Bogleheads.org

[Bob.Beeman]

Previous posts have discussed Vanguard's bad password policies, which appear to indicate that the site may have poor security, possibly even including storing passwords as plaintext (a BIG security NO-NO).

Today I discovered that Vanguard is on the https://defuse.ca/password-policy-hall-of-shame.htm Password Policy Hall of Shame at the Defuse Security website.

The issue: unreasonably short maximum password length (10 characters), which becomes a huge issue if their password file is stolen. Can't happen? Ask eHarmony or LinkedIn. It happened to them and countless others.

We need to write to Vanguard about this. Also about their policy on re-registration, which depends on public information like your birthplace, mother's maiden name, etc. all of which are incredibly insecure for the purposes for which they are used.

- Bob Beeman.

[chaz]

Thanks for this alert. Security is paramount.

[Rob5TCP]

My primary reason for considering leaving Vanguard is its pathetic password policy. Alpha numeric plus symbols without regard to caps/small is notoriously inadequate. A 1 1/2 trillion operation should have the best security in the business, not among the weakest. I hope Vanguard monitors these boards. Most of the other sites are not ones that have your retirement money.
If it also stores in plain-text, that is a great concern.

I wouldn't mind a $10 or $25 fee just for extra security for the peace of mind it would provide.
But that is unlikely to happen.
BTW Fidelity does not have a great password policy either (12 characters)

[stlutz]

I would like to see Vanguard at least offer security devicies like Interactive Brokers does.

Because accounts get locked after X number of incorrect login attempts, I don't know that a 45 character password is more secure than a 10 character one.

What I worry about is how easy it is to reset your password at various financial institutions. When someone can get a new password for your account by answering some non-secure "security questions", that's where the problem lies.

[geekpryde]

I have written to Vanguard about this several times from within my account, and blast them on this issue each time I'm asked to do a Vanguard survey (did another survey tonight about new website look). I have been written back from VG a few times, but mostly now they just dont publish my comments on blog replies (happened last week and other times). I have also posted here in other threads on this issue. I LOVE Vanguard, and consider them my #1 brand, followed by Amazon. I feel like at this point I have to shutup, since I am worried Vanguard will kick me out (not sure that can happen, or ever has happened before). I dont want to loose my VG account, and even though I am VERY concerned about the password length issue, I am risking it because VG is that good. I've told them that this security issue is the only blemish they have that I am aware of. But it's been probably two years since I have started on this crusade, and they dont even placate users with a "maybe, in the future" answer. The only answers I get can be summed up as "trust us, your money is safe here".

I am glad that other people are highlighting this defficency, but I'm ashamed about having the majority of my money at a company on this Password Hall of Shame list.

So strange they just dont invest the time and money to fix this issue. The $million this might cost to implement would be worth it, instead of wasting more money on ANOTHER homepage redesign (take the survey?)

[geekpryde]

Because accounts get locked after X number of incorrect login attempts, I don't know that a 45 character password is more secure than a 10 character one.

Offline password cracks dont get locked out, they could brute force you password to hearts content. That's the worry here. That some VG employee leaves a laptop at Starbcuks, or someone hacks into the site and download a database of account profiles. Dont think it happens? Do a google search. Dont think it happens to Big, Safe banks? Do a google search.

[Jacotus]

Because accounts get locked after X number of incorrect login attempts, I don't know that a 45 character password is more secure than a 10 character one.

Offline password cracks dont get locked out, they could brute force you password to hearts content. That's the worry here. That some VG employee leaves a laptop at Starbcuks, or someone hacks into the site and download a database of account profiles. Dont think it happens? Do a google search. Dont think it happens to Big, Safe banks? Do a google search.

Yes. Computers are fast enough now that basically any 8-character-or-under password can be easily brute forced if a password database is hacked. Short passwords really should be avoided, and Vanguard's limit is a travesty. Another major problem is that leaks of passwords have given a lot of insight into the types of passwords people usually use. A quote from a very informative article:

Most importantly, a series of leaks over the past few years containing more than 100 million real-world passwords have provided crackers with important new insights about how people in different walks of life choose passwords on different sites or in different settings. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.

"It has been night and day, the amount of improvement," said Rick Redman, ... "It's been an exciting year for password crackers because of the amount of data. Cracking 16-character passwords is something I could not do four or five years ago, and it's not because I have more computers now."

After reading that article I concluded that the only way to truly be secure is to use password managers which generate and store long random passwords, and use a different password for each site. It is not difficult to do with free tools today, but it is definitely inconvenient. And it doesn't help at Vanguard unless they change their laughably obsolete password limitations.

[mhc]

How many times has Vanguard been hacked?

Have you ever heard of a user's password being brute forced?

I have never heard of any security issues with major fund companies or brokerages in the US.

I sleep just fine at night.

[Rob5TCP]

How many times has Vanguard been hacked?

Have you ever heard of a user's password being brute forced?

I have never heard of any security issues with major fund companies or brokerages in the US.

I sleep just fine at night.

I have no idea if Vanguard or any firm has been hacked. If it's minor, it could be kept quiet and just those people compensated (if there was financial damage).
Only major hacks make the news. I do know that there is constant testing of security of many major firms.

If I have to move to a more secure site, I will ultimately do so (admittedly with reluctance).

[sscritic]

I sleep just fine at night.

So do I, but then I never look under the bed.

[Gort]

If someone hacked into your account, what would they do to it? Transfer money to your bank account?

[Taylor Larimore]

We need to write to Vanguard about this.

I am confident that Vanguard, the largest mutual fund company in the world, employs the top security consultants in the business. I suspect we have almost no idea what security measures they use. Vanguard is certainly not going to tell us.

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.

I'll invest the postage saved.

Best wishes.
Taylor

[Ed 2]

We need to write to Vanguard about this.

I am confident that Vanguard, the largest mutual fund company in the world, employs the top security consultants in the business. I suspect we have almost no idea what security measures they use. Vanguard is certainly not going to tell us.

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.

I'll invest the postage saved.

Best wishes.
Taylor

Agree!!!! It is naive to rave about this without any big security problems at this company been occur for many years. It is like we hear on TV "experts" telling us what CIA does wrong. LOL

[sscritic]

I don't understand the theory behind password policies that divide characters into distinct groups and require that you take 2 from column A, at least 1 from column B, no more than 2 from column C, and at least 2 from column D. It is a mathematical certainty that the number of legal passwords is much smaller than the total number of passwords and in fact might be less than the number of non-legal passwords. By restricting the form of the password, you are giving the hackers clues as to what to try. And this is supposed to make things more secure?

[Mudpuppy]

Yes, it is true that a 10 character password is easily cracked with current GPU cracking techniques. BUT, if you use a unique password that has never been used at another website, then the only way a hacker could get to the hashes needed to crack your password is by violating some other part of Vanguard's security. That would make the compromise Vanguard's fault, and you would be protected and made whole for any damages that resulted.

If you're worried about hackers draining your accounts in such a way that you would not be protected against loss, look into the cases surrounding bank accounts being drained after a keylogger was installed on a system (such as the Zeus malware theft ring). That's a far more pressing concern in day-to-day online financial transactions, provided that you use unique passwords for each website.

[Index Fan]

If someone hacked into your account, what would they do to it? Transfer money to your bank account?

Interesting that nobody has addressed this pertinent question

[StaTiK]

I don't understand the theory behind password policies that divide characters into distinct groups and require that you take 2 from column A, at least 1 from column B, no more than 2 from column C, and at least 2 from column D. It is a mathematical certainty that the number of legal passwords is much smaller than the total number of passwords and in fact might be less than the number of non-legal passwords. By restricting the form of the password, you are giving the hackers clues as to what to try. And this is supposed to make things more secure?

On a grand scale, yes. History has shown that if you don't use such rules then an unbelievably large number of people will use the password "password". If you make it alphanumeric it will be "abc123". Making it a minimum of 8 characters with at least one capital letter, one lower case letter, one number, and one symbol will shrink the overall potential combinations but will make the average password more secure than the average password without. Also, Vanguard wouldn't want the publicity or legal headache of dealing with people who had their life savings stolen because someone guessed that their password was "money".

I still agree that a 40-character password field (for example) would be easy to implement and would make the potential password pool so large that the requirements listed above, while still valuable, would shrink the pool by a practically insignificant amount.

[Bob.Beeman]

I am confident that Vanguard, the largest mutual fund company in the world, employs the top security consultants in the business. I suspect we have almost no idea what security measures they use. Vanguard is certainly not going to tell us.

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.

Taylor: I respect your opinion about nearly everything, but eHarmony, LinkedIn and others told a great story about their world-class security. I'm not buying it. Other large, competent organizations have made astounding errors due to arrogance. A case in point:

"Even if hot gasses did breach the first little rubber "O" ring, there is a second ring to stop them." http://science.ksc.nasa.gov/shuttle/missions/51-l/docs/rogers-commission/Appendix-F.txt
Before the Challenger accident, the NASA brass told us to expect one failure with loss of crew in 100,000 launches. The actual rate turned out to be 1 in 65 launches. Administrators ALWAYS have their heads in the sand, at least when it is to their advantage to do so and it involves issues they believe to be improbable.

If someone hacked into your account, what would they do to it? Transfer money to your bank account?

No. They would open a fraudulent bank account, change the transfer instructions, and transfer the money to that.

Security is in LAYERS. The most obvious layer is keeping user passwords safe when the password file is stolen. If Vanguard used standard, verified good, cryptosystems they wouldn't limit the length of passwords. The author of the paper I quoted is mostly convinced that they use plaintext passwords. If they do that, and have massive losses they will be unable to repay the losses.

- Bob Beeman.

[Jacotus]

No. They would open a fraudulent bank account, change the transfer instructions, and transfer the money to that.

I am in complete agreement with you that stronger passwords should be usable at Vanguard. However, there are extra layers to deal with the above issue. Someone correct me if I'm wrong, but I believe Vanguard sends e-mail to the address on file if anything on the account is changed, and if anything major is changed, such as linking a new bank account, then snail mail is also sent. These would hopefully alert the watchful owner that something is amiss.

[telemark]

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.

We shouldn't accept a poor process merely because so far it has produced a good outcome.

[Eric]

I don't understand the theory behind password policies that divide characters into distinct groups and require that you take 2 from column A, at least 1 from column B, no more than 2 from column C, and at least 2 from column D.

I recall seeing this xkcd comic recently. Possibly on this forum, in which case I'm sorry for the repetition -- but it seems relevant.

[Epsilon Delta]

Security is in LAYERS. The most obvious layer is keeping user passwords safe when the password file is stolen.

The most obvious layer is not letting the password file be stolen.

Many of the arguments about passwords are by people who think you can replace a 5 foot fence with a line of 50 foot poles ten feet apart.

[thebogledude]

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.

I think the statistics is half of companies don't know they've been hacked and they certainly don't want the media to know about a breach in security.
Having said that, all you can do is stick to best practices ie.
1. use strong passwords.
2. change your password periodically.
3. frequently monitor your accounts.
4. don't click on url links from vanguard email or any website's email for that matter since it could be a phishing attempt.
Type the url by hand, that way you will guarantee the site is geniune.

[Jerilynn]

How many times has Vanguard been hacked?

Have you ever heard of a user's password being brute forced?

I have never heard of any security issues with major fund companies or brokerages in the US.

I sleep just fine at night.

Just because someone has been golfing in lightning storms for 35 years and has NEVER been hit by lightning, doesn't mean it can't happen to them.

I think(hope?) Taylor is right and Vanguard has security measures in place that we don't know about. I'm not too concerned about it. [but, I admit that maybe I should be]

Oh, and my Boglehead password is 100 characters.

[thebogledude]

Just because someone has been golfing in lightning storms for 35 years and has NEVER been hit by lightning, doesn't mean it can't happen to them.

I think(hope?) Taylor is right and Vanguard has security measures in place that we don't know about. I'm not too concerned about it. [but, I admit that maybe I should be]

It depends on how they are regulated. I don't think they are regulated like a financial institution, which means they can get away with minimum security features.

[stlutz]

Excellent article on the subject:

http://www.wired.com/gadgetlab/2012/11/ ... acker/all/

[Mudpuppy]

Security is in LAYERS. The most obvious layer is keeping user passwords safe when the password file is stolen. If Vanguard used standard, verified good, cryptosystems they wouldn't limit the length of passwords. The author of the paper I quoted is mostly convinced that they use plaintext passwords. If they do that, and have massive losses they will be unable to repay the losses.

Yes, the best security relies upon layers to avoid being crunchy on the outside but chewy on the inside (the "crunchy-chewy" security model with only perimeter defenses is unfortunately widely employed). However, preventing the loss of the password file should not be the only security layer there is. There should also be layers to guard against the consequences of such a loss and to stop resulting attacks before losses are too great for insurance and reserves to handle.

For example, one cannot transfer money out of Vanguard without using an associated banking account. The thieves would have to associate accounts controlled by them if the goal was to drain the money (there are of course other attacks such as trading specific stocks that would not require this step). If Vanguard were to suddenly note a surge in traffic with all accounts suddenly trying to add new banking information to untraceable accounts, they would be wise to put a halt to such activity until the matter could be sorted out. Even if such a control were not in place, the legitimate account holders would receive notice of the change and it would be so wide-spread that many people would call Vanguard about it and that would raise a manual alarm, in most cases before any money could even have been transferred (due to delays in associating accounts and ACHing money). Likewise, a surge in trading specific stocks could indicate a trade-based attack and this would trip trading safeguards if done too quickly. These are just a few examples of additional layers of security to guard against another layer (the protection of the password file/database) being compromised.

So yes, it is poor to have an artificially low password length. But I don't think even a password file compromise would have catastrophic fiscal consequences due to other layers of security present. Any massively wide enough attack to threat the fiscal stability of Vanguard would be such a bull in a china shop that it would raise alarms long before it could bring Vanguard down.

[SpringMan]

I see Fidelity also made the list. Having accounts only at Fidelity and Vanguard I am batting 1000.

[richard]

Another problem with Vanguard's security is that they make it easier than many sites to find a username. Most sites have you enter username and password on the same screen. Vanguard has one screen for username, then a second for password. This lets you try to guess usernames until you get one right, rather than no being sure if your problem was username or password.

A password reset mechanism is often much more of a problem than insecure passwords, as stlutz mentioned. Using questions that are easily guessable or publicly discoverable is terrible security. It's much easier to figure out where you were born or your first job than to figure out your password.

[bberris]

If someone hacked into your account, what would they do to it? Transfer money to your bank account?

They might buy thinly traded penny shares, driving up the price, while selling them from their own account.

[khh]

I'll add my 2 cents. I changed the email address for my Vanguard account. I received confirmation of the change at my new email address, but not at the original. There was a message in my inbox at VG that said " You will receive a confirmation of this change at your new e-mail address as well as your mailing address."

It seems to me that they should send confirmation to the old email address as well. Snail mail is fine as a security check, but if someone got into your account and changed it, it might be several days before you were aware.

[KyleAAA]

How many times has Vanguard been hacked?

Have you ever heard of a user's password being brute forced?

I have never heard of any security issues with major fund companies or brokerages in the US.

I sleep just fine at night.

How often has Vanguard been hacked? Likely dozens if not hundreds of times. It happens to every large website. You don't think they would announce it, do you? Almost nobody announces it unless it's too big to keep quiet. For every big hack announced in the media, thousands happen with no fanfare. The "have you ever heard of..." defense is not valid. Of course you wouldn't have heard about it. They don't advertise these things.

[KyleAAA]

We need to write to Vanguard about this.

I am confident that Vanguard, the largest mutual fund company in the world, employs the top security consultants in the business. I suspect we have almost no idea what security measures they use. Vanguard is certainly not going to tell us.

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.

I'll invest the postage saved.

Best wishes.
Taylor

Agree!!!! It is naive to rave about this without any big security problems at this company been occur for many years. It is like we hear on TV "experts" telling us what CIA does wrong. LOL

No, it's naive to think just because we haven't heard about it, no big security problems have occurred. In fact, it's naive to think just because Vanguard hasn't NOTICED it that no big security problems have occurred. I don't have THAT much faith in their IT department based on what I've seen over the years. The password policy hall of shame thing is very, very justified. Internet security isn't like the CIA. It's a very large, very vocal, and very open community. There are literally tens of thousands of people out there more than qualified to criticize Vanguard for their security practices.

[KyleAAA]

I don't understand the theory behind password policies that divide characters into distinct groups and require that you take 2 from column A, at least 1 from column B, no more than 2 from column C, and at least 2 from column D. It is a mathematical certainty that the number of legal passwords is much smaller than the total number of passwords and in fact might be less than the number of non-legal passwords. By restricting the form of the password, you are giving the hackers clues as to what to try. And this is supposed to make things more secure?

In practice, if you don't require them to do otherwise most people will just use "password" or their kid's names or whatever. There are entire lists of most-used passwords on the web. Even if you just had access to the top 100 or so, you could probably crack a non-insignificant number of accounts. Password requirements prevent users from picking those obvious passwords. It just cuts off the low-hanging fruit.

[khh]

A few years back I was at an internet cafe and tried to log on to my Chase account. I got a message that this was an unrecognized computer and I would need to have a one-time PIN to access it. They sent me the PIN via the cell phone number that was on file. The PIN was only valid for a short amount of time, around 5 minutes as I recall.

I'd like to see something like that used at VG and elsewhere. When you log on to your account, VG could automatically contact you with a one-time PIN that was good for 5 minutes. That seems like it would be more secure than a password.

[JamesSFO]

Reading the website more carefully the front page there is a bit of scare mongering, he has great factual information on what to do with password security on the linked pages but his headlines are assumptions about insecure password storage based on password length limits. Mind you he won't remove you from the scare mongering page as a business unless your security team talks to him and gives him details. That's a bit of a racket IMHO.

Reading the detailed pages he recommends around ~12 characters for a secure password so VG's limit of 10 is not completely out of whack and he has absolutely no proof/knowledge of how VG handles the passwords on than an assumption.

Quite honestly, taking any account closure actions based on his assumptions page seems odd to me unless: (1) you already are using securely generated random passwords for all websites of >10 characters, (2) you are using different passwords for every website, (3) you are using 2-factor authentication where ever possible. If you are doing all of those things already and feel that 10 random characters plus VG's other measures are insufficient then go for a change...

[geekpryde]

If someone hacked into your account, what would they do to it? Transfer money to your bank account?

Interesting that nobody has addressed this pertinent question

Yes, a valid question. But then again, if someone broken into your home, and only watched you sleep, and stole nothing, would that bother you or not?

[geekpryde]

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.

We shouldn't accept a poor process merely because so far it has produced a good outcome.

Agreed. There have been plenty of banks that have been hacked, for many tens of millions of dollars, and the whole thing in hushed up and often times the banks don't even involve their own insurance companies. The long term cost of making a breach publicly known is much larger than simply restoring customer funds from company funds.

I guess I technically sleep well at night too (as some posters brush this off as a non-issue), again, this I why I don't move funds out of VG.

However, if we KNOW something can be done about this password problem, and we KNOW it is basically something EVERY SINGLE OTHER Large Bank and Brokerage site ALREADY implements, WHY must we just accept this BS 10 char password? Even if VG is already secure against 99% of all the worlds ills, WHY would they not close the loop on the last 1%, even if the possibility of a hacked account is very small????

There are plenty of things about VG security that we don't know about, and maybe they have extremely robust security that they don't share (and should not share). But this is something WE DO KNOW about, and it's extremely lacking. VG KNOWS that customers and hackers KNOW about this weakness, and yet they do nothing.

[Calm Man]

This may be heresy but I take the opposite approach. If the password is not one that I can easily remember, as happens at some companies with policies requiring a whole bunch of letters, numbers, symbols and capitals, then I write it down. More easily stolen than a computer hacked. Also, if they did breach your account there is nothing they could do other than transfer money to your bank. Vanguard locks your account for 2 weeks after a password change for withdrawals and you receive a letter, So the thieves would need to rob your mailbox too and hope you don't try to log on within the 2 week period. If you check your account daily or weekly, all is good.

[blackstone]

I don't understand this blind trust in Vanguard's IT security. Absence of evidence of break-ins is not evidence of absence of break-ins.

Unfortunately, both Vanguard and Fidelity have extremely poor password policies, with Fidelity being worse. Did you know that your fidelity password is actually a number (letters translated to phone key pad digits) ? This was so that it could work at the ATM's they used to have and I believe is still true. In this day and age, not having at-least 2-factor authentication for login access is just terrible. That is not to say that 2-factor has been compromised too in the past (RSA server hack a couple of years ago).

[geekpryde]

Quite honestly, taking any account closure actions based on his assumptions page seems odd to me unless: (1) you already are using securely generated random passwords for all websites of >10 characters, (2) you are using different passwords for every website, (3) you are using 2-factor authentication where ever possible. If you are doing all of those things already and feel that 10 random characters plus VG's other measures are insufficient then go for a change...

I don't plan on ever closing my VG account, unless something about the company's reputation and philosophies change for the extreme worse, and I don't think that will ever happen. I fully agree with your list, but it sounds as if you don't think anyone here has already done those things? Many millions of people use KeePass, LastPass, and their various siblings. I use KeePass and have very long, very random passwords at about 200 sites. I use 30 char long passwords wherever possible. No password is ever used more than once. I use multi-factor authentication where possible.

Again, not sure why otherwise very smart people here want to come up with a checklist of why VG should not fix the issue. Even if this passwords problem is a red herring, WHY NOT fix it, and shut everyone up? Would it not be better to fix this blemish and then announce from the tallest peak that Vanguard had the absolute best security in the financial industry, including allowing passwords twice as long as the next largest financial institution? Why not make this a selling point/ bragging right, instead of something people complain / debate about on forums?

[JamesSFO]

I don't plan on ever closing my VG account, unless something about the company's reputation and philosophies change for the extreme worse, and I don't think that will ever happen. I fully agree with your list, but it sounds as if you don't think anyone here has already done those things? Many millions of people use KeePass, LastPass, and their various siblings. I use KeePass and have very long, very random passwords at about 200 sites. I use 30 char long passwords wherever possible. No password is ever used more than once. I use multi-factor authentication where possible.

Again, not sure why otherwise very smart people here want to come up with a checklist of why VG should not fix the issue. Even if this passwords problem is a red herring, WHY NOT fix it, and shut everyone up? Would it not be better to fix this blemish and then announce from the tallest peak that Vanguard had the absolute best security in the financial industry, including allowing passwords twice as long as the next largest financial institution? Why not make this a selling point/ bragging right, instead of something people complain / debate about on forums?

I am not giving a checklist of why VG should avoid addressing the issue. I also don't think most--many?--people are doing all of the things I highlighted--good that you are--so to me this discussion is a reminder that security is a two way street.

[mhc]

How many times has Vanguard been hacked?

Have you ever heard of a user's password being brute forced?

I have never heard of any security issues with major fund companies or brokerages in the US.

I sleep just fine at night.

How often has Vanguard been hacked? Likely dozens if not hundreds of times. It happens to every large website. You don't think they would announce it, do you? Almost nobody announces it unless it's too big to keep quiet. For every big hack announced in the media, thousands happen with no fanfare. The "have you ever heard of..." defense is not valid. Of course you wouldn't have heard about it. They don't advertise these things.

If you read my post as a defense, you took it the wrong way. What I want to do is make an informed decision based on facts and not speculation. Can you provide the sources for your statements?

[jacksprat]

On the bottom of the website mentioned by the OP, there is a link to crackstation ! "Free Password Hash Cracker"
So we're actually supposed to believe these folks are acting in our best interest? Really ? This all looks like some snotty nose high schoolers attempt to gain notoriety ..

[tadamsmar]

I have never heard of any security issues with major fund companies or brokerages in the US.

I can fix that for you!:

http://datalossdb.org/primary_sources/0 ... nguard.pdf

[tadamsmar]

If someone hacked into your account, what would they do to it? Transfer money to your bank account?

They might buy thinly traded penny shares, driving up the price, while selling them from their own account.

Can you do that with a mutual fund account?

I suppose it's a risk for EFT owners, right? It has happened:

http://www.washingtonpost.com/wp-dyn/co ... 01763.html

[KyleAAA]

How many times has Vanguard been hacked?

Have you ever heard of a user's password being brute forced?

I have never heard of any security issues with major fund companies or brokerages in the US.

I sleep just fine at night.

How often has Vanguard been hacked? Likely dozens if not hundreds of times. It happens to every large website. You don't think they would announce it, do you? Almost nobody announces it unless it's too big to keep quiet. For every big hack announced in the media, thousands happen with no fanfare. The "have you ever heard of..." defense is not valid. Of course you wouldn't have heard about it. They don't advertise these things.

If you read my post as a defense, you took it the wrong way. What I want to do is make an informed decision based on facts and not speculation. Can you provide the sources for your statements?

My source is I work at a very large .com and have run quite a few myself. Security is a never-ending arms race. It is common practice not to publicly acknowledge security breaches unless there is no choice. My point was that not having heard of any security problems at Vanguard does not mean they haven't occurred regularly in the past. Why would they announce it? They have nothing to gain and a lot to lose. If you just throw up a website that gets even just a few hundred visitors per day you will notice daily hacking activity in your logs, and these are sites that DON'T handle billions of dollars in financial transactions. It is a virtual certainty there have been at least a dozen attacks or so just since this thread was started. It's highly unlikely any were successful, but if you try a billion different attacks in a billion different ways, eventually you'll probably be successful. There's no point making it any easier than it needs to be which, unfortunately, is what Vanguard seems to do. I personally like the Chase approach mentioned above.

[tadamsmar]

This may be heresy but I take the opposite approach. If the password is not one that I can easily remember, as happens at some companies with policies requiring a whole bunch of letters, numbers, symbols and capitals, then I write it down. More easily stolen than a computer hacked. Also, if they did breach your account there is nothing they could do other than transfer money to your bank. Vanguard locks your account for 2 weeks after a password change for withdrawals and you receive a letter, So the thieves would need to rob your mailbox too and hope you don't try to log on within the 2 week period. If you check your account daily or weekly, all is good.

I don't think they lock it for 2 weeks after a password change. Maybe after a bank account change?

But brokerage accounts are open to "hack pump and dump" attacks that can be completed in a period of hours or less and do not involve your linked bank account.

[geekpryde]

On the bottom of the website mentioned by the OP, there is a link to crackstation ! "Free Password Hash Cracker"
So we're actually supposed to believe these folks are acting in our best interest? Really ? This all looks like some snotty nose high schoolers attempt to gain notoriety ..

There are many different kinds of hackers, some malicious, some not. Some people do things to excersise their mind, or prove that something can be done. Some people want to help others, Some people do things for money, some do it for fame, as you said.

The point is, EVERY type of hacker is valuable to normal people, like you and me. They throw themselves at the eclectic fence and test for weaknesses. Some sell their findings to the hacker black market, some disclose findings publically, some disclose findings privately to the company affected, and there are other means to disseminate hacks.

The point is, eventually the company knows about the hack, either because they are breached or because it is disclosed to them prior to a breach. Either way WE ARE ALL SAFER because of the hackers and companies struggle to outdo each other. But that concept fails if a company like VG decides, "Im not going to play the game".

You might be right about "snotty nose high schoolers", that group has certainly been known to include individuals that can also be labeled the "genius hacker" type. Either way, shining light into darkness should be considered a public service IMHO.

[mhc]

I have never heard of any security issues with major fund companies or brokerages in the US.

I can fix that for you!:

http://datalossdb.org/primary_sources/0 ... nguard.pdf

That is not a case of someone from the outside getting in, but rather Vanguard sending out some inappropriate information.