Vanguard increasing password length

cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard increasing password length

Post by cb474 »

Epsilon Delta wrote: I'm pretty sure that you can get the password reset by calling Vanguard and without answering a security question. If you think about it they really do need a way to do this. People will forget things, particularly if they give random answers to security questions or if they used two spaces instead of one.

Although I would be happier if the procedure involved swearing before a magistrate and having your fingerprints taken or the like. Perhaps this would be a good use for something like a medallion signature, having somebody trustworthy say "yup that's him, I've known him for years". Still it's not Vanguard's job to set up a proper identity infrastructure, and I don't think there is any existing system they could use.

It is Vanguard's job to set up its own secure system for verifying someone's identity before resetting a password, so I'm not sure I understand your point, when you say "it's not Vanguard's job to set up...".

That aside, a simple solution to improving one's answer to security questions would be to just add a nonsense word after the real answer to each security question. So if the city in which one was born was Springfield, then the answer could be "Springfield bittyboop." And the answer for the name of one's childhood dog would be "Rex bittyboop." This is far from ideal, but it's easy to remember and way way more secure than using just the real answer to the question.

I am also not averse, as has been discussed in other threads here, to people just making up random answers and then writing them down on a list at home. The odds of someone breaking into your house and looking for the answers to your security questions in a file are very small (as opposed to taking your TV and jewelry). Those are just not the kind of people breaking into houses. But the odds of someone trying to break into a financial institution by social engineering, malware, etc., are many thousands of times higher. So even if it's counter-intuitive, a written down list of random answers at home is a big improvement in security over what most people do.

There are of course better ways to deal with this. The "right" way, if you will. But there are also steps, such as I suggest, that are a vast improvement over what people actually do. A lot could be accomplished by not letting the perfect be the enemy of the good.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard increasing password length

Post by tadamsmar »

Call_Me_Op wrote: Actually, I am a bit uncomfortable that they had to be told [by clients] to do this.

It probably had to be client driven. Their security experts probably gave this a low priority. It's more of a client perception thing.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard increasing password length

Post by tadamsmar »

stevep001 wrote: I get frustrated when I read threads with this debate on this board. Of the thousands of facts about the security or non-security of Vanguard's operation, we as customers have visibility to a couple small parts of the process -- the login sequence, the validation mechanism when an account is linked to Vanguard, and a couple others. Nearly all of what Vanguard does to secure our accounts is invisible to us.

Here's an example. An earlier poster wants us to think that it's possible for new hardware to try 350 billion Vanguard password combinations per second, implying that the current password scheme is weak. If you dig just a bit, the article linked to indicates that the crack was run at that rate against NTLM authentication -- a form of authentication that Microsoft stopped recommending over 10 years ago. While I won't pretend to know how Vanguard encrypts our passwords, I can say with 100% certainty that it does not use the NTLM crypto algorithm discussed in the article.

That said, support for longer passwords will make things more secure. But, if you look in detail at risk management procedures put in place, they all have that property -- doing more means more secure. The question is always "how much is enough."

Here are steps that you can personally take to minimize the chance that someone else will access your account:

1. Don't use the same password on the Vanguard site as other sites
2. Use a longer rather than a shorter password, one that follows good password practices
3. Only log in from a computer that you control -- not your neighbor
4. Don't install [bloatware -- admin LadyGeek] (e.g., toolbars) from the internet on the computer you use to log in to the site
5. Use one highly regarded antivirus package on your computer.

In my view, you should give priority to doing all the things that you need to do to keep your fraud reimbursement protection in force:
At a minimum, in order for this protection to apply, you must take the following steps:

Review your accounts regularly:
Check your account frequently. Promptly and completely review all information we send you.
Report any errors or discrepancies in your account and any suspected unauthorized transactions or account changes to Vanguard immediately.

Protect your Vanguard.com user name, password, and other account-related information:
Make sure your user name, password, and answers to your security questions are unique and strong.
Never share your user name, password, or other account-related information with anyone.
Never store your user name, password, or answers to security questions in your browser.
Clear any temporarily stored copies of online information by closing your browser after signing off. Do not leave your computer unattended while logged on to Vanguard.com.

Protect your computer:
Make certain that any computer you use to access Vanguard.com has up-to-date security and anti-spyware, antivirus, and firewall software.
Do not reply to e-mail requests for personal or financial information.
Do not respond to, open an attachment in, or click on a link within an e-mail if you suspect the message is fraudulent. Vanguard will not ask for personal information such as your Social Security number, account numbers, or passwords in an e-mail.

Cooperate with us and stay informed:
Cooperate fully with Vanguard in investigating and prosecuting any unauthorized activity in your account, and follow our recommendations about how to protect your account. We may require you to file a police report, complete a notarized affidavit, or permit access to your computer.
https://personal.vanguard.com/us/help/S ... ontent.jsp
Last edited by tadamsmar on Mon Apr 01, 2013 12:59 pm, edited 1 time in total.
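The arithmetic behind stevep001's point (quoted in the post above) is worth seeing in code: 350 billion guesses per second was measured against NTLM, a single unsalted pass of a fast hash, and a site that stores passwords with a slow, salted key-derivation function makes every guess carry the same iteration cost. The block below is an added example, not code from the thread or from Vanguard; the 62-character alphabet, the 100,000-iteration PBKDF2 work factor and the linear cost scaling are assumptions chosen for illustration, and the figures are upper bounds because they assume uniformly random passwords.

```python
"""Password keyspace and storage-cost arithmetic (added example, not from
the thread or from Vanguard). Assumed values are marked as such."""
import hashlib
import hmac
import os

NTLM_RATE_PER_SECOND = 350e9       # rate quoted in the thread, measured against NTLM
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PBKDF2_ITERATIONS = 100_000        # assumed work factor for this example
ALPHABET_MIXED_CASE_DIGITS = 62    # a-z, A-Z, 0-9 (assumed password alphabet)


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` uniformly chosen characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of this shape at a fixed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def effective_rate(fast_hash_rate, iterations):
    """Approximate guess rate against a KDF that runs `iterations` hash passes
    per guess. Assumption: attacker cost scales linearly with the iteration count."""
    return fast_hash_rate / iterations


def compare_storage_schemes(lengths=(8, 10, 12), alphabet_size=ALPHABET_MIXED_CASE_DIGITS):
    """Years to exhaust the keyspace for a fast unsalted hash versus PBKDF2,
    for each password length. Returns a list of (length, fast_years, kdf_years)."""
    kdf_rate = effective_rate(NTLM_RATE_PER_SECOND, PBKDF2_ITERATIONS)
    rows = []
    for n in lengths:
        fast_years = seconds_to_exhaust(n, alphabet_size, NTLM_RATE_PER_SECOND) / SECONDS_PER_YEAR
        kdf_years = seconds_to_exhaust(n, alphabet_size, kdf_rate) / SECONDS_PER_YEAR
        rows.append((n, fast_years, kdf_years))
    return rows


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt per account means two users with the same password
    get different digests, so a precomputed table cannot be reused across accounts."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for n, fast_years, kdf_years in compare_storage_schemes():
        print(f"{n:2d} chars: fast unsalted hash {fast_years:10.3g} yr, "
              f"PBKDF2 x{PBKDF2_ITERATIONS} {kdf_years:10.3g} yr")
    record = hash_password("correct horse battery staple")   # constructed sample password
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong guess", record))
```

At the quoted NTLM rate an 8-character mixed-case alphanumeric password falls in about ten minutes while a 12-character one takes centuries, which is the "longer is more secure" point; the second column shows that the hash the site chooses shifts every row by the iteration factor, which is the part a customer cannot see.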
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard increasing password length

Post by Epsilon Delta »

Sidney wrote:
Epsilon Delta wrote: People will forget things, particularly if they give random answers to security questions or if they used two spaces instead of one.
The key is to use a password storage system so you can use nonsense/passphrase answers to security questions rather than the real name of your first dog.

No. The key is to recognize that Vanguard's security policies are not just for you. They are set up for the general user, which includes people who can't remember passwords. This introduces vulnerabilities that you can't do anything about. You have to hope (or in an ideal world verify) that some other parts of Vanguard's policies limit the potential damage.
cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard increasing password length

Post by cb474 »

tadamsmar wrote: In my view, you should give priority to doing all the things that you need to do to keep your fraud reimbursement protection in force:
At a minimum, in order for this protection to apply, you must take the following steps:

Review your accounts regularly:
Check your account frequently. Promptly and completely review all information we send you.
Report any errors or discrepancies in your account and any suspected unauthorized transactions or account changes to Vanguard immediately.

Protect your Vanguard.com user name, password, and other account-related information:
Make sure your user name, password, and answers to your security questions are unique and strong.
Never share your user name, password, or other account-related information with anyone.
Never store your user name, password, or answers to security questions in your browser.
Clear any temporarily stored copies of online information by closing your browser after signing off. Do not leave your computer unattended while logged on to Vanguard.com.

Protect your computer:
Make certain that any computer you use to access Vanguard.com has up-to-date security and anti-spyware, antivirus, and firewall software.
Do not reply to e-mail requests for personal or financial information.
Do not respond to, open an attachment in, or click on a link within an e-mail if you suspect the message is fraudulent. Vanguard will not ask for personal information such as your Social Security number, account numbers, or passwords in an e-mail.

Cooperate with us and stay informed:
Cooperate fully with Vanguard in investigating and prosecuting any unauthorized activity in your account, and follow our recommendations about how to protect your account. We may require you to file a police report, complete a notarized affidavit, or permit access to your computer.
https://personal.vanguard.com/us/help/S ... ontent.jsp

When I see that fairly long list of all the things you need to do, what I see is a list of potential excuses that Vanguard can use to try to weasel out of reimbursing people in the case of fraud.

I am very security conscious, I am the sort of person who does read the fine print, and I had never seen that list before people in this forum started pointing it out. I do all those things anyway, but how many Vanguard customers are really aware of that list or carefully practice every single thing on the list? I suspect it's a percentage in the single digits. Obviously if people are handing out their username and password on street corners, Vanguard can't be liable for lost funds. But when I see that list, it just seems like fine print to help Vanguard weasel out when the responsibility of the client is not so obvious.

People need to be educated about how to practice better security. This does not work by hiding the information in the fine print that no one ever sees. Letting people choose bad passwords and dumb answers to security questions is just encouraging people to continue bad practices. People, as a whole, will not change until the system requires better practices. Vanguard stands in a position to make people have no other option than to engage in better practices. When Vanguard chooses to do otherwise for the convenience of customers, this is just because Vanguard wants their business and doesn't want to annoy them with even moderately more effort on security. But fraud is a cost we all pay for in the long run. I want people to be required to do it right. I don't accept a let the buyer beware solution. In a domain like this it will never work to change most people's behavior.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard increasing password length

Post by tadamsmar »

cb474 wrote:
tadamsmar wrote: In my view, you should give priority to doing all the things that you need to do to keep your fraud reimbursement protection in force:
At a minimum, in order for this protection to apply, you must take the following steps:

Review your accounts regularly:
Check your account frequently. Promptly and completely review all information we send you.
Report any errors or discrepancies in your account and any suspected unauthorized transactions or account changes to Vanguard immediately.

Protect your Vanguard.com user name, password, and other account-related information:
Make sure your user name, password, and answers to your security questions are unique and strong.
Never share your user name, password, or other account-related information with anyone.
Never store your user name, password, or answers to security questions in your browser.
Clear any temporarily stored copies of online information by closing your browser after signing off. Do not leave your computer unattended while logged on to Vanguard.com.

Protect your computer:
Make certain that any computer you use to access Vanguard.com has up-to-date security and anti-spyware, antivirus, and firewall software.
Do not reply to e-mail requests for personal or financial information.
Do not respond to, open an attachment in, or click on a link within an e-mail if you suspect the message is fraudulent. Vanguard will not ask for personal information such as your Social Security number, account numbers, or passwords in an e-mail.

Cooperate with us and stay informed:
Cooperate fully with Vanguard in investigating and prosecuting any unauthorized activity in your account, and follow our recommendations about how to protect your account. We may require you to file a police report, complete a notarized affidavit, or permit access to your computer.
https://personal.vanguard.com/us/help/S ... ontent.jsp
When I see that fairly long list of all the things you need to do, what I see is a list of potential excuses that Vanguard can use to try to weasel out of reimbursing people in the case of fraud.

I am very security conscious, I am the sort of person who does read the fine print, and I had never seen that list before people in this forum started pointing it out. I do all those things anyway, but how many Vanguard customers are really aware of that list or carefully practice every single thing on the list? I suspect it's a percentage in the single digits. Obviously if people are handing out their username and password on street corners, Vanguard can't be liable for lost funds. But when I see that list, it just seems like fine print to help Vanguard weasel out when the responsibility of the client is not so obvious.

People need to be educated about how to practice better security. This does not work by hiding the information in the fine print that no one ever sees. Letting people choose bad passwords and dumb answers to security questions is just encouraging people to continue bad practices. People, as a whole, will not change until the system requires better practices. Vanguard stands in a position to make people have no other option than to engage in better practices. When Vanguard chooses to do otherwise for the convenience of customers, this is just because Vanguard wants their business and doesn't want to annoy them with even moderately more effort on security. But fraud is a cost we all pay for in the long run. I want people to be required to do it right. I don't accept a let the buyer beware solution. In a domain like this it will never work to change most people's behavior.

I did a poll here on some of the items in the list:

http://www.bogleheads.org/forum/viewtop ... e#p1525102

The lowest compliance on a single item was 8% (spouse sharing password with you), so the overall compliance measured by that poll would indeed be in single digits.

All the mutual fund companies that I have checked have some stipulations (fine print as you call it) for reimbursement. The others tend to be a less extensive list than Vanguard's, but all I have checked preclude sharing your password with your spouse on personal accounts, which was the most ignored requirement on my poll.

I suppose we are all hoping for lax enforcement of the letter of the requirements unless our lax compliance proves to not be the cause of the breach.

Concerning Vanguard trying to weasel out of reimbursement, there is nothing to weasel out of because there is no law or regulation that requires reimbursement if your login credentials are stolen and Vanguard was not at fault or you wait too long to report unauthorized responsibilities. Same for all brokerages. Heck, the actual TSP users have not been reimbursed in these cases. As far as I know TreasuryDirect will not reimburse in these situations. TSP and TreasuryDirect make no promises to cover you from losses due to breaches on the computers you use regardless of the safeguards you took. Even your bank and credit card will not reimburse if you wait too long to report the unauthorized activity. Everyone seems to think we live in a nanny state, but it seems that most of us are in need of a nanny even better than the one the state is providing!

By the way, that was not actually the small print. The small print is below it. Among other things, the small print says that you could be SOL if you manage investments on your work computer and your login credentials are stolen by a third party. There is a third party issue. As far as I can see all the brokerages have third party stipulations that complicate reimbursement.

Also, I don't think the companies are trying to weasel out of anything. If they make it too easy, then they could easily be scammed by their own clients. Heck, if you reported a loss, I think it would be a certainty that the brokerage firm would have to make sure you are not scamming them before making you whole.
cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard increasing password length

Post by cb474 »

I don't see why creating the conditions for weaseling out of reimbursing someone implies that there must be a law or regulation requiring reimbursement. Even without a law or regulation, any financial institution could be held civilly liable if it could be shown that their system was designed to tolerate a certain amount of fraud in the name of convenience and that the financial institution essentially knowingly created the conditions in which some of its customers would be defrauded.

In any case, one way financial institutions could avoid the sort of scams you suggest is by making their security protocols a lot more difficult. If it were harder to break into people's accounts, if poorly designed security questions weren't allowed, if passwords had to have a minimum length that was genuinely secure and could not be a single real word, if there was two factor authentication, etc., there would be a lot less room for people to devise plausible scams in which they falsely claim their account was hacked. So financial institutions are not innocent in how the conditions get created for different sorts of scams to occur.

In the end, as I say above, people as a whole group (not the handful of generally more savvy people who frequent forums like this) are not going to change their behavior if they are not for the most part required to do so. This is in large part because they are not experts and do not even understand the limits and risks of the security protocols they are currently required to use. They have every reason to expect that if these are the security protocols Vanguard (or others) have instituted, then they are sufficient; the burden is on Vanguard if they are not. The people who understand these risks (the security people at large financial institutions) are the only people in a position to create real change (in addition to the state, if one wanted to go that route).

But whatever the mechanism, a solution has to be top down, because it's unreasonable to expect the general populace to all become sophisticated security experts. Instituting stricter requirements is no more the creation of a nanny state solution than is expecting medical care to be provided by doctors, rather than telling patients they should just perform surgery on themselves. Where specialized knowledge is required the solution involves those with that knowledge using it, not blaming everyone else for not having the knowledge.

I was going to end this post by saying that I don't really expect Vanguard to change, given that like all financial institutions Vanguard has conflicts of interest when it comes to fraud prevention (and laxness in the name of convenience seems to be the norm in the U.S.). But given that Vanguard's website login security, even with the upcoming password changes, is far from the best out there (even some email providers have better security than Vanguard) it does seem not entirely unreasonable to expect that Vanguard might at least meet the standards of those who are doing a better job. On the other hand, given Vanguard's history for being way way behind the times in this regard, any expectation for a change is probably not very likely to be gratified.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard increasing password length

Post by tadamsmar »

I think you are right that a financial institution could be held civilly liable for not providing something like 2FA in spite of the weasel words. Here is a case of that sort:

http://www.wired.com/threatlevel/2009/0 ... cial-sued/
cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard increasing password length

Post by cb474 »

That's an interesting article. Thanks for the link.