Bogleheads.org

[Timmay!]

I'm not sure if this is new news, but like many of you I'm concerned about password strength for accessing my accounts. I recently emailed my VG representative on this, and he replied that VG now allows symbols as part of the password login:

I have spoken with our Web Technical Support Services and they told me that you can now put symbols in your password, but not your user name. We haven't really advertised this yet because of how many people use third
party vendors to access their Vanguard accounts.

I haven't tried it yet, but am now going to add some symbols!

[Steelersfan]

With just alpha and numeric choices in ten digits, there were 3.65 quadrillion possibilities for someone to guess from. More actually since that's using exactly ten characters and there are more if you include using less than ten characters.

I don't know how many special characters you can choose from, but if there are ten additional characters, that gives 42.4 quadrillion possibilities, plus.....

I'm still OK with 3.65 quadrillion possibilities to attack, but if it makes you feel safer it's a prudent thing to do.

[Guest422]

Right password length provides a exponential defense against brute force attacks. My primary concern is against keystroke loggers or session sniffing.

I would like to see vanguard use a mouse keypad for part of auth to reduce keystroke loggers

Some of the ciphers vg accepts are very weak be sure to force you browser to only accept sslv3 or tls. I would like to see them only accept 128 bit and above.

www:~# sslscan vanguard.com | grep Accepted
Accepted SSLv3 256 bits ADH-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits ADH-DES-CBC3-SHA
Accepted SSLv3 56 bits ADH-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Accepted SSLv3 128 bits ADH-RC4-MD5
Accepted SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5

[chaz]

Is a password of 8 digits safe?

Is it hard to change a password?

[JimHalpert]

i use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.

[Opponent Process]

Is it hard to change a password?

very simple. we change our passwords every month.

[Guest422]

i use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.

Thats a good idea

[CarlZ993]

i use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.

How do I do this? I'm running Vista if that matters.

[Drain]

Is a password of 8 digits safe?

Not counting keylogging and similar strategies...if the hacker gets only three attempts before the account is locked, then yes, an eight-character password is safe.

[JimHalpert]

i don't use vista, but here is a cut and paste from microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button , clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.

[Carl53]

i don't use vista, but here is a cut and paste from microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button , clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.

Cool, I just logged into vg using this program and to log onto reply to this message. Thanks!

[blacktupelo]

Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : â¿¿ . ? , / < > â¿¿ ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."

[Steelersfan]

i don't use vista, but here is a cut and paste from microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button , clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.

That's pretty slick and even works on my Windows XP system.

I'm not interested, but thanks for posting that for those who are concerned about key loggers.

[chaz]

There are programs that can defeat key loggers.

[FNK]

Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.

[Drain]

Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

Plus, you don't have to deal with a virtual keyboard in order to thwart keyloggers.

I'm unhappy Vanguard limits passwords to 10 characters.

I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?

[Drain]

Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

Plus, you don't have to deal with a virtual keyboard in order to thwart keyloggers.

I'm unhappy Vanguard limits passwords to 10 characters.

I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?

[chaz]

Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.

Why are you migrating to LastPass? Isn't keepass OK?

[garg33]

I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?

This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.

[Drain]

I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?

This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.

Good point. I don't know how common or uncommon that sort of theft is, but I agree that a stronger password is better. As someone who uses a password manager (Lastpass), I'd certainly prefer the ability to use as strong as password as I want.

[FNK]

Why are you migrating to LastPass? Isn't keepass OK?

Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.

[FNK]

...

[greensky]

Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.

Why are you migrating to LastPass? Isn't keepass OK?

Didn't LastPass get hacked or was that some other online password service?

Okay, it looks like they MAY have been hacked:
http://techcrunch.com/2011/05/05/passwo ... ly-hacked/

Either way I'm not sure I'd save my passwords, especially banking or anything important in an online service.

[Drain]

Didn't LastPass get hacked or was that some other online password service?

If you had a strong master password, it didn't matter if LP's servers were hacked. That's the appeal of the security model.

[FabLab]

Balky connection, double posting. Sorry.

[sperry8]

Thanks for letting me know... I always wanted a symbol in there. Now if they just made it case sensitive we'd be getting somewhere!

[FabLab]

Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : â¿¿ . ? , / < > â¿¿ ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."

I don't believe this is totally accurate. Changing one's password to include special characters, etc., does not require re-registering an account. But, altering one's User Name does.

Cheers,
Ron

[chaz]

Why are you migrating to LastPass? Isn't keepass OK?

Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.

Thanks for the pros and cons.

[JustwannaRetire]

Why are you migrating to LastPass? Isn't keepass OK?

Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.

I have been a satisfied user of RoboForm for many years. They now offer an online version, but I like the "thick" version on my computer. I also have the "portable" version on a USB stick when away from home.

I am not sure how the features totally compare to the two options above, but I am totally happy with Roboform.

[sperry8]

Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : â¿¿ . ? , / < > â¿¿ ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."

I don't believe this is totally accurate. Changing one's password to include special characters, etc., does not require re-registering an account. But, altering one's User Name does.

Cheers,
Ron

You are correct - I just added special characters and it didn't require re-registering. Easy as pie.