Symbols Available in Passwords at Vanguard


Postby Timmay! » Mon May 23, 2011 12:01 pm

I'm not sure if this is new news, but like many of you I'm concerned about password strength for accessing my accounts. I recently emailed my VG representative on this, and he replied that VG now allows symbols as part of the password login:

I have spoken with our Web Technical Support Services and they told me that you can now put symbols in your password, but not your user name. We haven't really advertised this yet because of how many people use third party vendors to access their Vanguard accounts.


I haven't tried it yet, but am now going to add some symbols!
Timmay!
 
Posts: 10
Joined: Fri Jan 15, 2010 10:03 pm

Postby Steelersfan » Mon May 23, 2011 12:35 pm

With just alpha and numeric choices in ten digits, there were 3.65 quadrillion possibilities for someone to guess from. More actually since that's using exactly ten characters and there are more if you include using less than ten characters.

I don't know how many special characters you can choose from, but if there are ten additional characters, that gives 42.4 quadrillion possibilities, plus.....

I'm still OK with 3.65 quadrillion possibilities to attack, but if it makes you feel safer it's a prudent thing to do.
Steelersfan
 
Posts: 2467
Joined: Thu Jun 19, 2008 9:47 pm

Postby Guest422 » Mon May 23, 2011 12:44 pm

Right password length provides an exponential defense against brute force attacks. My primary concern is against keystroke loggers or session sniffing.

I would like to see Vanguard use a mouse keypad for part of auth to reduce keystroke loggers.

Some of the ciphers VG accepts are very weak; be sure to force your browser to only accept sslv3 or tls. I would like to see them only accept 128 bit and above.

www:~# sslscan vanguard.com | grep Accepted
Accepted SSLv3 256 bits ADH-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits ADH-DES-CBC3-SHA
Accepted SSLv3 56 bits ADH-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Accepted SSLv3 128 bits ADH-RC4-MD5
Accepted SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
"The hardest victory is over self" | Aristotle
Guest422
 
Posts: 523
Joined: Tue Jun 02, 2009 9:19 pm
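
Added example, not part of any post in this thread: a short Python audit of "Accepted" rows in the format shown in the sslscan output above. It flags export-grade suites, anonymous key exchange and keys under 128 bits, and lists flagged suites that a "128 bit and above" rule alone would still let through. The sample rows are a subset copied from the post; the function names are this example's own.

```python
import re

# One "Accepted" row as printed in the post: protocol, key size, OpenSSL cipher name.
ROW = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)$")

# Rows copied from the sslscan output in the post above (a subset, not the full list).
SAMPLE = """\
Accepted SSLv3 256 bits ADH-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 56 bits ADH-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 168 bits DES-CBC3-SHA
"""


def weaknesses(bits, cipher):
    """Return the reasons a suite is flagged, judged from its OpenSSL name and key size."""
    tokens = cipher.split("-")
    found = []
    if "EXP" in tokens:
        found.append("export-grade")
    if "ADH" in tokens or "AECDH" in tokens:
        # Anonymous Diffie-Hellman: the server presents no certificate,
        # so the client cannot tell who it has negotiated a key with.
        found.append("anonymous key exchange")
    if bits < 128:
        found.append("key under 128 bits")
    return found


def audit(scan_text):
    """Map (protocol, cipher) -> (bits, reasons) for every flagged Accepted row."""
    findings = {}
    for line in scan_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, "Rejected" rows, blank lines
        protocol, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
        reasons = weaknesses(bits, cipher)
        if reasons:
            findings[(protocol, cipher)] = (bits, reasons)
    return findings


def missed_by_bit_filter(findings, minimum=128):
    """Flagged suites that a key-size threshold alone would still allow."""
    return [key for key, (bits, _) in findings.items() if bits >= minimum]


if __name__ == "__main__":
    results = audit(SAMPLE)
    for (protocol, cipher), (bits, reasons) in results.items():
        print(f"{protocol:6s} {bits:3d} bits {cipher:22s} {', '.join(reasons)}")
    print("passes a 128-bit rule but still flagged:", missed_by_bit_filter(results))
```
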

Postby chaz » Mon May 23, 2011 11:19 pm

Is a password of 8 digits safe?

Is it hard to change a password?
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
chaz
 
Posts: 13255
Joined: Tue Feb 27, 2007 3:44 pm

Postby JimHalpert » Tue May 24, 2011 3:20 pm

I use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.
JimHalpert
 
Posts: 212
Joined: Fri Apr 25, 2008 2:34 pm

Postby Opponent Process » Tue May 24, 2011 3:29 pm

chaz wrote:Is it hard to change a password?


Very simple. We change our passwords every month.
30/30/20/20 | US/International/Bonds/TIPS | Average Age=37
Opponent Process
 
Posts: 5159
Joined: Tue Sep 18, 2007 10:19 pm

Postby Guest422 » Tue May 24, 2011 3:34 pm

JimHalpert wrote:I use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.


That's a good idea
"The hardest victory is over self" | Aristotle
Guest422
 
Posts: 523
Joined: Tue Jun 02, 2009 9:19 pm

Onscreen Keyboard?

Postby CarlZ993 » Tue May 24, 2011 3:46 pm

JimHalpert wrote:I use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.


How do I do this? I'm running Vista if that matters.
Carl Z
CarlZ993
 
Posts: 169
Joined: Tue Feb 20, 2007 4:00 pm
Location: Austin, Texas

Postby Drain » Tue May 24, 2011 3:48 pm

chaz wrote:Is a password of 8 digits safe?

Not counting keylogging and similar strategies...if the hacker gets only three attempts before the account is locked, then yes, an eight-character password is safe.
Darin
Drain
 
Posts: 1309
Joined: Mon Feb 26, 2007 2:27 pm
Location: Silver Spring, MD

Postby JimHalpert » Tue May 24, 2011 3:57 pm

I don't use Vista, but here is a cut and paste from Microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.
JimHalpert
 
Posts: 212
Joined: Fri Apr 25, 2008 2:34 pm

Postby Carl53 » Tue May 24, 2011 4:16 pm

JimHalpert wrote:I don't use Vista, but here is a cut and paste from Microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.


Cool, I just logged into vg using this program and to log onto reply to this message. Thanks!
Carl53
 
Posts: 789
Joined: Sun Mar 07, 2010 9:26 pm

Postby blacktupelo » Tue May 24, 2011 5:08 pm

Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : â¿¿ . ? , / < > â¿¿ ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."
Larry
blacktupelo
 
Posts: 181
Joined: Mon Feb 19, 2007 7:43 pm
Location: St. Louis Missouri USA

Postby Steelersfan » Tue May 24, 2011 6:15 pm

JimHalpert wrote:I don't use Vista, but here is a cut and paste from Microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.


That's pretty slick and even works on my Windows XP system.

I'm not interested, but thanks for posting that for those who are concerned about key loggers.
Steelersfan
 
Posts: 2467
Joined: Thu Jun 19, 2008 9:47 pm

Postby chaz » Tue May 24, 2011 6:47 pm

There are programs that can defeat key loggers.
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
chaz
 
Posts: 13255
Joined: Tue Feb 27, 2007 3:44 pm

Postby FNK » Tue May 24, 2011 10:32 pm

Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.
FNK
 
Posts: 1357
Joined: Tue May 17, 2011 8:01 pm

Postby Drain » Tue May 24, 2011 10:41 pm

FNK wrote:Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

Plus, you don't have to deal with a virtual keyboard in order to thwart keyloggers.

I'm unhappy Vanguard limits passwords to 10 characters.

I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?
Darin
Drain
 
Posts: 1309
Joined: Mon Feb 26, 2007 2:27 pm
Location: Silver Spring, MD

Postby chaz » Wed May 25, 2011 11:14 am

FNK wrote:Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.


Why are you migrating to LastPass? Isn't keepass OK?
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
chaz
 
Posts: 13255
Joined: Tue Feb 27, 2007 3:44 pm

Postby garg33 » Wed May 25, 2011 11:36 am

Drain wrote:I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?

This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.
garg33
 
Posts: 43
Joined: Sat Sep 19, 2009 1:10 pm
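
Added example, not part of any post in this thread: the keyspace figures quoted earlier (36^10 and 46^10) next to an exact count of the passwords allowed by the policy quoted above (6-10 characters, at least two letters and two numbers), to show how much a known length cap and composition rule bound an offline search. Assumptions: 26 letters (a later post indicates passwords are not case sensitive), 32 symbols (the number of entries in the quoted list), a hypothetical 16-character cap for comparison, and a constructed guess rate.

```python
from math import comb, log2


def policy_count(n, letters, digits, symbols):
    """Count n-character strings with at least two letters and two digits."""
    total = 0
    for i in range(2, n + 1):             # i positions hold letters
        for j in range(2, n - i + 1):     # j positions hold digits
            k = n - i - j                 # the remaining positions hold symbols
            total += (comb(n, i) * comb(n - i, j)
                      * letters**i * digits**j * symbols**k)
    return total


def policy_keyspace(letters, digits, symbols, min_len=6, max_len=10):
    """All passwords the quoted policy allows, summed over every legal length."""
    return sum(policy_count(n, letters, digits, symbols)
               for n in range(min_len, max_len + 1))


def years_to_exhaust(keyspace, guesses_per_second):
    """Time to try every candidate once at a fixed offline guess rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


# Assumption for illustration only: a constructed offline guess rate against
# stolen hashes. The real rate depends entirely on how the hashes were stored.
ASSUMED_RATE = 10**10


def report():
    """(label, keyspace) rows: the thread's figures, the policy, a longer cap."""
    return [
        ("exactly 10 chars, 36-char alphabet", 36**10),
        ("exactly 10 chars, 46-char alphabet", 46**10),
        ("policy, 6-10 chars, no symbols", policy_keyspace(26, 10, 0)),
        ("policy, 6-10 chars, 32 symbols", policy_keyspace(26, 10, 32)),
        ("same rules, up to 16 chars (hypothetical)",
         policy_keyspace(26, 10, 32, 6, 16)),
    ]


if __name__ == "__main__":
    for label, size in report():
        print(f"{label:44s} {size:.3e}  {log2(size):5.1f} bits  "
              f"{years_to_exhaust(size, ASSUMED_RATE):.3g} years")
```
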

Postby Drain » Wed May 25, 2011 11:51 am

garg33 wrote:
Drain wrote:I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?

This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.

Good point. I don't know how common or uncommon that sort of theft is, but I agree that a stronger password is better. As someone who uses a password manager (Lastpass), I'd certainly prefer the ability to use as strong a password as I want.
Darin
Drain
 
Posts: 1309
Joined: Mon Feb 26, 2007 2:27 pm
Location: Silver Spring, MD

Postby FNK » Wed May 25, 2011 12:35 pm

chaz wrote:Why are you migrating to LastPass? Isn't keepass OK?


Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.
FNK
 
Posts: 1357
Joined: Tue May 17, 2011 8:01 pm

Postby FNK » Wed May 25, 2011 12:37 pm

...
Last edited by FNK on Wed May 25, 2011 1:28 pm, edited 1 time in total.
FNK
 
Posts: 1357
Joined: Tue May 17, 2011 8:01 pm

Postby greensky » Wed May 25, 2011 12:48 pm

chaz wrote:
FNK wrote:Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.


Why are you migrating to LastPass? Isn't keepass OK?


Didn't LastPass get hacked or was that some other online password service?

Okay, it looks like they MAY have been hacked:
http://techcrunch.com/2011/05/05/passwo ... ly-hacked/

Either way I'm not sure I'd save my passwords, especially banking or anything important in an online service.
greensky
 
Posts: 108
Joined: Tue Aug 05, 2008 10:55 pm

Postby Drain » Wed May 25, 2011 12:59 pm

greensky wrote:Didn't LastPass get hacked or was that some other online password service?

If you had a strong master password, it didn't matter if LP's servers were hacked. That's the appeal of the security model.
Last edited by Drain on Wed May 25, 2011 1:25 pm, edited 1 time in total.
Darin
Drain
 
Posts: 1309
Joined: Mon Feb 26, 2007 2:27 pm
Location: Silver Spring, MD

Postby FabLab » Wed May 25, 2011 1:06 pm

Balky connection, double posting. Sorry.
Last edited by FabLab on Wed May 25, 2011 1:15 pm, edited 2 times in total.
The fundamental things apply as time goes by -- Herman Hupfeld
FabLab
 
Posts: 1090
Joined: Mon Oct 18, 2010 1:15 pm

Postby sperry8 » Wed May 25, 2011 1:08 pm

Thanks for letting me know... I always wanted a symbol in there. Now if they just made it case sensitive we'd be getting somewhere!
Certainty is a requirement of ignorance.
sperry8
 
Posts: 639
Joined: Sat Mar 29, 2008 10:25 pm
Location: Los Angeles, CA

Postby FabLab » Wed May 25, 2011 1:09 pm

blacktupelo wrote:Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : â¿¿ . ? , / < > â¿¿ ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."


I don't believe this is totally accurate. Changing one's password to include special characters, etc., does not require re-registering an account. But, altering one's User Name does.

Cheers,
Ron
The fundamental things apply as time goes by -- Herman Hupfeld
FabLab
 
Posts: 1090
Joined: Mon Oct 18, 2010 1:15 pm

Postby chaz » Wed May 25, 2011 2:25 pm

FNK wrote:
chaz wrote:Why are you migrating to LastPass? Isn't keepass OK?


Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.


Thanks for the pros and cons.
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
chaz
 
Posts: 13255
Joined: Tue Feb 27, 2007 3:44 pm

Postby JustwannaRetire » Wed May 25, 2011 8:36 pm

FNK wrote:
chaz wrote:Why are you migrating to LastPass? Isn't keepass OK?


Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.


I have been a satisfied user of RoboForm for many years. They now offer an online version, but I like the "thick" version on my computer. I also have the "portable" version on a USB stick when away from home.

I am not sure how the features totally compare to the two options above, but I am totally happy with Roboform.
JustwannaRetire
 
Posts: 27
Joined: Mon Sep 28, 2009 9:29 pm

Postby sperry8 » Thu May 26, 2011 2:09 pm

RonV wrote:
blacktupelo wrote:Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : â¿¿ . ? , / < > â¿¿ ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."


I don't believe this is totally accurate. Changing one's password to include special characters, etc., does not require re-registering an account. But, altering one's User Name does.

Cheers,
Ron


You are correct - I just added special characters and it didn't require re-registering. Easy as pie.
Certainty is a requirement of ignorance.
sperry8
 
Posts: 639
Joined: Sat Mar 29, 2008 10:25 pm
Location: Los Angeles, CA

