Even a gaming laptop would be capable of such rates.


patrick wrote:As far as I know all the large distributed cracking efforts have been done by groups that (I would hope!) are ethical enough not to use it to steal financial accounts. Of course, you could crowdsource secretly by tricking lots of people into installing your password cracker (for instance, by claiming it is an anti spyware program).

Indeed, it's my understanding that the malware route is exactly how people do this kind of cracking. No one sets up their own distributed cracking rig (just as few people run their own web servers anymore). People use botnets running on thousands of infected computers (out of the millions of infected computers out there), which can be purchased inexpensively on black markets (and normally you would make the purchase using a stolen credit card number that you also bought on a black market, just as the icing on the cake). So there's basically no set up time for this. You just have to have the resources (which are trivial) to buy a botnet that's already up and running. Now you have the power of thousands of computers at your disposal. As far as I understand, this is not hypothetical. This is what's actually going on today. In fact, in the NY Times article I link to below, the attackers infected server farms and used those systems to coordinate an attack; in this case a denial of service attack, but when you're harnessing the power of commercial server farms that is some serious computing power.

*

Munir wrote:Excuse my ignorance, but are there any statistics (numbers) on how many investment web sites have been hacked, and money lost for their owners? Have any Bogleheads had their accounts hacked?

You might be interested in this article from a couple days ago: http://www.nytimes.com/2013/03/29/techn ... -data.html. Apparently financial institutions are increasingly coming under attack of all different types. At the same time, the industry has been resistant to being open about the attacks that are happening (the reason why people are so unaware of how much this happens). The White House is trying to pressure industry to be more open and willing to participate in more centralized coordinated responses to these types of attacks (which they're finally conceding is probably going to be necessary).

*

ogd wrote:
stevep001 wrote:I get frustrated when I read threads with this debate on this board. Of the thousands of facts about the security or non-security of Vanguard's operation, we as customers have visibility to a couple small parts of the process -- the login sequence, the validation mechanism when an account is linked to Vanguard, and a couple others. Nearly all of what Vanguard does to secure our accounts is invisible to us.


As a professional, I completely agree with this sentiment. Stop worrying about it. The password length is the very small tip of a very large iceberg. The real security work is in protecting the backend, and on our side in protecting our computers.

When an online system locks you out after a small number of attempts, and the backend password storage is periodically updated to keep up with computing power (example: PBKDF2 is an industry standard password-encryption function with strength as a parameter), then password length pretty much doesn't matter, and you definitely don't need to increase it over time.

I really don't buy the just trust us, don't worry approach to this. Yes there are many avenues of attack, but that doesn't mean one should leave oneself open to one avenue (bad password protocol), because it's not necessarily the most important avenue of attack.

In addition, to me the extremely substandard password limitations of Vanguard's website, even by the standards of years ago, function like an advertisement for how seriously they take security in general. It may or may not reflect what Vanguard is doing on the backend. But it certainly is not reassuring. And again, the just trust us, don't worry response, when people complain, I do not find reassuring at all. For many in the security industry the gold standard of security protocols is transparency (including the benefits of using open-source protocols), not secrecy. If you don't explain what your protocols are, then you limit the number of people who can examine them and discover bugs and loopholes. This is a limitation on the robustness of one's security, not a benefit. More often than not, what people don't want you to know is in fact not good for you.

Lastly, I know someone who works with online security in banking, and from what he tells me, although they're very serious and concerned about security, they also care a lot about consumer convenience and often let the latter trump the former. Financial institutions essentially look at fraud as an operating cost. Is the cost of fraud counterbalanced by the extra business an institution derives from making their services more convenient? Whatever adds up to more profits will determine the outcome. (And please don't tell me we're safe because Vanguard is non-profit; it's a business like any other, it wants customers, it wants to grow, and it follows the same decision making process; it may be better than other institutions on this account, but it is not immune to this type of thinking.)

*

That aside, I would add that if people are worrying about their passwords, they should also be worrying about the answers to their security questions. These answers are essentially second passwords and because they can be socially engineered are much more vulnerable than even bad passwords. People need to have answers to their security questions that are as random and long as their passwords. And this goes for your username also. And you better be sure that your email account is as secure as your financial institution, since email is a treasure trove of personal information and the destination for password communications, therefore a prime way to discover and for finding one's way into other accounts that belong to a particular person.
cb474
 
Posts: 714
Joined: Tue Jan 19, 2010 7:32 am

Re: Vanguard increasing password length

Postby elgob.bogle » Sun Mar 31, 2013 8:11 pm

If someone has already said this - please accept my apologies. I think that a long, complicated password may somewhat discourage "day trading"

elgob
elgob.bogle
 
Posts: 477
Joined: Fri Feb 29, 2008 2:29 pm

Re: Vanguard increasing password length

Postby grabiner » Sun Mar 31, 2013 8:41 pm

cb474 wrote:That aside, I would add that if people are worrying about their passwords, they should also be worrying about the answers to their security questions. These answers are essentially second passwords and because they can be socially engineered are much more vulnerable than even bad passwords. People need to have answers to their security questions that are as random and long as their passwords.


This is not as much of an issue at Vanguard as at most other places, because your security question does not give the same level of access as a password. Vanguard uses the questions for additional security; when I logged onto my Vanguard account from my mother's computer, Vanguard required a security question as well, as additional protection against unauthorized access to my account from an unrecognized computer.

It is a serious problem at many other sites, at which a security question allows you to reset the password with full, immediate access. If anyone who knows your "mother's maiden name" can make a payment from your bank account, or make an online purchase shipped to an arbitrary address, then you have to make sure your mother doesn't know it and nobody else can figure it out. (My own "mother's maiden name" is not her name.)
David Grabiner
grabiner
Advisory Board
 
Posts: 13291
Joined: Wed Feb 21, 2007 12:58 am
Location: Columbia, MD

Re: Vanguard increasing password length

Postby cb474 » Sun Mar 31, 2013 10:24 pm

grabiner wrote:This is not as much of an issue at Vanguard as at most other places, because your security question does not give the same level of access as a password. Vanguard uses the questions for additional security; when I logged onto my Vanguard account from my mother's computer, Vanguard required a security question as well, as additional protection against unauthorized access to my account from an unrecognized computer.

It is a serious problem at many other sites, at which a security question allows you to reset the password with full, immediate access. If anyone who knows your "mother's maiden name" can make a payment from your bank account, or make an online purchase shipped to an arbitrary address, then you have to make sure your mother doesn't know it and nobody else can figure it out. (My own "mother's maiden name" is not her name.)

What happens if you forget your password? I've never forgotten mine, so I haven't seen how the Vanguard website handles that.
cb474
 
Posts: 714
Joined: Tue Jan 19, 2010 7:32 am

Re: Vanguard increasing password length

Postby grabiner » Sun Mar 31, 2013 11:38 pm

cb474 wrote:
grabiner wrote:This is not as much of an issue at Vanguard as at most other places, because your security question does not give the same level of access as a password. Vanguard uses the questions for additional security; when I logged onto my Vanguard account from my mother's computer, Vanguard required a security question as well, as additional protection against unauthorized access to my account from an unrecognized computer.

It is a serious problem at many other sites, at which a security question allows you to reset the password with full, immediate access. If anyone who knows your "mother's maiden name" can make a payment from your bank account, or make an online purchase shipped to an arbitrary address, then you have to make sure your mother doesn't know it and nobody else can figure it out. (My own "mother's maiden name" is not her name.)

What happens if you forget your password? I've never forgotten mine, so I haven't seen how the Vanguard website handles that.


You can re-set it with a security question, but your account is temporarily restricted from certain transactions, just as it is when you change your address. (And that is a second protection; someone who breaks into your account can change your address, but cannot then send a check to that new address before you receive a change-of-address notification at the old address.)

I don't know what Vanguard does about transactions in penny stocks after a password reset. I have traded ordinary ETFs immediately after resetting my password, but there isn't enough money in my account to make much profit from such manipulations.
David Grabiner
grabiner
Advisory Board
 
Posts: 13291
Joined: Wed Feb 21, 2007 12:58 am
Location: Columbia, MD

Re: Vanguard increasing password length

Postby cb474 » Mon Apr 01, 2013 12:11 am

grabiner wrote:You can re-set it with a security question, but your account is temporarily restricted from certain transactions, just as it is when you change your address. (And that is a second protection; someone who breaks into your account can change your address, but cannot then send a check to that new address before you receive a change-of-address notification at the old address.)

I don't know what Vanguard does about transactions in penny stocks after a password reset. I have traded ordinary ETFs immediately after resetting my password, but there isn't enough money in my account to make much profit from such manipulations.

I was just looking at it and the first step after clicking that I forgot my password was that it asked for my name, birthday, social security number, and email address. I didn't go beyond that step, because I didn't want to reset my password. Does it ask for a security question after that? The name, birthday, etc., is really worse than the security questions, since that information is easily garnered from publicly available information (background check sites, etc.). If someone has hacked into your email account (on which most people have less security and worse passwords than with a financial institution) then from saved emails they probably have figured out your name, may have seen that you are a Vanguard customer, may even have access to your birthday in the account settings. I'd rather have a security question, to which I can make up a random answer.

Anyway, after that I suppose the restriction on a change of address is good as long as you're not out of town or something. Someone could also put your mail on hold through the USPS website (I had something like this happen to me once)--USPS would not notify you via mail that your mail has been put on hold (only for a change of address). So that way you don't see the mail from Vanguard, although you'd probably notice relatively quickly that you weren't getting any mail. Perhaps someone could intercept the letter from Vanguard some other way (again, I and other people I know have had first-hand experience with this sort of scam; this is not hypothetical).

I haven't figured out every angle, but then I'm just making this up in two minutes off the top of my head. I feel like someone who was putting a lot of thought into this sort of scam probably can figure a way around the hurdles. It might not fool everyone, by a long shot, but it only has to work a small percentage of the time to have a payoff that's worth it. And then it could be a real nightmare for someone. It's also still a pain for those people who catch it in time.

To me this all really is a good example of putting convenience over security. There's really no reason at an institution like Vanguard that you should be able to reset the password online. If you forget it, then you should just have to deal with some sort of pain in the ass, but more secure method for resetting the password.

Re: Vanguard increasing password length

Postby Epsilon Delta » Mon Apr 01, 2013 1:54 am

I'm pretty sure that you can get the password reset by calling Vanguard and without answering a security question. If you think about it they really do need a way to do this. People will forget things, particularly if they give random answers to security questions or if they used two spaces instead of one.

Although I would be happier if the procedure involved swearing before a magistrate and having your fingerprints taken or the like. Perhaps this would be a good use for something like a medallion signature, having somebody trustworthy say "yup, that's him, I've known him for years". Still, it's not Vanguard's job to set up a proper identity infrastructure, and I don't think there is any existing system they could use.

Re: Vanguard increasing password length

Postby Sidney » Mon Apr 01, 2013 2:12 am

Epsilon Delta wrote:People will forget things, particularly if they give random answers to security questions or if they used two spaces instead of one.

The key is to use a password storage system so you can use nonsense/passphrase answers to security questions rather than the real name of your first dog.
I always wanted to be a procrastinator.
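An added example, not code from any poster in this thread, putting the two points above into working form: on the service side, a security-question answer is normalised (whitespace collapsed, case folded, so Epsilon Delta's "two spaces instead of one" still verifies) and stored as a salted slow hash like a password; on the user side, a random passphrase answer kept in a password manager, as Sidney suggests, has far more guessing entropy than a pet name drawn from a small list anyone can enumerate. The pet-name list, the word list and the PBKDF2 round count are constructed assumptions, not Vanguard's.

```python
import hashlib
import hmac
import math
import os
import re
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor; a real service tunes this

def normalize_answer(answer):
    """Collapse whitespace runs and fold case before hashing, so that
    'Rex' and '  rex   ' verify as the same answer (the two-spaces problem)."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()

def hash_answer(answer, salt=None):
    """Store security-question answers like passwords: salted, slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_answer(answer, salt, digest):
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_answer(answer, salt)
    return hmac.compare_digest(candidate, digest)

def guess_entropy_bits(space_size, picks=1):
    """Entropy in bits of an answer drawn uniformly from `space_size` options,
    `picks` times independently (e.g. the words of a passphrase)."""
    return picks * math.log2(space_size)

def random_answer(wordlist, words=4):
    """A nonsense passphrase answer meant to live in a password manager."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

# Constructed sample data (not from the thread): a tiny list of common pet
# names standing in for what a background-check site or an e-mail archive
# could reveal, and a tiny word list standing in for a 7776-word diceware list.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "rex", "buddy", "molly", "daisy"]
SAMPLE_WORDLIST = ["anchor", "velvet", "quartz", "lantern", "cobalt", "meadow"]
DICEWARE_SIZE = 7776

if __name__ == "__main__":
    salt, digest = hash_answer("Rex")
    print(verify_answer("  rex ", salt, digest))        # True: normalised before hashing
    print(guess_entropy_bits(len(COMMON_PET_NAMES)))   # 3.0 bits: guessable in 8 tries
    print(guess_entropy_bits(DICEWARE_SIZE, 4))        # about 51.7 bits
    print(random_answer(SAMPLE_WORDLIST))
```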
