sperry8 wrote: I complained to my Flagship advisor about this. He seemed to understand my concerns, but said VG isn't overly worried, since monies cannot be taken out of the acct for a few weeks after any address change. So someone getting my password wouldn't be able to 'steal' my money without me catching them.
Seemed an absurd answer to me... but that's the position they are taking.
I don't think it's absurd, but I think it's correct to assume that monitoring your snail mail from Vanguard and/or checking your Vanguard account every few weeks is important. This is true regardless of the length of your password, since cracking your password is certainly not the only way for a hacker to get your password. It's possible that having a longer password would do relatively little to increase your security given all the other methods.
Don't be fooled into thinking that monitoring emails about transactions is sufficient. Last I checked, you don't get notification at your old email address when your email is changed online at Vanguard. If a hacker gains access to your account and changes your email address before making any other changes, then you will be blind as far as monitoring your email is concerned.
When you log into your Vanguard account, your email address is shown on the first screen and it is worth checking it each time you log in. The last login date is also shown, but it's useless if you have any kind of aggregator like Mint accessing your account daily.
Also, "hack pump and dump" attacks can steal your money in a few hours or less. But I don't think they can be used against an account that can only buy mutual funds. They can be used against a brokerage account that can buy stocks subject to pump and dump manipulation. I suppose IRAs that can invest in ETFs might be subject to this kind of an attack. I am not sure if a hacker can convert a Vanguard IRA into an account that can buy stocks.