Bogleheads.org

[OldOne]

If you've read enough about password management, you might want to avoid this NY Times Personal Tech article. If not, it might be worth reading. My problem is that I read and understand but fail to DO IT. One of these days I'll regret it. Any way, see what you think . .

http://www.nytimes.com/2012/11/08/technology/personaltech/how-to-devise-passwords-that-drive-hackers-away.html?src=me&ref=general

[czeckers]

My annoyance with the whole password thing is that each site has a different set of restrictions. I find that many websites, especially the financial ones, limit the length and use of special characters, thus eliminating the possibility of very strong passwords.

This is my one large gripe with Vanguard and I pray they will remedy this sometime soon.

-K

[wilpat]

I once made a password by taking the Gettysburg Address and translating it into French then reversing the entire text (fourscore and 7 years became -- sraey 7 dna erocsruof) then using every 16th letter (or number) ( I used 16 because I have 16 Grandchildren) and used the first 12 selections as a password.

[Rob5TCP]

That has been a big peeve of mine and probably one of the main reason I have considered moving my money elsewhere. Ten characters, no cap/small is absurd. I use meaningless symbols and letters/number, but 10 characters is not enough in this day and age. How do we complain to Vanguard about this?

[Fallible]

If you've read enough about password management, you might want to avoid this NY Times Personal Tech article. If not, it might be worth reading. My problem is that I read and understand but fail to DO IT. One of these days I'll regret it. ...

Excellent article, especially by someone who writes about cybersecurity (vs. yet another clueless soul who failed to appreciate it until he/she was hacked). I also failed to devise good passwords (but apparently didn't get hacked) until a web developer I started working with last year lectured me on the extreme need for them - and to change them often, plus how to keep track of them. Also, here's a good BH forum on passwords: viewtopic.php?f=3&t=97719

[ataloss]

are folks worried that someone can guess a random 10 character vanguard password in 3 tries?

[Rob5TCP]

are folks worried that someone can guess a random 10 character vanguard password in 3 tries?

If that was it; no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are, tell me 10 characters is great - for 2005 (not for 2012).

[Mudpuppy]

are folks worried that someone can guess a random 10 character vanguard password in 3 tries?

If that was it; no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are, tell me 10 characters is great - for 2005 (not for 2012).

They do have to violate Vanguard's security first to get the hashes, which means any passwords cracked as a result of such a violation would be due to Vanguard's security deficits, not the user's security deficits. So in such a situation, you would be covered by Vanguard's policies to make you whole for any consequences to your Vanguard account as a result of an attacker using the hash file to come up with your password.

What would be a security deficit on your part is if you used your 10 character Vanguard password for another place, and that other place had their password hashes stolen and cracked, which then led to someone compromising your Vanguard account. In that case, you would be responsible since you did not follow best security practices. This is why the number 1 thing to remember about passwords is to never reuse them at multiple places. I covered this in my previous thread on password security: viewtopic.php?f=11&t=97664&p=1410534

[NAVigator]

are folks worried that someone can guess a random 10 character vanguard password in 3 tries?

If that was it; no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are, tell me 10 characters is great - for 2005 (not for 2012).

The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so....

Jerry

[Rob5TCP]

I tried to change my UserName to something more complex. There seemed to be no easy way to do that.

[tetractys]

I use keyboard patterns, but somewhat unsystematically, so it's easy to remember about 20 different passwords. Really not worried even if a breach occurs, since other redundant security measures cover that pretty good. -- Tet

[Epsilon Delta]

The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so....

Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.

[NAVigator]

The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so....

Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.

I was addressing a concern about Vanguard. They use my real name in the email salutation not my username.

Jerry

[Epsilon Delta]

The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so....

Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.

I was addressing a concern about Vanguard. They use my real name in the email salutation not my username.

Jerry

I was a little glib the first time, but it still probably won't help much.

The attack your trying to protect against is somebody hacking Vanguard's computer and getting hold of a file containing hashed passwords. Using long complex passwords means that the hacker has to work hard(er) to figure out your password from the hash. But your username is probably in plain text in the password file, so complexity in the username does not help. The reason your username is unlikely to be obscured inside Vanguard's system is that it is a username and not a password, so Vanguard will not take extraordinary efforts to keep it secret.

A complex username helps a little if somebody is trying random passwords and username's on Vanguards login page, but Vanguard should be monitoring login attempts closely enough that even very short passwords make this attack very unlikely to succeed.

[overst33r]

I haven't made a new password in ages. www.Lastpass.com

[ataloss]

I use Keypass with the "random" password generator. If I use 10 characters using just lower case and numbers I have (36)^10 = 36,000,000,000,000,000 possible combinations. It seems like the odds of guessing the right one in 3 tries would be rather low. Vanguard turns off your account after a few wrong guesses (it happened to me years ago) So other than having friends who tell us that adding more characters would be better an anyone actually explain how this would really be more secure?

[Mudpuppy]

I use Keypass with the "random" password generator. If I use 10 characters using just lower case and numbers I have (36)^10 = 36,000,000,000,000,000 possible combinations. It seems like the odds of guessing the right one in 3 tries would be rather low. Vanguard turns off your account after a few wrong guesses (it happened to me years ago) So other than having friends who tell us that adding more characters would be better an anyone actually explain how this would really be more secure?

People are not concerned about online, live password guessing (e.g. the three guesses at Vanguard's website) when they are concerned about a short password length. They are concerned about someone cracking the hashed password file. But as I said previously, they would have to violate Vanguard's security to get that first. As long as you don't reuse your Vanguard password at another site, any breaches would be primarily Vanguard's responsibility. But if you do reuse your Vanguard password elsewhere, it becomes your responsibility because you used poor security practices.

[paulsiu]

On forum websites and such, I don't always use really long password, especially if there's nothing sensitive to get into.

On email and financial sites, I often use somewhat hard to guess but easier to remember sentences (ex: "chasLikeMenudoWithOnion1911").

While this maybe a bad idea in a secured environment, writing the password in a piece of paper and then storing it physically somewhere secure (not near your computer) is good enough. Hackers can't hack into it and if your computer is stolen, it's not so likely they'll get to the password. You may not even need to lock it. Hide the sheet in something people won't bother stealing, a copy of War and Peace, or the Holy BIble.

Paul

[mike143]

Type your password into google and see if you get any hits. My better ones get no hits.

[ataloss]

People are not concerned about online, live password guessing (e.g. the three guesses at Vanguard's website) when they are concerned about a short password length. They are concerned about someone cracking the hashed password file.

I understand your concern and it is legitimate although none of us know the details of the hashing and salting at Vanguard and increased password length may not be useful depending on the unknowns. Rob5tc finds the Vanguard restrictions absurd but can't really articulate why. I think the fact that login attempts are limited enhances security far more than increasing pw length, especially considering that many users will try using "password" and if you require a number will try "password1." The image at login is a nice idea to prevent password losses to fake sites although I am not sure if most users pay attention. Making the password requirements too onerous results in people calling in so that the phone rep can ask them their first pet's name and their favorite Beatle. I think the "security" questions as usually completed are probably a weaker target for thieves.

[Mudpuppy]

Type your password into google and see if you get any hits. My better ones get no hits.

Except Google now has a record of your password to add to its search term statistics.... all of those auto-complete features of Google don't just happen out of thin air after all, Google keeps a log of search terms entered: http://www.google.com/goodtoknow/data-o ... arch-logs/