Vanguard is on the Password Hall of Shame.

tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

Mudpuppy wrote:
magellan wrote:Cyber-security reporter Brian Krebs posted on his blog today about a new botnet that's believed to be targeting investment accounts, instead of the more typical bank accounts that these criminal enterprises usually go after.

This doesn't change anything in terms of what we've been discussing in this thread, but it does drive home that point that the threat is real and probably growing.

http://krebsonsecurity.com/2012/12/new- ... ecurity%29
Brian Krebs wrote:“The last victim we documented was November 30, 2012, so it shows there has been activity subsequent to his posting,” Sherstobitoff said. “Our research indicates the operation has been in the planning stages for months.”

Sherstobitoff posits that vorVzakone most likely intended to hire botmasters who already had access to substantial numbers of login credentials for the U.S. financial institutions targeted in the scheme. As detailed in a screen shot published on this blog in early October, there are some banks you’d expect to see on the list — Bank of America, Capital One and Suntrust, for example — but many of the targets of Project Blitzkrieg are in fact investment banks, such as American Funds, Ameritrade, eTrade, Fidelity, OptionsExpress, and Schwab.
Jim
That botnet uses stolen credentials from keylogging malware to break into the accounts, not password cracking. It more emphasizes the previous threads on having a dedicated machine for investment purposes than anything to do with passwords. Once you have been compromised with a keylogger, it doesn't matter what the password policy is or how complex the password is, the game has already been lost.
Also, the plan was for the compromised PC to be cloned. I assume that means that it would be trusted as if it was your home PC so that the hacker would not be challenged with security questions.

Of course, this was just talk on a newsgroup, not a report about an actual attack, so there was skepticism on the matter.
globalexpat
Posts: 21
Joined: Sat Jul 21, 2012 7:17 am

Re: Vanguard is on the Password Hall of Shame.

Post by globalexpat »

With the proliferation of keylogging malware, it's hard to believe that more financial institutions haven't implemented two-factor authentication. I understand that most people find it to be an inconvenience and would not activate it, but I believe that institutions have an obligation to at least make this an option for their customers. I think most of us would even be willing to pay for it, if offered.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

globalexpat wrote:With the proliferation of keylogging malware, it's hard to believe that more financial institutions haven't implemented two-factor authentication. I understand that most people find it to be an inconvenience and would not activate it, but I believe that institutions have an obligation to at least make this an option for their customers. I think most of us would even be willing to pay for it, if offered.
I think this is an interesting piece on how multi-factor authentication was side-stepped:

http://en.wikipedia.org/wiki/Multi-fact ... Compliance

Also, if you ever wondered where security images and challenge-questions came from, it provides an answer.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

I had an illustration of why you can't trust email links the other day. I got an email from my sister-in-law. When I clicked on a link in it, I got an attack warning from Symantec, which was installed on the machine. A few days later I got an email from my sister-in-law indicating that her email had been taken over by malware.
globalexpat
Posts: 21
Joined: Sat Jul 21, 2012 7:17 am

Re: Vanguard is on the Password Hall of Shame.

Post by globalexpat »

tadamsmar wrote:I think this is an interesting piece on how multi-factor authentication was side-stepped:

http://en.wikipedia.org/wiki/Multi-fact ... Compliance

Also, if you ever wondered where security images and challenge-questions came from, it provides an answer.
True, there have been exploits of various forms of 2FA, but not all 2FA is created equal, either. I'd like Vanguard (and other institutions) to provide something along the lines of a YubiKey (see LastPass) or an RSA token. They're not foolproof -- much of it depends on how these institutions implement 2FA -- but it would make things substantially more difficult for would-be hackers and thieves. This is not new technology. The time is right for this to become mainstream.
Cosmo
Posts: 1385
Joined: Mon Mar 05, 2007 8:46 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Cosmo »

Bob.Beeman wrote:Previous posts have discussed Vanguard's bad password policies, which appear to indicate that the site may have poor security, possibly even including storing passwords as plaintext (a BIG security NO-NO).

Today I discovered that Vanguard is on the https://defuse.ca/password-policy-hall-of-shame.htm Password Policy Hall of Shame at the Defuse Security website.

The issue: unreasonably short maximum password length (10 characters), which becomes a huge issue if their password file is stolen. Can't happen? Ask eHarmony or LinkedIn. It happened to them and countless others.

We need to write to Vanguard about this. Also about their policy on re-registration, which depends on public information like your birthplace, mother's maiden name, etc. all of which are incredibly insecure for the purposes for which they are used.

- Bob Beeman.

I have a long list of things to worry about. This is on the top of page 12 of my list...
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: Vanguard is on the Password Hall of Shame.

Post by magellan »

globalexpat wrote:They're not foolproof -- much of it depends on how these institutions implement 2FA -- but it would make things substantially more difficult for would-be hackers and thieves. This is not new technology. The time is right for this to become mainstream.
IMO, this isn't quite right. With today's malware-as-criminal-enterprise model and widely available exploit kits with remote access features, 6-factor authentication wouldn't help much.

The key to understanding this is to forget about key-loggers and form-grabbers, and instead consider session hijacking. Today's malware enterprises use 'call centers' that are staffed 24x7 with folks standing by, waiting for a user on an infected machine to authenticate to their FI. Once a user authenticates, a 'call center' worker uses remote-control software to create what's essentially a hidden browser window to hijack the user's authenticated session. At this point, they have full access to the user's online account through the user's own infected machine. The most sophisticated versions of this attack are customized to specific FIs and use html injection to hide any transactions that the malware creates. So when the user on the infected machine views their account, everything looks normal.

Keep in mind a key rule of online security: if a user on a malware infected machine can access their account, the criminal that controls the malware can too. It's really that simple and no amount of heroics in the authentication system can overcome this. There have been attempts to lock down browser code and prevent installation of remote access trojans (eg see trusteer), but so far they've fallen short.

As I said before, authentication is important as a first line of defense and FIs should follow best practices. OTOH, IMO it's a huge mistake for FIs to dedicate excessive resources trying to make their authentication system bullet proof. 2FA may make it tougher for family members and ex-spouses to gain unauthorized access to an account, but it's no match at all for today's malware.

Jim
wander
Posts: 4419
Joined: Sat Oct 04, 2008 9:10 am

Re: Vanguard is on the Password Hall of Shame.

Post by wander »

Best practice is to change the password regularly.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Vanguard is on the Password Hall of Shame.

Post by Mudpuppy »

wander wrote:Best practice is to change the password regularly.
This too has been debunked as a best practice, unless it is also combined with the use of a password locker. Human brains just aren't that good at memorizing things (particularly long, complex passwords) and frequent change makes the memorization process even harder. The net result for those not using password lockers is a trend towards using simpler, shorter passwords that are easy to memorize. But these are also easier to crack, which defeats the purpose of changing the password in the first place (password changing only guards against cracking attacks). It's a bit of a zero sum game for the average user.
Jerilynn
Posts: 1929
Joined: Tue Sep 06, 2011 12:49 pm
Location: USA, Earth

Re: Vanguard is on the Password Hall of Shame.

Post by Jerilynn »

wander wrote:Best practice is to change the password regularly.

How does changing my password from qAjeineong83TSbywaty6532 to ju78ejTGb7@*yte444452fg help with security? I guess someone could hack it and decide to wait 2 months before using the information, at which time the password has been changed?
Cordially, Jeri . . . 100% all natural asset allocation. (no supernatural methods used)
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: Vanguard is on the Password Hall of Shame.

Post by magellan »

Jerilynn wrote:How does changing my password from qAjeineong83TSbywaty6532 to ju78ejTGb7@*yte444452fg help with security? I guess someone could hack it and decide to wait 2 months before using the information, at which time the password has been changed?
The theory is that if a password database is stolen and no one detects it, the bad guys have all the time in the world to crack the passwords and it's conceivable that with a large enough botnet, they could have success in as little as a few months with a brute force attack. Imagine the case where a crook somehow gained unfettered and undetected access to an FI's encrypted password database and set 10,000 or 100,000 computers off to work for several months attempting to crack the passwords.

Changing your password regularly eliminates or greatly reduces the risk in this situation because by the time the crook can crack your password, it won't be valid anymore.

Jim
JamesSFO
Posts: 3404
Joined: Thu Apr 26, 2012 10:16 pm

Re: Vanguard is on the Password Hall of Shame.

Post by JamesSFO »

magellan wrote: The theory is that if a password database is stolen and no one detects it, the bad guys have all the time in the world to crack the passwords and it's conceivable that with a large enough botnet, they could have success in as little as a few months with a brute force attack. Imagine the case where a crook somehow gained unfettered and undetected access to an FI's encrypted password database and set 10,000 or 100,000 computers off to work for several months attempting to crack the passwords.

Changing your password regularly eliminates or greatly reduces the risk in this situation because by the time the crook can crack your password, it won't be valid anymore.

Jim
That it does; however, it creates other tradeoffs when people are forced to update their passwords too frequently and don't use password generators: they tend to pick easier and/or repetitive passwords and/or write them down (insecurely) and/or have to call customer service for resets, etc.
Jerilynn
Posts: 1929
Joined: Tue Sep 06, 2011 12:49 pm
Location: USA, Earth

Re: Vanguard is on the Password Hall of Shame.

Post by Jerilynn »

magellan wrote:
Jerilynn wrote:How does changing my password from qAjeineong83TSbywaty6532 to ju78ejTGb7@*yte444452fg help with security? I guess someone could hack it and decide to wait 2 months before using the information, at which time the password has been changed?
The theory is that if a password database is stolen and no one detects it, the bad guys have all the time in the world to crack the passwords and it's conceivable that with a large enough botnet, they could have success in as little as a few months with a brute force attack. Imagine the case where a crook somehow gained unfettered and undetected access to an FI's encrypted password database and set 10,000 or 100,000 computers off to work for several months attempting to crack the passwords.

Changing your password regularly eliminates or greatly reduces the risk in this situation because by the time the crook can crack your password, it won't be valid anymore.

Jim
Thanks Jim, makes sense.
brianH
Posts: 666
Joined: Wed Aug 12, 2009 12:21 pm

Re: Vanguard is on the Password Hall of Shame.

Post by brianH »

globalexpat wrote: provide something along the lines of a YubiKey
As a software developer who has played around with one, I really like the Yubikey. It's pretty easy to implement (use their webservice or roll your own), and from a user's perspective, it's simple to plug in (USB) and push the button. My current software offering uses the Google Authenticator (https://tools.ietf.org/html/rfc6238) method, which is an okay tradeoff to forcing users to purchase a Yubikey. I'd prefer the Yubikey for financial sites, because phones are frequently lost/stolen, and many users don't password protect them. Still, these options add hurdles for an attacker, and I think should be required for web-based financial access.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

Small business is very exposed to losses because nobody gives them a reimbursement guarantee and the scams can be completed quickly. The small business guidelines call for use of a dedicated computer that never uses email or anything but a banking site:

http://www.merchantcouncil.org/merchant ... rojans.php

Where the rubber hits the road, malware prevention is emphasized over strong passwords.

The relative immunity of Vanguard users to losses explains how it is that they indulge themselves in fretting about much less important issues.

PS: Even dedicated computers have been known to fail, in that Microsoft Update was once used to deliver malware. This was due to an error by Microsoft while updating the security of their update processes: they allowed a weak hash to remain in use after it was supposed to be replaced, and the hash was cracked, allowing hackers to trick PCs into thinking malware was a legit Microsoft update.
Electron
Posts: 2656
Joined: Sat Mar 10, 2007 7:46 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Electron »

stlutz wrote:What I worry about is how easy it is to reset your password at various financial institutions. When someone can get a new password for your account by answering some non-secure "security questions", that's where the problem lies.
Has anyone experimented with incorrect answers to security questions? It appears that Vanguard tolerates one wrong character, and that includes being short one character or having one extra character. Note that it is possible to force the use of security questions on every log-in. That could enhance security significantly.

Vanguard allows up to 50 characters for security questions. I wonder if it would be a good idea to use multiple words to answer the questions. Another possibility would be answering each question with something other than the correct answer. In that case one must make certain that they can remember or have access to the required information.
Enjoying the Outdoors
bUU
Posts: 608
Joined: Sun Nov 25, 2012 10:41 am

Re: Vanguard is on the Password Hall of Shame.

Post by bUU »

Electron wrote:Note that it is possible to force the use of security questions on every log-in.
How do you reset that setting once set?
Electron
Posts: 2656
Joined: Sat Mar 10, 2007 7:46 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Electron »

bicker wrote:
Electron wrote:Note that it is possible to force the use of security questions on every log-in.
How do you reset that setting once set?
They give you the option at each log-in. It comes up when they ask whether you are using a public computer. Note also that one can delete cookies and that should force the use of security questions on the next log-in.
bUU
Posts: 608
Joined: Sun Nov 25, 2012 10:41 am

Re: Vanguard is on the Password Hall of Shame.

Post by bUU »

You must enter the website some other way because I am given no such option that I can see. I'll look into clearing cookies.
yosef
Posts: 355
Joined: Tue May 24, 2011 2:10 pm

Re: Vanguard is on the Password Hall of Shame.

Post by yosef »

magellan wrote:
Jerilynn wrote:How does changing my password from qAjeineong83TSbywaty6532 to ju78ejTGb7@*yte444452fg help with security? I guess someone could hack it and decide to wait 2 months before using the information, at which time the password has been changed?
The theory is that if a password database is stolen and no one detects it, the bad guys have all the time in the world to crack the passwords and it's conceivable that with a large enough botnet, they could have success in as little as a few months with a brute force attack. Imagine the case where a crook somehow gained unfettered and undetected access to an FI's encrypted password database and set 10,000 or 100,000 computers off to work for several months attempting to crack the passwords.

Changing your password regularly eliminates or greatly reduces the risk in this situation because by the time the crook can crack your password, it won't be valid anymore.

Jim
Assuming the passwords listed there are actually representative of the passwords being used, I'd wager heavily the risk of them being brute forced is nil. If the password database was compromised, the attackers will be content with the probably 80% or more of passwords that they are able to easily crack via rainbow tables. As long as you're using long random passwords that are unique per site, I agree that changing them frequently doesn't add much additional security.
Electron
Posts: 2656
Joined: Sat Mar 10, 2007 7:46 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Electron »

bicker wrote:You must enter the website some other way because I am given no such option that I can see. I'll look into clearing cookies.
One does need to start without a cookie from Vanguard. You will then be given options, and at that point you can force the use of security questions on every log-in.

With 50 characters allowed for security questions, one can effectively wind up with a very long combined password.
sperry8
Posts: 3065
Joined: Sat Mar 29, 2008 9:25 pm
Location: Miami FL

Re: Vanguard is on the Password Hall of Shame.

Post by sperry8 »

I just updated my password to contain 12 characters (the max allowed by VG). According to this site http://howsecureismypassword.net/ it would take 2 thousand years to crack my password. I'm feeling pretty confident now :-)
BH Contests: 23 #89 of 607 | 22 #512 of 674 | 21 #66 of 636 |20 #253/664 |19 #233/645 |18 #150/493 |17 #516/647 |16 #121/610 |15 #18/552 |14 #225/503 |13 #383/433 |12 #366/410 |11 #113/369 |10 #53/282
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

sperry8 wrote:I just updated my password to contain 12 characters (the max allowed by VG). According to this site http://howsecureismypassword.net/ it would take 2 thousand years to crack my password. I'm feeling pretty confident now :-)
There's a lot of debate about how to properly measure password strength. You may want to take a look at this password checker also: http://rumkin.com/tools/password/passchk.php. A password that the checker you link to says would take 2 million years to crack, the checker I link to says it would only take a hacker "some good computing power" to crack.

Note also that the checker you link to says that it would take "2 thousand years" (or whatever) for "a desktop PC." Someone trying to crack a password using brute force, who was serious about it, would more likely use a botnet deployed through malware on thousands of PCs (which can be purchased cheaply on the black market). So that would radically reduce the time required. And of course, PCs are becoming more powerful all the time.

Here's a couple other links about password strength you might find useful: https://en.wikipedia.org/wiki/Password_strength, https://www.grc.com/haystack.htm.

In any case, after three attempts on Vanguard's site, the site would lock you out and require further security questions to be answered (be sure your security question answers are as random as your password, or you have totally defeated the point of having a good password). The scenario in which someone was trying to brute-force crack your password, I believe, would require someone having infiltrated Vanguard's backend systems (not impossible) and acquired the file with people's passwords, which they could then work on cracking offline. Or something like that, others who know more about it can explain more.
Rob5TCP
Posts: 3811
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Vanguard is on the Password Hall of Shame.

Post by Rob5TCP »

Different tests give different results. Five years ago password crackers did a few million passwords per second. Now they do over a billion. Supercomputers (which go after banks, not us) can do hundreds of billions per second.
Here are some stricter password testers.

http://rumkin.com/tools/password/passchk.php

Gibson Research - how long Brute force would take
on various strength computers:
This is brute force only - it does not test common dictionary passwords:

https://www.grc.com/haystack.htm
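The online checkers linked above hide their arithmetic. The block below is an added example, not from any post or from those sites: it works magellan's stolen-database scenario and Rob5TCP's guess rates through explicitly, so the reader can see why a 10-character case-insensitive password is a matter of weeks at one billion guesses per second and seconds on a large botnet, and why the server's choice of hash (a raw hash versus a slow KDF that costs tens of thousands of hash operations per guess) moves the result by the same factor. The rates, alphabet sizes and the "half the keyspace on average" model are assumptions taken from the figures in the thread, not measurements of any particular hardware or site.

```python
import math

# Guesses per second. Constructed from the figures quoted in the thread;
# they are order-of-magnitude assumptions, not benchmarks.
RATES = {
    "single PC, a few million/s": 5e6,
    "single PC, one billion/s": 1e9,
    "botnet of 100,000 PCs": 1e9 * 100_000,
    "hundreds of billions/s": 3e11,
}

# Alphabet sizes for the policies discussed in the thread.
CHARSETS = {
    "case-insensitive letters+digits": 36,
    "mixed-case letters+digits": 62,
    "mixed-case letters+digits+symbols": 95,
}


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Strength of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet)


def expected_seconds(alphabet: int, length: int, guesses_per_sec: float,
                     hash_cost: int = 1) -> float:
    """Average time for exhaustive search to hit one random password.

    The attacker tries half the keyspace on average. `hash_cost` is the
    number of hash operations the stored format requires per guess: 1 for
    an unsalted single hash, tens or hundreds of thousands for a PBKDF2 or
    bcrypt-style KDF, which divides the effective guess rate by that much.
    """
    return keyspace(alphabet, length) / 2 / (guesses_per_sec / hash_cost)


def humanize(seconds: float) -> str:
    for label, size in (("years", 365.25 * 86400), ("days", 86400),
                        ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {label}"
    return f"{seconds:,.1f} seconds"


def crack_table(alphabet: int, length: int, hash_cost: int = 1) -> dict:
    """Expected crack time under each assumed rate, keyed by rate name."""
    return {name: expected_seconds(alphabet, length, rate, hash_cost)
            for name, rate in RATES.items()}


if __name__ == "__main__":
    for policy, alphabet in CHARSETS.items():
        for length in (10, 12, 20):
            print(f"{policy}, {length} chars: {entropy_bits(alphabet, length):.1f} bits")
            for hash_cost in (1, 100_000):
                for name, secs in crack_table(alphabet, length, hash_cost).items():
                    print(f"    hash_cost={hash_cost:>6}  {name:<30} {humanize(secs)}")
```

For the 10-character, case-insensitive policy the table gives about 21 days at one billion guesses per second, under 20 seconds for the 100,000-machine botnet, and thousands of years once the server pays 100,000 hash operations per guess; raising the length to 20 mixed-case characters moves every row past the age of the universe. The two levers the user controls are length and alphabet; the lever the institution controls is the hash cost.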
Rob5TCP
Posts: 3811
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Vanguard is on the Password Hall of Shame.

Post by Rob5TCP »

sperry8 wrote:I just updated my password to contain 12 characters (the max allowed by VG). According to this site http://howsecureismypassword.net/ it would take 2 thousand years to crack my password. I'm feeling pretty confident now :-)
I just went to the Vanguard site and I was still limited to 10 characters. How did you get that expanded to 12 (better than nothing).
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

Rob5TCP wrote:Different tests give different results. Five years ago password crackers did a few million passwords per second. Now they do over a billion. Supercomputers (which go after banks, not us) can do hundreds of billions per second.
Here are some stricter password testers.

http://rumkin.com/tools/password/passchk.php

Gibson Research - how long Brute force would take
on various strength computers:
This is brute force only - it does not test common dictionary passwords:

https://www.grc.com/haystack.htm
I'm not sure who you're responding to. Your post immediately follows mine, but you seem not to have noticed that I linked to both of those password checkers already. Is there some additional point you're making?
sperry8
Posts: 3065
Joined: Sat Mar 29, 2008 9:25 pm
Location: Miami FL

Re: Vanguard is on the Password Hall of Shame.

Post by sperry8 »

Rob5TCP wrote:
sperry8 wrote:I just updated my password to contain 12 characters (the max allowed by VG). According to this site http://howsecureismypassword.net/ it would take 2 thousand years to crack my password. I'm feeling pretty confident now :-)
I just went to the Vanguard site and I was still limited to 10 characters. How did you get that expanded to 12 (better than nothing).
It just let me. According to this, it allows up to 12 chars. https://personal.vanguard.com/us/help/S ... ontent.jsp
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

sperry8 wrote:
Rob5TCP wrote:
sperry8 wrote:I just updated my password to contain 12 characters (the max allowed by VG). According to this site http://howsecureismypassword.net/ it would take 2 thousand years to crack my password. I'm feeling pretty confident now :-)
I just went to the Vanguard site and I was still limited to 10 characters. How did you get that expanded to 12 (better than nothing).
It just let me. According to this, it allows up to 12 chars. https://personal.vanguard.com/us/help/S ... ontent.jsp
That link says your username can be up to 12 characters, but your password only up to 10 characters.

I also tried changing my password to 12 characters and the website won't let me type any more than 10 characters.

Are you sure it's not just ignoring the last two characters? For example, right now the password is case insensitive. So if you have a capital letter it will accept that, but it won't pay any attention to whether you actually capitalize or not when you type in the password. Similarly, I wonder if it accepted the extra two characters from you for some reason, without objecting, but it's just ignoring them when you log in. So perhaps if you typed in only the first ten characters it would still log you in.

Or did you just perhaps not notice that when you selected your password, it stopped accepting characters after 10 characters? You can, of course, keep typing, but if you look no more dots are actually appearing in the webform. So you could have typed the extra characters when selecting a password, not noticed that the webform did not actually accept them, and now when you go and type your "12 character password" the website is really just looking at the first ten characters (which are correct) and not even noticing that you're typing two more.
sperry8
Posts: 3065
Joined: Sat Mar 29, 2008 9:25 pm
Location: Miami FL

Re: Vanguard is on the Password Hall of Shame.

Post by sperry8 »

cb474 wrote:
sperry8 wrote:
Rob5TCP wrote:
sperry8 wrote:I just updated my password to contain 12 characters (the max allowed by VG). According to this site http://howsecureismypassword.net/ it would take 2 thousand years to crack my password. I'm feeling pretty confident now :-)
I just went to the Vanguard site and I was still limited to 10 characters. How did you get that expanded to 12 (better than nothing).
It just let me. According to this, it allows up to 12 chars. https://personal.vanguard.com/us/help/S ... ontent.jsp
That link says your username can be up to 12 characters, but your password only up to 10 characters.

I also tried changing my password to 12 characters and the website won't let me type any more than 10 characters.

Are you sure it's not just ignoring the last two characters? For example, right now the password is case insensitive. So if you have a capital letter it will accept that, but it won't pay any attention to whether you actually capitalize or not when you type in the password. Similarly, I wonder if it accepted the extra two characters from you for some reason, without objecting, but it's just ignoring them when you log in. So perhaps if you typed in only the first ten characters it would still log you in.

Or did you just perhaps not notice that when you selected your password, it stopped accepting characters after 10 characters? You can, of course, keep typing, but if you look no more dots are actually appearing in the webform. So you could have typed the extra characters when selecting a password, not noticed that the webform did not actually accept them, and now when you go and type your "12 character password" the website is really just looking at the first ten characters (which are correct) and not even noticing that you're typing two more.
Ha! Look at that, you're right. I tried to log in just using 10 characters, and it let me. When I set up my password I used 12, but as you said, I guess it just ignores the last 2. Ridiculous.
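The exchange between cb474 and sperry8 is a black-box test for silent truncation and case folding, and it is worth seeing in code. The block below is an added example, not code from the thread or from Vanguard: `legacy_*` is a constructed model of the behaviour the two posters observed (lower-case the input, keep the first 10 characters, store a single unsalted hash), `hardened_*` is the corrected form (salted PBKDF2 over the full UTF-8 string, a generous length cap that rejects over-long input instead of cutting it), and `effective_length` performs exactly the probe cb474 proposed, logging in with shorter and shorter prefixes until one is refused. The 10-character limit comes from the thread; the SHA-1 storage, the 128-character cap, the iteration count and the sample password are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

LEGACY_MAX = 10  # the limit observed in the thread


def legacy_normalize(password: str) -> str:
    """Constructed model of the observed behaviour: case-insensitive and
    silently cut to 10 characters. An assumption for illustration, not a
    description of any real site's code."""
    return password.lower()[:LEGACY_MAX]


def legacy_store(password: str) -> str:
    # Unsalted single hash of the normalized string: weak by design, to
    # model a legacy scheme. Do not use this form in new code.
    return hashlib.sha1(legacy_normalize(password).encode("utf-8")).hexdigest()


def legacy_verify(stored: str, attempt: str) -> bool:
    return hmac.compare_digest(stored, legacy_store(attempt))


HARDENED_MAX = 128     # caps KDF work per login; longer input is rejected, never truncated
ITERATIONS = 100_000   # PBKDF2 work factor (assumed; tune to the server's budget)


def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 over the full password, case preserved."""
    if len(password) > HARDENED_MAX:
        raise ValueError("password too long")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def hardened_verify(stored: str, attempt: str) -> bool:
    if len(attempt) > HARDENED_MAX:
        return False
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


Verifier = Callable[[str, str], bool]


def effective_length(verify: Verifier, stored: str, password: str) -> int:
    """cb474's probe: try each prefix of the password, shortest first, and
    return the length of the shortest one the verifier accepts. Equals
    len(password) when nothing is discarded."""
    for n in range(1, len(password) + 1):
        if verify(stored, password[:n]):
            return n
    return len(password)


def case_sensitive(verify: Verifier, stored: str, password: str) -> bool:
    """True if swapping the case of every letter makes the login fail
    (trivially True when the password has no letters to swap)."""
    flipped = password.swapcase()
    return flipped == password or not verify(stored, flipped)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3xZ"  # constructed 13-character sample, not a real credential
    old = legacy_store(pw)
    new = hardened_store(pw)
    print(effective_length(legacy_verify, old, pw), case_sensitive(legacy_verify, old, pw))    # 10 False
    print(effective_length(hardened_verify, new, pw), case_sensitive(hardened_verify, new, pw))  # 13 True
```

The probe is something any customer can run against a live site with their own account, which is how the truncation in the thread was found; a site that passes it (effective length equals the password length and case matters) still tells you nothing about how the password is stored, which is what the "hash cost" in the cracking discussion depends on.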
leonard
Posts: 5993
Joined: Wed Feb 21, 2007 10:56 am

Re: Vanguard is on the Password Hall of Shame.

Post by leonard »

There is nothing that is preventing the user from using a more secure password. Even if Vanguard doesn't enforce "strong" passwords, users can still use them.

Also, who regularly uses a strong password (letters, numbers, and symbols) that is 10 characters long? I doubt many.
Leonard | | Market Timing: Do you seriously think you can predict the future? What else do the voices tell you? | | If employees weren't taking jobs with bad 401k's, bad 401k's wouldn't exist.
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

leonard wrote:There is nothing that is preventing the user from using a more secure password. Even if Vanguard doesn't enforce "strong" passwords, users can still use them.
Well, Vanguard's system is currently case insensitive, only recently started accepting special characters (although nothing on the website indicates this and even Vanguard's phone representatives are unaware of it), and is limited to ten characters (but this is supposed to change to twenty characters later in the year). Many security people consider fourteen characters the minimum for a good password.

So there is in fact quite a bit preventing the user from using a more secure password at Vanguard's site. That's what's so stupid about Vanguard's system, not only do they not force users to use better passwords (and any fraud that occurs as a result is an expense we all bear) but the one thing Vanguard is doing is to prevent users from using more secure passwords if they want to.

*
sperry8 wrote:Ha! Look at that, you're right. I tried to log in just using 10 characters, and it let me. When I set up my password I used 12, but as you said, I guess it just ignores the last 2. Ridiculous.
Yeah, it is ridiculous.
tibbitts
Posts: 23589
Joined: Tue Feb 27, 2007 5:50 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tibbitts »

cb474 wrote:
leonard wrote:There is nothing that is preventing the user from using a more secure password. Even if Vanguard doesn't enforce "strong" passwords, users can still use them.
Well, Vanguard's system is currently case insensitive, only recently started accepting special characters (although nothing on the website indicates this and even Vanguard's phone representatives are unaware of it), and is limited to ten characters (but this is supposed to change to twenty characters later in the year). Many security people consider fourteen characters the minimum for a good password.

So there is in fact quite a bit preventing the user from using a more secure password at Vanguard's site. That's what's so stupid about Vanguard's system, not only do they not force users to use better passwords (and any fraud that occurs as a result is an expense we all bear) but the one thing Vanguard is doing is to prevent users from using more secure passwords if they want to.

*
sperry8 wrote:Ha! Look at that, you're right. I tried to log in just using 10 characters, and it let me. When I set up my password I used 12, but as you said, I guess it just ignores the last 2. Ridiculous.
Yeah, it is ridiculous.
But isn't it also ridiculous to complain about something that is already in the process of being changed (well, apparently q3 2013)?

Paul
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

tibbitts wrote:But isn't it also ridiculous to complain about something that is already in the process of being changed (well, apparently q3 2013)?

Paul
Vanguard will still place an arbitrary twenty character limit on password length (a limit which this forum itself does not have). Vanguard still will not offer two factor authentication. Vanguard still employs a security question protocol that encourages people to use easily socially engineered information. If you forget your password, Vanguard verifies your identity (at least in part) using information that could be purchased online from background check websites.

So I don't know what exactly you think is being changed that meaningfully addresses the issue. But Vanguard is basically updating an incredibly behind the times subpar website security protocol, to one that is only very behind the times and subpar. In the end, any fraud that occurs as a result of this system is a cost that we all bear as clients of Vanguard. You may think that's ridiculous. I think it's ridiculous to be blase about these sorts of problems once one knows they exist.

After all, in the end these are people's life savings. It's sad that in the end it will probably take some truly horrible large scale fraud in which a lot of people are irrevocably harmed, before security really improves at financial institutions like Vanguard. (And we're only talking about improving to conform to well known already existing standards and technologies.)
gkaplan
Posts: 7034
Joined: Sat Mar 03, 2007 7:34 pm
Location: Portland, Oregon

Re: Vanguard is on the Password Hall of Shame.

Post by gkaplan »

If you're so upset by Vanguard's policy, why not use another financial institution, instead of continually and constantly complaining here?
Gordon
User avatar
Taylor Larimore
Posts: 32839
Joined: Tue Feb 27, 2007 7:09 pm
Location: Miami FL

Vanguard security ?

Post by Taylor Larimore »

Bogleheads:

I know nothing about internet security. However, I've achieved a limited amount of common sense:

* Vanguard is the largest mutual fund company in the United States.
* Vanguard and other mutual fund companies could not operate if security were a significant problem.
* Vanguard undoubtedly employs the best security experts and consultants.
* It is to Vanguard advantage to keep their security systems secret.
* I have never heard of Vanguard's security being successfully attacked.

Vanguard's security controls are way, way down on my list of worries.

Best wishes.
Taylor
"Simplicity is the master key to financial success." -- Jack Bogle
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard security ?

Post by tadamsmar »

Taylor Larimore wrote: * I have never heard of Vanguard's security being successfully attacked
I can fix that:
SEC says latest wave victimizes 7 online firms, earning fraudsters $732,941 in illicit profits....

The brokerages affected include E*Trade (Charts), Scottrade, TD Ameritrade (Charts), Vanguard Brokerage Services, Fidelity Investments, Merrill Lynch (Charts), and Charles Schwab (Charts).
http://money.cnn.com/2007/03/08/markets ... /index.htm
Last edited by tadamsmar on Thu Apr 04, 2013 11:54 am, edited 1 time in total.
User avatar
Taylor Larimore
Posts: 32839
Joined: Tue Feb 27, 2007 7:09 pm
Location: Miami FL

Vanguard brokerage fraud

Post by Taylor Larimore »

tadamsmar:

Thank you for the information.

Best wishes.
Taylor
"Simplicity is the master key to financial success." -- Jack Bogle
User avatar
Phineas J. Whoopee
Posts: 9675
Joined: Sun Dec 18, 2011 5:18 pm

Re: Vanguard security ?

Post by Phineas J. Whoopee »

Taylor Larimore wrote:Bogleheads:

I know nothing about internet security. However, I've achieved a limited amount of common sense:

* Vanguard is the largest mutual fund company in the United States.
* Vanguard and other mutual fund companies could not operate if security were a significant problem.
* Vanguard undoubtedly employs the best security experts and consultants.
* It is to Vanguard advantage to keep their security systems secret.
* I have never heard of Vanguard's security being successfully attacked.

Vanguard's security controls are way, way down on my list of worries.

Best wishes.
Taylor
[Emphasis added.]

Taylor and other Bogleheads,

I want to respond to Taylor's fourth point.

There was a time when secrecy was an essential element of security systems, but those days are gone. Modern security algorithms are completely public, and knowing the steps in their sequence doesn't help anybody break in. That was a major advance in digital security which came in 1976, when the original paper on Public-key cryptography was published.

Modern cryptography algorithms are known by those of us who are interested in such things as NP-complete problems. In practice, that means the only known method of attack guaranteed to be successful is to generate all possible encryption keys and try them until you get a readable result. This technique is called "brute force." If the text you're trying to read is limited to passwords which have known rules you can improve your efficiency a little by trying all possible passwords. The fact that you can crack a lot of people's accounts by guessing commonly used passwords is a different issue.

If anyone ever solves NP-completeness an awful lot of our digital world will turn on us. Nobody has shown it is impossible to solve an NP-complete problem using other than brute force, but it is easy to show (and is a common subject in computer science education) that every NP-complete problem is as hard as every other; and that if you ever solve one, you can use your work to solve them all.

To tie my response together, modern cryptography relies not on their ignorance, but rather on our own.

PJW
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

gkaplan wrote:If you're so upset by Vanguard's policy, why not use another financial institution, instead of continually and constantly complaining here?
I like Vanguard as an institution. I don't reduce it to its security protocols. No one out there is perfect. Vanguard has many advantages, as everyone here knows. That being said, I'd like Vanguard to be better. If you feel fine with a good enough, just trust us, attitude toward Vanguard's policy, then good luck to you. That attitude in the world of internet fraud sooner or later tends to lead to trouble.

That aside, I don't really agree with your characterization of my posts. This is a thread about Vanguard's password policy and by extension security policies. If it doesn't interest you then why don't you just ignore it rather than rudely telling other users what discussions they can have with each other? I just ignore threads that aren't interesting (or are annoying) to me. It's easier to do than going out of one's way to be rude. There are many many other threads out there to follow.
Taylor Larimore wrote:Bogleheads:

I know nothing about internet security. However, I've achieved a limited amount of common sense:

* Vanguard is the largest mutual fund company in the United States.
* Vanguard and other mutual fund companies could not operate if security were a significant problem.
* Vanguard undoubtedly employs the best security experts and consultants.
* It is to Vanguard advantage to keep their security systems secret.
* I have never heard of Vanguard's security being successfully attacked.

Vanguard's security controls are way, way down on my list of worries.

Best wishes.
Taylor
As others have noted, for some time secrecy has been considered a flaw in security protocols, not an advantage. If your protocols are open for others to review you are more likely to discover loopholes and bugs, before someone with malicious intent does. As far as I understand, openness has long been considered the gold standard for this type of security.

That aside, I'm sure as you suggest that Vanguard does put a lot of effort into security. However, as I mentioned in another thread, institutions like Vanguard have conflicts of interest when it comes to how they make decisions about security, between convenience of customers (which is good for business), cost (which is always a high priority for Vanguard), and security. I know someone who works in website security at a major bank and they know quite well the trade offs they're making between these interests and the risk it creates for their customers. And they're also pretty freaked out about the increasingly unmanageable security problems out there. So, I guess the "we should just trust that Vanguard knows what they're doing and always has our best interests at heart" attitude is not very reassuring to me. I can see just from using it that Vanguard's website security is subpar, even for an industry that tends to be behind the times in general. I don't know why anyone should just assume that this must mean magically behind the scenes it's all okay. That's a comforting thought. But I don't think it's a very logical one.

Ultimately, I think people are being naive if they think somehow security is more or less in control. One of these days there's going to be a big fraud scandal, with people losing a lot of money, at one financial institution or another and then suddenly things like two factor authentication won't seem so onerous.
lostInFinance
Posts: 218
Joined: Sun Mar 03, 2013 2:57 pm

Re: Vanguard is on the Password Hall of Shame.

Post by lostInFinance »

cb474 wrote: Ultimately, I think people are being naive if they think somehow security is more or less in control. One of these days there's going to be a big fraud scandal, with people losing a lot of money, at one financial institution or another and then suddenly things like two factor authentication won't seem so onerous.
Let's assume the worst case: Vanguard loses a billion dollars in a year. Note that vastly exceeds any documented computer fraud anywhere. Spread over Vanguard's AUM, that adds about 5 basis points to that year's expense ratio, which isn't great news, but most investors wouldn't even notice the difference on their statements. The other question is a billion dollars in fraud even slightly plausible. I bet if Vanguard had anywhere close to a billion dollars in fraud, the FBI and other government agencies would be taking very aggressive actions to unwind the transactions. I doubt anyone could get away with fraud on that scale.
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

lostInFinance wrote:Let's assume the worst case: Vanguard loses a billion dollars in a year. Note that vastly exceeds any documented computer fraud anywhere. Spread over Vanguard's AUM, that adds about 5 basis points to that year's expense ratio, which isn't great news, but most investors wouldn't even notice the difference on their statements. The other question is a billion dollars in fraud even slightly plausible. I bet if Vanguard had anywhere close to a billion dollars in fraud, the FBI and other government agencies would be taking very aggressive actions to unwind the transactions. I doubt anyone could get away with fraud on that scale.
Yeah, that could be true. Although I'm not sure why we should assume the worst case scenario has to be limited to a billion dollar loss. Why couldn't it be a lot more? I assume that we don't really know what the worst case scenario is and that if/when it happens it will potentially be something that no one anticipated.

Here's an interesting article, I posted elsewhere, about how large U.S. corporations, including financial institutions, are increasingly coming under large scale cyber attacks that they're not really prepared for: http://www.nytimes.com/2013/03/29/techn ... -data.html. One interesting element here is that the attackers are not interested in fraud, but rather simply in destruction. The potential for harm there may be even worse than with fraud. And it wouldn't really be relevant if the FBI could "catch" the attackers or not.

But I was thinking after the last post I wrote that the most insidious scenario may not be some huge scandalous fraud, but a certain low but increasing level of relatively minor fraud that financial institutions decide to tolerate in the name of preserving features of convenience for customers (which is basically already how credit cards work--convenience is deliberately chosen over fraud).

In this case, naive customers, who do not assiduously follow all of the security protocols that Vanguard suggests in the fine print and that Vanguard does not enforce as a requirement either, may on a regular basis find themselves defrauded and not getting reimbursed. Because the level of fraud isn't large enough and scandalous enough, institutions like Vanguard won't be forced to change their system to protect these customers.

But in essence, by not requiring better security, Vanguard and other financial institutions have set up the more ignorant and naive amongst us to potentially suffer devastating losses, for which they will not be reimbursed (even though Vanguard knew it was going to happen to some people and could have prevented it with different security protocols). A business decision is essentially made to let some people fall through the cracks, in order not to alienate other customers with more onerous security protocols.

Indeed, I would not be surprised if this is not basically already what happens. I'm sure Vanguard is not going to advertise when customers are defrauded, let alone when it happens and Vanguard refuses to reimburse them. So who really knows what the level of this sort of activity is. All we can know is what Vanguard's website security protocols are and based on their outdated nature guess that this leaves the door open to a certain level of fraud.

In the end, I'm not making any assumptions about what may or may not happen in the future or be happening now. I don't understand the logic of accepting security protocols based on the assumption that everything must be okay the way it is, otherwise it would be different. That is an argument for never changing or improving anything. There are plenty of long known better security protocols for websites out there. Vanguard is demonstrably way behind the times. They should do better. They should require customers to use better passwords, etc. I don't know why anyone would prefer worse security and unreasonably lenient requirements. We're not talking about our Facebook accounts. We're talking about people's life savings.
lostInFinance
Posts: 218
Joined: Sun Mar 03, 2013 2:57 pm

Re: Vanguard is on the Password Hall of Shame.

Post by lostInFinance »

cb474 wrote:
lostInFinance wrote:Let's assume the worst case: Vanguard loses a billion dollars in a year. Note that vastly exceeds any documented computer fraud anywhere. Spread over Vanguard's AUM, that adds about 5 basis points to that year's expense ratio, which isn't great news, but most investors wouldn't even notice the difference on their statements. The other question is a billion dollars in fraud even slightly plausible. I bet if Vanguard had anywhere close to a billion dollars in fraud, the FBI and other government agencies would be taking very aggressive actions to unwind the transactions. I doubt anyone could get away with fraud on that scale.
Yeah, that could be true. Although I'm not sure why we should assume the worst case scenario has to be limited to a billion dollar loss. Why couldn't it be a lot more? I assume that we don't really know what the worst case scenario is and that if/when it happens it will potentially be something that no one anticipated.

Here's an interesting article, I posted elsewhere, about how large U.S. corporations, including financial institutions, are increasingly coming under large scale cyber attacks that they're not really prepared for: http://www.nytimes.com/2013/03/29/techn ... -data.html. One interesting element here is that the attackers are not interested in fraud, but rather simply in destruction. The potential for harm there may be even worse than with fraud. And it wouldn't really be relevant if the FBI could "catch" the attackers or not.

But I was thinking after the last post I wrote that the most insidious scenario may not be some huge scandalous fraud, but a certain low but increasing level of relatively minor fraud that financial institutions decide to tolerate in the name of preserving features of convenience for customers (which is basically already how credit cards work--convenience is deliberately chosen over fraud).
I'll admit a billion is somewhat arbitrary, but the fraud just has to be large enough for the FBI to make the case a priority and reverse the transactions. I'm sure you can get to that point well short of a billion dollars. I don't really understand your point about credit cards. If credit card fraud happens, the credit card company absorbs the loss.
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

lostInFinance wrote:I'll admit a billion is somewhat arbitrary, but the fraud just has to be large enough for the FBI to make the case a priority and reverse the transactions. I'm sure you can get to that point well short of a billion dollars. I don't really understand your point about credit cards. If credit card fraud happens, the credit card company absorbs the loss.
Credit card companies treat fraud as an operating cost. They want to make it as convenient as possible to use credit cards, so that people are likely to use credit cards for as many transactions as possible. This leads to more profits (through merchant fees, interest on payments, etc.). If credit card companies instituted extra security measures (like having to enter a pin code with every credit card transaction--as is the case in other countries), people would use the cards less and they would make less money.

The more lax security measures make fraud more likely, but it is outweighed by the extra profits from a higher rate of credit card transactions. So it's a conscious trade off made by credit card companies. Fraud is just an operating cost accepted for higher profits. Of course, in the end we all pay the cost of this fraud in the higher merchant fees, etc., which get incorporated into the prices stores charge for their goods.

I know this from someone who works in the credit industry. I also know from someone, as I mentioned above, in online banking security that these same sort of trade offs are made in choices about bank website security. And so I have every reason to believe these sorts of calculations and trade offs also factor into the thinking behind websites security for financial institutions like Vanguard.

In the end, as I said, I don't know what kind of fraud is going to happen in the future. But from what I hear from people working behind the scenes, it's a lot messier and out of control than many people in this thread seem willing to believe and the problem is getting worse. This is why I think people should be demanding better security from all angles and not just assuming, with no evidence, that it must all be okay behind the scenes. But given the complacency and ignorance of most people, this is also why I think fraud is just going to increase one way or another (including in ways none of us can anticipate) until it becomes a big enough problem to generate more concern and outrage. In the mean time, a lot of people are going to fall through the cracks and have nightmare experiences. Maybe some or many of them will be reimbursed in the end, but I think it would be hard to recover from watching much of one's life savings evaporate only to reappear later. I don't know how one would feel secure after that.

That said, can the FBI just reverse any old financial transaction it wants to? What if someone wires money out of the country to some place we don't have good relations with? How does the FBI reverse that? I find it hard to believe it's that simple, but I don't really know anything about what the FBI does with cases like this.
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

I was trying to search around and find more information about what sort of online fraud is actually happening. It's a little tricky because all sorts of other things come up about securities fraud, embezzlement, and other types of activities. But I did find a company that works with online banking fraud that did a study with another company and published this information regarding small businesses in August 2012 "Independent study finds that financial institutions are losing clients as a result of a single fraud attack": http://www.guardiananalytics.com/newsan ... 062012.php.

These people were subject to account takeover type of attacks.

Some excerpts:
The study revealed that 73 percent of online fraud attacks result in the successful transfer of money. Despite efforts by financial institutions to recover funds, 61 percent of reported fraud attacks result in lost funds. Reimbursement of losses varies - in some cases the business takes the full loss, in some instances losses are shared, and in one quarter of instances, banks reimburse the business fully for any losses. In the end all parties suffer significant financial loss as a result of fraud.
SMBs expect their financial institution to be the expert, but think they're not doing enough

Seventy two percent indicate that they hold the FI primarily accountable for ensuring that their online bank account is secure
However, only 43 percent say their FI takes appropriate action to limit risky transactions
Anyway, maybe the company is making it sound worse than it is to get business. Supposedly it's an independent study. But I think it does give a sense of how much more of a free for all online security is than people seem to be willing to believe.

I'm sure a great deal of this fraud occurs because people have bad passwords, etc. That of course could be easily overcome by financial institutions just requiring people to have better passwords and to use other less convenient measures. And interestingly the study also notes that courts are siding with clients and saying the banks should have done a better job.
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

I think it has little or nothing to do with bad passwords. A keylogger or trojan can get your password regardless of whether it's good or bad.

Here's an article on theft from TSP accounts. They used keyloggers.

http://www.scmagazine.com/keyloggers-st ... cle/34451/

I am not sure the TSP reimburses. They have a stated policy that they don't reimburse in this situation. But since 2007 they have eliminated online transfers of funds.

Many of the online fraud cases that become public are against small business, because most banks don't reimburse. Small business is kind of like the canary in the coal mine.
cb474
Posts: 900
Joined: Tue Jan 19, 2010 5:32 am

Re: Vanguard is on the Password Hall of Shame.

Post by cb474 »

Yes, I agree that the small businesses are like the canary in the coal mine. So are the very different type of attacks on large corporations mentioned in the NY Times article I link to above.

Part of the reason I linked to the study in my last post, however, was because it explained that even when fraud is clearly occurring banks were most of the time unable to recover funds and clients most of the time suffered significant losses. LostinFinance was suggesting that somehow it would be easy for the FBI to reverse transactions and recover funds. It just seems messier than that to me.

It is also true, as you say, that keyloggers are a big problem and will defeat any password. But that doesn't mean that bad passwords are not also a problem. It's not an either/or. I don't understand pointing to one problem as a way to excuse and be blase about another.

In addition, one point the report I linked to makes is that fraud techniques are constantly and rapidly evolving. This is why I keep saying that people shouldn't just assume that they know what the risks are and where the vulnerabilities are. Even if you're right now, you probably won't be tomorrow. So this is why people and financial institutions shouldn't be remiss about any potential line of attack.

The point of the canary in the coal mine is that it's an early warning of a bigger unseen problem. People should be seriously concerned about any laxity in online security protocols, not complacent.
mike127
Posts: 57
Joined: Sun Aug 19, 2012 1:26 am

Re: Vanguard is on the Password Hall of Shame.

Post by mike127 »

I've been reading this thread but just discovered something about Vanguard's security that, to me, is far worse than 10 or 12 character passwords (particularly since in reality the number of consumers who will actually choose a 13+ character password is quite small): you can hijack a Vanguard account simply by re-registering for a new online account. The only piece of authentication information that is not already a matter of public record that they wanted was my SSN. Other than that, I was asked for my date of birth, zip code, and city where I was married -- all of which are public. I was then shown my existing login name and given the opportunity to change it and change the password on the account. I did not go through with the process, but am I missing something? This seems like an inexcusable way to protect people's life savings. I'm thinking about moving my money to Schwab to get the two-factor authentication (recognizing that even that is not foolproof, but at least gets around social engineering). Am I wrong to be so worried about this?
User avatar
LadyGeek
Site Admin
Posts: 95466
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Vanguard is on the Password Hall of Shame.

Post by LadyGeek »

You may be going to an extreme effort, as I'd venture that you can do this just about anywhere.

It's the classic convenience vs. security trade-off. Making the login easy means it's not secure. OTOH, a long and difficult password (or forcing someone to track down a lot of public information) makes the process too hard to use. Choose one.

BTW, don't forget to put a long and difficult to guess password on your email account. Most websites (including this one) provide an "I forgot my password" feature. Just click on the link, enter the email address, and a new one is sent to the address on record. If you have the email password, there's no need to register for a new account (or change to Schwab).
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
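LadyGeek's point is that the "I forgot my password" link makes the mailbox the real key to the account, and mike127's earlier post shows what happens when re-registration asks only for facts that are public or purchasable. The following is an added example, not code from the thread, this forum or any brokerage: a sketch of the e-mail reset flow done carefully. The link carries a random token rather than a new password, only the token's hash is stored server side, the token expires, works once and is bound to the account it was issued for, and the request endpoint answers identically for unknown accounts so it cannot be used to confirm who is a customer. The class and method names, the fifteen-minute window, the KDF round count and the in-memory stores are all assumptions for illustration.

```python
"""Added example, not code from the thread, this forum or any brokerage.

A password-reset flow where the e-mailed link carries a random, hashed,
expiring, single-use token bound to one account. Names, TTL, KDF rounds
and the in-memory stores are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a short validity window
KDF_ROUNDS = 200_000          # assumption; tune to your hardware


@dataclass
class ResetRecord:
    account: str
    expires_at: float
    used: bool = False


class ResetService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Set[str] = set()
        self.passwords: Dict[str, Tuple[bytes, bytes]] = {}   # account -> (salt, digest)
        self.pending: Dict[bytes, ResetRecord] = {}            # sha256(token) -> record
        self.outbox: List[Tuple[str, str]] = []                # constructed stand-in for e-mail

    def register_account(self, account: str, password: str) -> None:
        self.accounts.add(account)
        self._set_password(account, password)

    def _set_password(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)
        self.passwords[account] = (salt, digest)

    def check_password(self, account: str, attempt: str) -> bool:
        salt, digest = self.passwords.get(account, (b"", b""))
        if not salt:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, KDF_ROUNDS)
        return hmac.compare_digest(digest, candidate)

    @staticmethod
    def _token_hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def request_reset(self, account: str) -> None:
        """Same return value whether or not the account exists, so the form
        cannot be used to enumerate customers. The token itself is never
        stored; a copy of the database does not yield usable reset links."""
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        if account in self.accounts:
            self.pending[self._token_hash(token)] = ResetRecord(
                account=account, expires_at=self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((account, token))    # mailed only to the address on record

    def redeem(self, account: str, token: str, new_password: str) -> bool:
        rec = self.pending.get(self._token_hash(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.account.encode("utf-8"), account.encode("utf-8")):
            return False          # token was issued for a different account
        rec.used = True           # single use, marked before the password changes
        self._set_password(account, new_password)
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register_account("alice", "OldPassword1")
    svc.request_reset("alice")
    account, token = svc.outbox[0]                  # what the e-mail would carry
    print("first redemption:", svc.redeem(account, token, "NewPassword2"))
    print("replay of same link:", svc.redeem(account, token, "Again3"))
```

None of this helps if the mailbox itself is taken over, which is why the advice above to put a long, unique password (and ideally a second factor) on the e-mail account matters more than any single site's password rules; the token only narrows the window and the blast radius once a link has been sent.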
mike127
Posts: 57
Joined: Sun Aug 19, 2012 1:26 am

Re: Vanguard is on the Password Hall of Shame.

Post by mike127 »

LadyGeek wrote:You may be going to an extreme effort, as I'd venture that you can do this just about anywhere.
Not sure that's completely right. To recover my Schwab password without calling in for verification (which is its own issue), I need to have access to my email account (which illustrates how critical your last point is) and know my existing login ID. To create a fresh account, I need some public or quasi-public information (SSN, DOB, home phone number) but also my non-public brokerage account number. I then need to authenticate by answering multiple choice questions about my existing (non-public) account activity. Clearly not foolproof, but this strikes me as much more robust than Vanguard -- so I'm not sure that all security regimes are created equal in this regard.
LadyGeek wrote:BTW, don't forget to put a long and difficult to guess password on your email account. Most websites (including this one) provide an "I forgot my password" feature. Just click on the link, enter the email address, and a new one is sent to the address on record. If you have the email password, there's no need to register for a new account (or change to Schwab).
Incredibly important. I'd guess that this is the biggest vulnerability that most people have and don't focus on.
User avatar
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Epsilon Delta »

mike127 wrote:I've been reading this thread but just discovered something about Vanguard's security that, to me, is far worse than 10 or 12 character passwords (particularly since in reality the number of consumers who will actually choose a 13+ character password is quite small): you can hijack a Vanguard account simply by re-registering for a new online account. The only piece of authentication information that is not already a matter of public record that they wanted was my SSN. Other than that, I was asked for my date of birth, zip code, and city where I was married -- all of which are public. I was then shown my existing login name and given the opportunity to change it and change the password on the account. I did not go through with the process, but am I missing something? This seems like an inexcusable way to protect people's life savings. I'm thinking about moving my money to Schwab to get the two-factor authentication (recognizing that even that is not foolproof, but at least gets around social engineering). Am I wrong to be so worried about this?
You are not wrong to be worried, but you may be wrong to imagine that Schwab is better. Just because they require 2 factor to log into your account does not mean they require 2 factor to re-register an account, or to get a new dongle sent to you. They can't use the dongle as a second factor if you call them and say you've lost the dongle.