Vanguard is on the Password Hall of Shame.

tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

mhc wrote:
tadamsmar wrote:
mhc wrote:I have never heard of any security issues with major fund companies or brokerages in the US.
I can fix that for you!:

http://datalossdb.org/primary_sources/0 ... nguard.pdf
That is not a case of someone from the outside getting in, but rather Vanguard sending out some inappropriate information.
You said you had never heard of "any security issues"; I just fixed that. Now I will fix the fact you have never heard of someone from the outside getting in at a major fund company:

Here's one where someone got into Schwab:

http://www.washingtonpost.com/wp-dyn/co ... 01763.html
Last edited by tadamsmar on Mon Dec 03, 2012 11:30 am, edited 3 times in total.
SurfCityBill
Posts: 547
Joined: Tue May 01, 2012 10:15 pm

Re: Vanguard is on the Password Hall of Shame.

Post by SurfCityBill »

Some sites, including Vanguard, provide a security "image" to assure you you're not at a bogus site. I assume this is to protect against phishing but I always wonder if this offers any real value or whether a true hacker, infiltrator, etc couldn't just offer up your security image picture to fool you. Thoughts?

-B
Spirit Rider
Posts: 13977
Joined: Fri Mar 02, 2007 1:39 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Spirit Rider »

This focus on excessively strong passwords is overdone. This is because it is easy for IT to implement, and more importantly sell management on what a great job they have done. The likelihood of online security breaches, like most other security breaches, is based on probabilities.

Security breaches are far more likely from family, friends, coworkers, password sticky notes on computers, social engineering, etc... Excessively complex password requirements coupled with frequent password change requirements can in fact be counterproductive. They prevent people from remembering, which causes passwords to be written down and exposed, and causes excessive password retrievals/resets.

As has been stated, the single most effective remedy is the requirement for two-factor authentication (something you know, something you have). This, combined with unique, remembered passwords that are not deducible from the owner's life (dates, names, places, etc.), yields the highest protection against breaches.
mhc
Posts: 5240
Joined: Mon Apr 04, 2011 10:18 pm
Location: NoCo

Re: Vanguard is on the Password Hall of Shame.

Post by mhc »

tadamsmar wrote:
mhc wrote:
tadamsmar wrote:
mhc wrote:I have never heard of any security issues with major fund companies or brokerages in the US.
I can fix that for you!:

http://datalossdb.org/primary_sources/0 ... nguard.pdf
That is not a case of someone from the outside getting in, but rather Vanguard sending out some inappropriate information.
You said you had never heard of "any security issues"; I just fixed that. Now I will fix the fact you have never heard of someone from the outside getting in at a major fund company:

Here's one where someone got into Schwab:

http://www.washingtonpost.com/wp-dyn/co ... 01763.html
Thank you. That is exactly the type of data I was hoping would be provided to show that there really is an issue at hand.
52% TSM, 23% TISM, 24.5% TBM, 0.5% cash
SSSS
Posts: 1914
Joined: Fri Jun 18, 2010 11:50 am

Re: Vanguard is on the Password Hall of Shame.

Post by SSSS »

I'm not sure how a 10-character maximum password length is evidence that they're not hashing and salting the passwords. I'm pretty sure that Vanguard would be breaking at least a few laws if they were storing passwords in plain text. Financial institutions are pretty heavily regulated.

I'm going to believe (for now) that they do hash and salt the passwords. Someone getting hold of the salted password file is a valid concern, but the main risk would be to those who use their Vanguard password on other websites. Vanguard itself would probably notice pretty quickly and go into full lockdown until they were able to do an audit and force account re-validation with password changes.

I recall when one of the Bitcoin exchanges (probably much less secure than a regulated financial institution like Vanguard) had its password hashes stolen. There were a few fraudulent transactions, but they noticed very quickly and took the entire site offline for several weeks. The only people who really got screwed were those who were sharing passwords across sites.
sperry8
Posts: 3065
Joined: Sat Mar 29, 2008 9:25 pm
Location: Miami FL

Re: Vanguard is on the Password Hall of Shame.

Post by sperry8 »

I complained to my Flagship advisor about this. He seemed to understand my concerns, but said VG isn't overly worried, since monies cannot be taken out of the acct for a few weeks after any address change. So someone getting my password wouldn't be able to 'steal' my money without me catching them.

Seemed an absurd answer to me... but that's the position they are taking.
BH Contests: 23 #89 of 607 | 22 #512 of 674 | 21 #66 of 636 |20 #253/664 |19 #233/645 |18 #150/493 |17 #516/647 |16 #121/610 |15 #18/552 |14 #225/503 |13 #383/433 |12 #366/410 |11 #113/369 |10 #53/282
SSSS
Posts: 1914
Joined: Fri Jun 18, 2010 11:50 am

Re: Vanguard is on the Password Hall of Shame.

Post by SSSS »

sperry8 wrote:I complained to my Flagship advisor about this. He seemed to understand my concerns, but said VG isn't overly worried, since monies cannot be taken out of the acct for a few weeks after any address change. So someone getting my password wouldn't be able to 'steal' my money without me catching them.

Seemed an absurd answer to me... but that's the position they are taking.
Seems fairly sensible to me. You can only withdraw to linked accounts or by check to established addresses, and you're going to get e-mailed about any account changes such as new linked accounts. Even if they try to change the e-mail address, you should still get an e-mail to the old address. Plus I'm sure Vanguard has their own suspicious activity detection (i.e. foreign IP logs in for first time and immediately starts making changes). Somebody is going to notice something's up before they can actually do anything.
KyleAAA
Posts: 9496
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard is on the Password Hall of Shame.

Post by KyleAAA »

SSSS wrote:
sperry8 wrote:I complained to my Flagship advisor about this. He seemed to understand my concerns, but said VG isn't overly worried, since monies cannot be taken out of the acct for a few weeks after any address change. So someone getting my password wouldn't be able to 'steal' my money without me catching them.

Seemed an absurd answer to me... but that's the position they are taking.
Seems fairly sensible to me. You can only withdraw to linked accounts or by check to established addresses, and you're going to get e-mailed about any account changes such as new linked accounts. Even if they try to change the e-mail address, you should still get an e-mail to the old address. Plus I'm sure Vanguard has their own suspicious activity detection (i.e. foreign IP logs in for first time and immediately starts making changes). Somebody is going to notice something's up before they can actually do anything.
This is only reasonable IF you assume all the other security systems are working as intended. Most major breaches are going to occur when two or more systems fail simultaneously. It happens more often than most people realize.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

sperry8 wrote:I complained to my Flagship advisor about this. He seemed to understand my concerns, but said VG isn't overly worried, since monies cannot be taken out of the acct for a few weeks after any address change. So someone getting my password wouldn't be able to 'steal' my money without me catching them.

Seemed an absurd answer to me... but that's the position they are taking.
I don't think it's absurd, but I think it's correct to assume that monitoring your snail mail from Vanguard and/or checking your Vanguard account every few weeks is important. This is true regardless of the length of your password, since cracking your password is certainly not the only way for a hacker to get your password. It's possible that having a longer password would do relatively little to increase your security given all the other methods.

Don't be fooled into thinking that monitoring emails about transactions is sufficient. Last I checked, you don't get notification at your old email address when your email is changed online at Vanguard. If a hacker gains access to your account and changes your email address before making any other changes, then you will be blind as far as monitoring your email is concerned.

When you log into your Vanguard account, your email address is shown on the first screen and it is worth checking it each time you log in. The last login date is also shown, but it's useless if you have any kind of aggregator like Mint accessing your account daily.

Also, "hack pump and dump" attacks can steal your money in a few hours or less. But I don't think they can be used against an account that can only buy mutual funds. They can be used against a brokerage account that can buy stocks subject to pump and dump manipulation. I suppose IRAs that can invest in ETFs might be subject to this kind of an attack. I am not sure if a hacker can convert a Vanguard IRA into an account that can buy stocks.
Last edited by tadamsmar on Mon Dec 03, 2012 2:22 pm, edited 1 time in total.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

SSSS wrote:Even if they try to change the e-mail address, you should still get an e-mail to the old address.
Try changing the email on your Vanguard account and you will find that you do not get an e-mail at the old address.

At least, that's the way it worked when I tried it a while back. I don't know if that has changed recently.
Last edited by tadamsmar on Mon Dec 03, 2012 3:12 pm, edited 1 time in total.
khh
Posts: 342
Joined: Sat Dec 27, 2008 9:31 pm

Re: Vanguard is on the Password Hall of Shame.

Post by khh »

tadamsmar wrote:
KyleAAA wrote:Even if they try to change the e-mail address, you should still get an e-mail to the old address.
Try changing the email on your Vanguard account and you will find that you do not get an e-mail at the old address.

At least, that's the way it worked when I tried it a while back. I don't know if that has changed recently.
I raised the same concern earlier in the year (and upthread). http://www.bogleheads.org/forum/viewtop ... =2&t=89545
SSSS
Posts: 1914
Joined: Fri Jun 18, 2010 11:50 am

Re: Vanguard is on the Password Hall of Shame.

Post by SSSS »

tadamsmar wrote:
SSSS wrote:Even if they try to change the e-mail address, you should still get an e-mail to the old address.
Try changing the email on your Vanguard account and you will find that you do not get an e-mail at the old address.

At least, that's the way it worked when I tried it a while back. I don't know if that has changed recently.
You're right, I tried it about an hour ago and as yet have not gotten a notification to either the old or new e-mail address. That's very bad form on the part of Vanguard & I'm pretty surprised by it. Every sensible company I've ever dealt with would send a notice to the old e-mail, new e-mail, and (for financial companies) postal mail.
Khuzud
Posts: 49
Joined: Wed Dec 29, 2010 10:16 am

Re: Vanguard is on the Password Hall of Shame.

Post by Khuzud »

SSSS wrote:I'm not sure how a 10-character maximum password length is evidence that they're not hashing and salting the passwords. I'm pretty sure that Vanguard would be breaking at least a few laws if they were storing passwords in plain text.
There's a link on that Wall of Shame site that goes to a page where the author explains his reasoning. For those too lazy to click the link, his basic argument is that if you hash the passwords, you don't need to restrict their length, since hashing always produces a string of fixed length. He's clear to state that a length restriction isn't proof that passwords are being stored in plain text, but it's strange to have that restriction if you're not.
Last edited by Khuzud on Mon Dec 03, 2012 5:48 pm, edited 1 time in total.
richard
Posts: 7961
Joined: Tue Feb 20, 2007 2:38 pm

Re: Vanguard is on the Password Hall of Shame.

Post by richard »

SurfCityBill wrote:Some sites, including Vanguard, provide a security "image" to assure you you're not at a bogus site. I assume this is to protect against phishing but I always wonder if this offers any real value or whether a true hacker, infiltrator, etc couldn't just offer up your security image picture to fool you. Thoughts?
It doesn't offer any protection. As you say, the infiltrator could just offer up your security image picture to fool you

You go to bogus site and enter your username
Bogus site takes your username to the real Vanguard site, enters it and saves the screen
Bogus site displays the screen image to you
You enter your password, because you see the Vanguard screen you expected to see, not realizing the bogus site is between you and Vanguard.

See http://en.wikipedia.org/wiki/Man-in-the-middle_attack for more information

Vanguard is making things worse. Because username is a separate screen, this makes it easier to discover usernames.
HomerJ
Posts: 21240
Joined: Fri Jun 06, 2008 12:50 pm

Re: Vanguard is on the Password Hall of Shame.

Post by HomerJ »

richard wrote:Another problem with Vanguard's security is that they make it easier than many sites to find a username. Most sites have you enter username and password on the same screen. Vanguard has one screen for username, then a second for password. This lets you try to guess usernames until you get one right, rather than not being sure if your problem was username or password.

A password reset mechanism is often much more of a problem than insecure passwords, as stlutz mentioned. Using questions that are easily guessable or publicly discoverable is terrible security. It's much easier to figure out where you were born or your first job than to figure out your password.
If you set the security on your account to NOT allow access from unrecognized computer, that will shut down that avenue of attack.
nonnie
Posts: 3010
Joined: Thu Mar 13, 2008 8:05 pm

Re: Vanguard is on the Password Hall of Shame.

Post by nonnie »

Can someone explain to me why ATM and other PIN numbers are only 4 digits long and why this isn't an even *more* serious problem?

Nonnie
HomerJ
Posts: 21240
Joined: Fri Jun 06, 2008 12:50 pm

Re: Vanguard is on the Password Hall of Shame.

Post by HomerJ »

SurfCityBill wrote:Some sites, including Vanguard, provide a security "image" to assure you you're not at a bogus site. I assume this is to protect against phishing but I always wonder if this offers any real value or whether a true hacker, infiltrator, etc couldn't just offer up your security image picture to fool you. Thoughts?

-B
It would take a lot of work to get a database with all the pictures matched to every account.

Unless you were creating a fake web-account to catch one or two super wealthy users. But it does stop mass phishing emails.
HomerJ
Posts: 21240
Joined: Fri Jun 06, 2008 12:50 pm

Re: Vanguard is on the Password Hall of Shame.

Post by HomerJ »

When I changed my linked bank account, it took a week, and I got an email AND normal mail about it.

When I moved to a new house and changed my address, I got an email AND normal mail (at both the old address and the new address about it).

Vanguard isn't too bad.
MathWizard
Posts: 6542
Joined: Tue Jul 26, 2011 1:35 pm

Re: Vanguard is on the Password Hall of Shame.

Post by MathWizard »

nonnie wrote:Can someone explain to me why ATM and other PIN numbers are only 4 digits long and why this isn't an even *more* serious problem?

Nonnie
The ATM card is an example of two-factor authentication: something you physically have, the ATM card, plus something you know.

Also, my account limits dispensing cash via ATM to $200/day max (unless I allow more for some specified period of time, which I did for trips to Europe.) It would be difficult to drain $100K in $200/day increments without me noticing.

I don't allow my CC to be used in an ATM, so only my cash card is vulnerable in an ATM.

Lastly, this is your bank account, not your retirement account. It probably does not have multiples of $100K in it.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

nonnie wrote:Can someone explain to me why ATM and other PIN numbers are only 4 digits long and why this isn't an even *more* serious problem?

Nonnie
In my view, it's a less serious problem because your bank account funds are protected under federal law, so all you need to do to protect yourself from loss is to monitor your account and report anything odd in a timely manner; IIRC, the legal limit is 30 days.

With a brokerage/mutual fund account, all you have are some reimbursement pledges that tend to not impress lawyers.

With the TSP and (by association I assume) Fed Direct, you have a track record of not reimbursing people who have online fraud losses, but they have made online fraud harder since those losses.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

SSSS wrote:
tadamsmar wrote:
SSSS wrote:Even if they try to change the e-mail address, you should still get an e-mail to the old address.
Try changing the email on your Vanguard account and you will find that you do not get an e-mail at the old address.

At least, that's the way it worked when I tried it a while back. I don't know if that has changed recently.
You're right, I tried it about an hour ago and as yet have not gotten a notification to either the old or new e-mail address. That's very bad form on the part of Vanguard & I'm pretty surprised by it. Every sensible company I've ever dealt with would send a notice to the old e-mail, new e-mail, and (for financial companies) postal mail.
You will get a notice by postal mail.
JamesSFO
Posts: 3404
Joined: Thu Apr 26, 2012 10:16 pm

Re: Vanguard is on the Password Hall of Shame.

Post by JamesSFO »

Khuzud wrote:
SSSS wrote:I'm not sure how a 10-character maximum password length is evidence that they're not hashing and salting the passwords. I'm pretty sure that Vanguard would be breaking at least a few laws if they were storing passwords in plain text.
There's a link on that Wall of Shame site that goes to a page where the author explains his reasoning. For those too lazy to click the link, his basic argument is that if you salt the passwords, you don't need to restrict their length, since salting always produces a hash of fixed length. He's clear to state that a length restriction isn't proof that passwords are being stored in plain text, but it's strange to have that restriction if you're not.
That's just silly though, maybe they just felt that their UI worked better when the password field was shorter. Maybe they know that most people don't make long passwords, so a big field and having to QA long passwords and browser/server interactions was a pain. For example, Quicken might only take 10 character passwords (not true) so they felt just keeping the field at 10 was better, etc. It also might just be a way to reduce denial of service/buffer overruns if people tried putting in a dictionary as a password.

The reality is a character password limit tells us nothing about their internal data handling practices.
Ed 2
Posts: 2692
Joined: Sat May 15, 2010 9:34 am

Re: Vanguard security ?

Post by Ed 2 »

KyleAAA wrote:
Ed 2 wrote:
Taylor Larimore wrote:
We need to write to Vanguard about this.
I am confident that Vanguard, the largest mutual fund company in the world, employs the top security consultants in the business. I suspect we have almost no idea what security measures they use. Vanguard is certainly not going to tell us.

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.

I'll invest the postage saved. :wink:

Best wishes.
Taylor
Agree!!!! It is naive to rave about this without any big security problems at this company having occurred for many years. It is like we hear on TV "experts" telling us what the CIA does wrong. LOL
The password policy hall of shame thing is very, very justified. Internet security isn't like the CIA.
OK, you won, paranoid geek!... good grief LOL :annoyed
Last edited by Ed 2 on Mon Dec 03, 2012 5:57 pm, edited 2 times in total.
"The fund industry doesn't have a lot of heroes, but he (Bogle) is one of them," Russ Kinnel
brianH
Posts: 666
Joined: Wed Aug 12, 2009 12:21 pm

Re: Vanguard is on the Password Hall of Shame.

Post by brianH »

SurfCityBill wrote:Some sites, including Vanguard, provide a security "image" to assure you you're not at a bogus site. I assume this is to protect against phishing but I always wonder if this offers any real value or whether a true hacker, infiltrator, etc couldn't just offer up your security image picture to fool you. Thoughts?

-B
This process, called mutual authentication, has its pluses and minuses. On one hand, as you identified, it can help to prevent phishing attacks where you are redirected to an attacker's site. On the other hand, as was mentioned in this thread, it allows an attacker to guess at usernames. In the regular name/password login, the system should never return which field was incorrect on an attempt. This prevents someone from knowing if they guessed a username correctly.

Personally, I'm far more concerned about my password being sniffed at some point in the transmission to Vanguard. SSL attacks are not unheard of, and keyloggers are common with users that aren't as computer savvy. Vanguard should offer a one time password option, like the standard https://tools.ietf.org/html/rfc6238 used by Google and others.
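The RFC 6238 one-time password option brianH mentions, worked through as an added example (not code from this thread, from Vanguard, or from any vendor): the server and the user's authenticator app share a secret and each derives the same short code from the current 30-second time step, so a sniffed or keylogged code is useless after it expires. The RFC's own published test secret is used so the output can be checked against its Appendix B vectors; function names are mine.

```python
import hashlib
import hmac
import struct
import time

# The shared secret is provisioned once (setup key / QR code) and held by both
# the authenticator app and the server. This is the 20-byte ASCII secret that
# RFC 4226 and RFC 6238 use for their SHA-1 test vectors.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((T - T0) / X)."""
    if for_time is None:
        for_time = time.time()
    counter = (int(for_time) - t0) // step
    return hotp(secret, counter, digits, algo)


def verify_totp(secret: bytes, code: str, for_time=None, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step and +/- `window` neighbouring steps to absorb
    clock drift between phone and server. Every candidate is compared with
    hmac.compare_digest and the loop never exits early, so the comparison
    itself does not leak which candidate (if any) matched.
    A real deployment must additionally refuse to accept the same code twice
    (replay) and rate-limit attempts; both are omitted here for brevity."""
    if for_time is None:
        for_time = time.time()
    if len(code) != digits or not code.isdigit():
        return False
    counter = int(for_time) // step
    matched = False
    for c in range(max(0, counter - window), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algo), code):
            matched = True
    return matched


if __name__ == "__main__":
    # Reproduce the RFC 6238 Appendix B SHA-1 column (8-digit codes).
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC6238_TEST_SECRET, t, digits=8))
```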
Rob5TCP
Posts: 3811
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Vanguard is on the Password Hall of Shame.

Post by Rob5TCP »

nonnie wrote:Can someone explain to me why ATM and other PIN numbers are only 4 digits long and why this isn't an even *more* serious problem?

Nonnie
This is a major problem in Europe - but not because of the 4 digit code.

https://www.nytimes.com/2011/11/17/nyre ... .html?_r=0

http://www.npr.org/blogs/money/2012/10/ ... t-skimming

Here it has not been a major issue. But, that is no guarantee it won't be.
Biometrics would help a great deal with ATMs. PINs are starting to become too easily acquired.
richard
Posts: 7961
Joined: Tue Feb 20, 2007 2:38 pm

Re: Vanguard is on the Password Hall of Shame.

Post by richard »

HomerJ wrote:
richard wrote:Another problem with Vanguard's security is that they make it easier than many sites to find a username. Most sites have you enter username and password on the same screen. Vanguard has one screen for username, then a second for password. This lets you try to guess usernames until you get one right, rather than not being sure if your problem was username or password.

A password reset mechanism is often much more of a problem than insecure passwords, as stlutz mentioned. Using questions that are easily guessable or publicly discoverable is terrible security. It's much easier to figure out where you were born or your first job than to figure out your password.
If you set the security on your account to NOT allow access from unrecognized computer, that will shut down that avenue of attack.
How will it react - pretend you didn't enter a correct username or something else?

What happens if your old computer dies and you get a new computer?

I wonder how many have set that security option. My guess would be very very few.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Vanguard is on the Password Hall of Shame.

Post by Mudpuppy »

I feel like this thread is veering off into "security theatre" realms instead of focusing on the actual risks of the password length issue. That is my issue with websites such as the original one, it is focused more on raising alarm than on raising awareness via reasoned analysis. Let us back away from the paranoia and focus on a true risk analysis.

First off, password length does not speak to the lack of the use of a hashed password. DES passwords were restricted to 8 characters by the nature of the DES algorithm, but they were still salted and hashed. The length restriction likely comes from a legacy input system, not from storage requirements of the user's password. Fixed length data fields are exceedingly rare and there are many hashing algorithms that can work in a constrained space environment. Anyone who has taken any cryptography class should know this. It's rubbish to claim passwords are stored in plaintext based on the maximum length restrictions when there are a myriad of other technical reasons for length restrictions.

Secondly, the primary effect of a short length is making it easier to recover a password when one has obtained the hashes by any fashion. Length is not the only predictor of ease of password cracking. As others have mentioned, popular passwords and pattern generators are a great portion of modern GPU hashing programs. And again, this only becomes a factor if the hashes are recovered. Hence, the best advice is to use unique passwords for each site, utilizing the most amount of randomness the site's password policy will allow. Make use of password lockers with strong master passwords if necessary (and by the way, it's okay to write your passwords down, but do store the paper in a safe or safe deposit box when not in use, physical house thieves are rarely interested in your passwords since they aren't easy to fence).

Third, focusing on one component of the security is not conducive to analyzing the security of the company overall. As said earlier, security comes in layers, and by focusing on only one component one cannot fully evaluate one's probable risk. One should always evaluate the entire picture, not just one aspect. And yes, there are weaknesses in Vanguard's scheme, but there are counter-balancing protections as well. As I said previously, the risk of harm from the password length issue is present, but mitigated by other layers of security, such that one would be highly unlikely to be fiscally damaged by any attack. The overall risk is low, even though there are issues that could be addressed in future code revisions.

Finally, changing password lengths can be a non-trivial process, depending on how complex the authentication code is and what sort of legacy systems are involved. It might take months of planning and testing to even get to the point of being able to change the password scheme. And if there is truly some legacy code lurking in the belly of the beast, it might take specialists to accomplish as well. It is not as simple as changing a number and recompiling a program. Ideal? Of course not. But it is the reality.
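An added example, not code from this thread or from Vanguard, of the point Khuzud summarises from the Hall of Shame author and Mudpuppy expands on above: a salted, iterated hash produces a stored record of one fixed size whatever the password length, so nothing about the storage side requires a maximum password length (the cap, if any, comes from the input side). PBKDF2-HMAC-SHA256, the record format and the iteration count are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor and sizes are assumptions for this example; tune to your budget.
ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (base64).

    The digest is always DIGEST_BYTES long, whether the password is 1 or
    1000 characters, so the column storing it needs no knowledge of any
    maximum password size."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return "pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time; malformed records simply fail verification."""
    try:
        algo, iterations_s, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2-sha256":
            return False
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def record_length(password: str) -> int:
    """Size of what would actually be stored for this password."""
    return len(hash_password(password))


if __name__ == "__main__":
    # Constructed inputs: a short and a very long password give equal-size records.
    for pw in ("a", "correct horse battery staple" * 8):
        print(len(pw), "chars ->", record_length(pw), "stored chars")
```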
mas
Posts: 1511
Joined: Tue Feb 20, 2007 11:54 am

Re: Vanguard is on the Password Hall of Shame.

Post by mas »

JamesSFO wrote:The reality is a character password limit tells us nothing about their internal data handling practices.
Exactly. My crystal ball is telling me a few reasons that these password related "business rules" exist:
  1. Legacy systems
  2. Bureaucracy
Don't take me for a Vanguard apologist. I think that they would improve security with a few simple rule changes, and they should do so. However, I also understand how these types of non-changes happen and what looks simple from the outside may in fact involve complexity. Organizational inertia combined with targeted risk aversion can ensure that the issue is often considered, and never prioritized. I have no idea what Vanguard's technical infrastructure is like, but imagine a hypothetical case... A somewhat "modern" front end almost certainly was attached to a pre-existing authentication transaction. In fact it wouldn't be uncommon for data to pass through a chain of services for a large organization like Vanguard. Imagine again that the final "authenticator" is implemented as a mainframe CICS transaction with a fixed length input record and uses EBCDIC. Such a scenario would be exactly the type that risk averse bureaucracies would avoid making changes to.
Khuzud wrote:... his basic argument is that if you salt the passwords, you don't need to restrict their length, since salting always produces a hash of fixed length. He's clear to state that a length restriction isn't proof that passwords are being stored in plain text, but it's strange to have that restriction if you're not.
While much of what the article states is true, and certainly applies to some sites, concluding from this that any site with restrictions will retain the plain text password is silly.
HomerJ
Posts: 21240
Joined: Fri Jun 06, 2008 12:50 pm

Re: Vanguard is on the Password Hall of Shame.

Post by HomerJ »

richard wrote:
HomerJ wrote:
richard wrote:Another problem with Vanguard's security is that they make it easier than many sites to find a username. Most sites have you enter username and password on the same screen. Vanguard has one screen for username, then a second for password. This lets you try to guess usernames until you get one right, rather than not being sure if your problem was username or password.

A password reset mechanism is often much more of a problem than insecure passwords, as stlutz mentioned. Using questions that are easily guessable or publicly discoverable is terrible security. It's much easier to figure out where you were born or your first job than to figure out your password.
If you set the security on your account to NOT allow access from unrecognized computer, that will shut down that avenue of attack.
How will it react - pretend you didn't enter a correct username or something else?

What happens if your old computer dies and you get a new computer?

I wonder how many have set that security option. My guess would be very very few.
It doesn't show you the picture... and it says "You either entered an invalid username or your account is set to not allow logins from unrecognized computers"... So it does keep people from discovering valid usernames.

If you get a new computer, you'll have to call Vanguard and have that setting removed. I had to do it just a few weeks ago.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Vanguard security ?

Post by Silence Dogood »

Taylor Larimore wrote:
I am confident that Vanguard, the largest mutual fund company in the world, employs the top security consultants in the business. I suspect we have almost no idea what security measures they use. Vanguard is certainly not going to tell us.

To my knowledge, we have never heard or had a post from anyone with a security problem at Vanguard.
Don't confuse strategy and outcome.
JeffX
Posts: 208
Joined: Thu Mar 01, 2007 3:28 pm
Location: MI

Re: Vanguard is on the Password Hall of Shame.

Post by JeffX »

I have been a long time vanguard fan. I am a web application and network penetration security professional. I break into websites and networks for a living, find the flaws, and disclose them to the developers, and help them fix the issues.

In all reality, the password policy for Vanguard is horrible. All it takes is one SQL injection, file inclusion, or any other type of website attack to gain access to a database or file system that contains confidential information. I am not saying that Vanguard is vulnerable. It is illegal for me to test their site. However, I guarantee foreign countries are targeting vanguard.com on a daily basis and looking for vulnerabilities.

To have such a weak password policy would mean (we hope) they have other safeguards in place for money transfers, etc. Who knows. It will take one breach in the news, for the entire security team to be fired, and you will see job postings:) I am tending to lean towards weak security controls at Vanguard. Vanguard is made to be lean, cut costs everywhere, to have these low expense ratios. Security professionals are expensive. Building security into development is costly. Some companies cut corners. Does Vanguard?
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

Mudpuppy wrote:Finally, changing password lengths can be a non-trivial process, depending on how complex the authentication code is and what sort of legacy systems are involved. It might take months of planning and testing to even get to the point of being able to change the password scheme. And if there is truly some legacy code lurking in the belly of the beast, it might take specialists to accomplish as well. It is not as simple as changing a number and recompiling a program. Ideal? Of course not. But it is the reality.
I fully agree with this statement, and I think others here realize this as well. So it comes down to a cost / benefit analysis. For me, I think a company as large as VG would/should be embarrassed by this issue (especially since they are in the financial industry). For that reason alone I think they should pay the $$$ to fix the structural problems preventing them from using up to 30-character-long passwords. Also, clearly a small group of their investors are actively campaigning for the fix. Eventually the compliance laws will also catch up with them, and it will be a mandated fix. All good reasons to fix it now.

So even though this is potentially a very expensive fix, isn't this just the "cost of doing business" in this day and age?
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

JeffX wrote:I have been a long-time Vanguard fan. I am a web application and network penetration security professional. I break into websites and networks for a living, find the flaws, and disclose them to the developers, and help them fix the issues.

In all reality, the password policy for Vanguard is horrible. All it takes is one SQL injection, file inclusion, or any other type of website attack to gain access to a database or file system that contains confidential information. I am not saying that Vanguard is vulnerable. It is illegal for me to test their site. However, I guarantee foreign countries are targeting vanguard.com on a daily basis and looking for vulnerabilities.

To have such a weak password policy would mean (we hope) they have other safeguards in place for money transfers, etc. Who knows. It will take one breach in the news, for the entire security team to be fired, and you will see job postings:) I am tending to lean towards weak security controls at Vanguard. Vanguard is made to be lean, cut costs everywhere, to have these low expense ratios. Security professionals are expensive. Building security into development is costly. Some companies cut corners. Does Vanguard?

Great post. I love it that VG is lean and mean, but I hope one of the things they spend money on is physical security and electronic security. To me VG stands for excellence at better than average cost. That's how they need to go about structural problems with the password length fix. They need to get these security issues fixed, with industry best security at a better than average cost to their owners (you and me).
Alex Frakt
Founder
Posts: 11589
Joined: Fri Feb 23, 2007 12:06 pm
Location: Chicago
Contact:

Re: Vanguard is on the Password Hall of Shame.

Post by Alex Frakt »

This site has been the victim of a brute force distributed password attack. Using a complex password would have saved you from getting your account hacked. But you should never confuse a site like ours, where security primarily depends on your password, with that of a financial institution. They need multi-layer security policies, hardware and software that is of a completely different nature than what most of us are familiar with.

The truth is that we know nothing about Vanguard's internal security system and that is what matters. If a security system is properly set up, 10 characters is enough. If it is not, 1000 characters is not enough. Anyone who tells you something different is either trying to sell you something, is ignorant of the facts, or is making unwarranted assumptions about the target site. The 10 character limit tells you nothing, you should feel exactly as confident using Vanguard's security as you do any other financial institution.

In fact, I'm happy that Vanguard is unwilling to waste money to re-engineer whatever parts of their security system depend on the 10 character limit. It shows they still realize that any money spent on non-essentials comes right out of our pockets. For exactly the same reason, I'm confident they will change this policy if the potential or actual costs of not changing it are sufficiently high.
BillyG
Posts: 427
Joined: Sat Nov 17, 2012 8:02 pm
Location: DC, USA

Re: Vanguard is on the Password Hall of Shame.

Post by BillyG »

Not that this is relevant to Vanguard's security, but for really poor security (based only on what I know about their password requirements) at a higher cost check out Fidelity's site!
http://www.fidelity.com

Billy
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

Ellen Rinaldi "is responsible for protecting client information, among other key responsibilities."

http://www.vanguardblog.com/author/erinaldi

Ellen posted this Vanguard blog:

http://www.vanguardblog.com/2010.02.04/ ... sword.html

wherein she advised "The greater the combination of uppercase and lowercase letters, the better."

She elicited some advice for free in the blog comments: "You may want to share some of this info with those responsible for security at Vanguard. As far as I can tell, the passwords at vanguard.com are not case sensitive." The poster had apparently not clicked over to Ellen's profile to find that she is responsible for security at Vanguard.

This blog has been up for almost 3 years.
Khuzud
Posts: 49
Joined: Wed Dec 29, 2010 10:16 am

Re: Vanguard is on the Password Hall of Shame.

Post by Khuzud »

tadamsmar wrote:She elicited some advice for free in the blog comments: "You may want to share some of this info with those responsible for security at Vanguard. As far as I can tell, the passwords at vanguard.com are not case sensitive."
Wow, I just tried it and the comment is correct. You can switch upper/lower case for any letter in your Vanguard password and it still works.
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

tadamsmar wrote:Ellen Rinaldi "is responsible for protecting client information, among other key responsibilities."

This blog has been up for almost 3 years.
Yeah, and you aren't seeing about 1/2 the comments that people took time to write, edit, and post, that never showed up in the comments. I fully agree that VG has the right to edit and/or choose not to publish select comments to their blogs. But I know for a fact that several critical but informative comments were never published, including some of mine. I obviously don't need to see my own comments, but I'm sure I missed some very insightful comments other VG customers posted that never saw the light of day on this password issue.

edit - For this very reason, I am very thankful for this forum. Bogleheads is a great place to Praise great companies like Vanguard, but also call them out when things are not ideal. Kudos to all the smart people here who take time to post.
User avatar
Rob5TCP
Posts: 3811
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Vanguard is on the Password Hall of Shame.

Post by Rob5TCP »

Wow - I sent a note to Vanguard at the beginning of this post. I just received a call about my security concerns. I referred her to the Bogleheads post (she was aware of others). Additionally we spoke at length about my concerns about the "apparent" lack of password security. She stated this has been brought up and while other measures are in place, she will bring this to their attention.

I did set up a stronger security password for when I call in.

Good to know they are at least paying attention.
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

From Vanguard:
Vanguard.com’s password guidelines are currently in line with industry “best practices” for encryption and hashing.
http://www.vanguardblog.com/2010.02.04/ ... ment-19206

The Password Hall of Shame claim that Vanguard probably uses plaintext is wrong. Vanguard is on record as not using plain text password storage. As others have pointed out, the notion that a maximum length limit implied plain text storage is not solid, since there are other reasons for having a maximum length.

Also, the blog comment and the reply at least represent that the poster and Rinaldi understand that very long passwords are required to limit the success of brute force attacks on stolen hash files in the case of a data breach:

http://www.vanguardblog.com/2010.02.04/ ... ment-19206
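As an added example (my own Python, not Vanguard's code or anything from their blog), the block below quantifies the two points raised in this post and in Khuzud's observation above that upper/lower case can be swapped freely: folding case before hashing shrinks the space an attacker must search against a stolen hash file, and a maximum length enforced at input time says nothing about whether the stored value is a salted hash. The weak case-folding verifier is shown next to the corrected one. The 10-character cap, alphabet sizes and PBKDF2 round count are constructed for the illustration.

```python
import hashlib
import hmac
import math
import os
import string

ROUNDS = 100_000  # placeholder work factor for the slow KDF

# Alphabet sizes for the comparison (constructed: letters + digits only).
CASE_SENSITIVE_ALNUM = len(string.ascii_letters + string.digits)  # 62
CASE_FOLDED_ALNUM = len(string.ascii_lowercase + string.digits)   # 36


def keyspace_bits(alphabet_size, max_len, min_len=1):
    """Bits an attacker must search to cover every password from min_len to max_len."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def folded_penalty_bits(max_len=10):
    """How many bits of search space are lost when a max_len policy also folds case."""
    return keyspace_bits(CASE_SENSITIVE_ALNUM, max_len) - keyspace_bits(CASE_FOLDED_ALNUM, max_len)


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


# Weak pattern: normalise case before hashing, so "Secret1" and "SECRET1" collide.
def store_password_folded(password):
    salt = os.urandom(16)
    return salt, _kdf(password.lower(), salt)


def verify_folded(password, record):
    salt, digest = record
    return hmac.compare_digest(_kdf(password.lower(), salt), digest)


# Hardened pattern: hash the password exactly as typed, with a per-user random salt.
def store_password(password):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def verify(password, record):
    salt, digest = record
    return hmac.compare_digest(_kdf(password, salt), digest)


def accepted_by_policy(password, max_len=10):
    """A length cap is an input-validation rule; it is independent of how the
    accepted password is then stored (here: always as a salted PBKDF2 hash)."""
    return len(password) <= max_len


if __name__ == "__main__":
    print(f"62-char alphabet, up to 10 chars: {keyspace_bits(62, 10):.1f} bits")
    print(f"36-char alphabet, up to 10 chars: {keyspace_bits(36, 10):.1f} bits")
    print(f"case folding costs about {folded_penalty_bits():.1f} bits")
    rec = store_password("Secret123")
    print(verify("SECRET123", rec), verify("Secret123", rec))
```

Run as a script it prints roughly 59.6 and 51.7 bits for the two alphabets, a loss of about 7.8 bits (a factor of roughly 220 in attacker effort) from case folding alone at a 10-character cap.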
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

One thing to remember, even if Vanguard allowed much longer passwords, many users would still use easy to crack passwords. So, Vanguard might still have about the same level of financial risk from a data breach. It helps the specific users that use passwords that are very difficult to crack, but it does not help Vanguard that much. There are probably other security practices that do them more good.
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

tadamsmar wrote:One thing to remember, even if Vanguard allowed much longer passwords, many users would still use easy to crack passwords. So, Vanguard might still have about the same level of financial risk from a data breach. It helps the specific users that use passwords that are very difficult to crack, but it does not help Vanguard that much. There are probably other security practices that do them more good.
Come to think of it, it does not do the user much good since they will get (mostly) reimbursed anyway.
User avatar
Jerilynn
Posts: 1929
Joined: Tue Sep 06, 2011 12:49 pm
Location: USA, Earth

Re: Vanguard is on the Password Hall of Shame.

Post by Jerilynn »

Alex Frakt wrote:This site has been the victim of a brute force distributed password attack. Using a complex password would have saved you from getting your account hacked. But you should never confuse a site like ours, where security primarily depends on your password, with that of a financial institution. They need multi-layer security policies, hardware and software that is of a completely different nature than what most of us are familiar with.

The truth is that we know nothing about Vanguard's internal security system and that is what matters. If a security system is properly set up, 10 characters is enough. If it is not, 1000 characters is not enough. Anyone who tells you something different is either trying to sell you something, is ignorant of the facts, or is making unwarranted assumptions about the target site. The 10 character limit tells you nothing, you should feel exactly as confident using Vanguard's security as you do any other financial institution.

In fact, I'm happy that Vanguard is unwilling to waste money to re-engineer whatever parts of their security system depend on the 10 character limit. It shows they still realize that any money spent on non-essentials comes right out of our pockets. For exactly the same reason, I'm confident they will change this policy if the potential or actual costs of not changing it are sufficiently high.
Thanks Alex. This makes me feel a lot better. :sharebeer
Cordially, Jeri . . . 100% all natural asset allocation. (no supernatural methods used)
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

tadamsmar wrote:One thing to remember, even if Vanguard allowed much longer passwords, many users would still use easy to crack passwords. So, Vanguard might still have about the same level of financial risk from a data breach. It helps the specific users that use passwords that are very difficult to crack, but it does not help Vanguard that much. There are probably other security practices that do them more good.
This is true, but say VG made the current max length the new min length, and enforced other basic password requirements. The people who care (like people on Bogleheads) would be happy, and even people who don't think much about their passwords would in theory be more secure than they currently are if the very next time they logged in, they were prompted to update their password. Even if most users continue to use weak passwords, they'll be better off than they are now. And maybe VG could make helpful/insightful blog posts, videos, FAQ, etc. on the topic that will help educate people to get the rest of their electronic security house in order. Is that too optimistic? :P
nonnie
Posts: 3010
Joined: Thu Mar 13, 2008 8:05 pm

Re: Vanguard is on the Password Hall of Shame.

Post by nonnie »

Rob5TCP wrote:
This is a major problem in Europe - but not because of the 4 digit code.

https://www.nytimes.com/2011/11/17/nyre ... .html?_r=0

http://www.npr.org/blogs/money/2012/10/ ... t-skimming

Here it has not been a major issue. But, that is no guarantee it won't be.
Biometrics would help a great deal with ATMs. PINs are starting to become too easily acquired.
Seems as though I read about adulterated ATMs in the US almost monthly-- mostly at gas stations but I've also read about them being installed at self-checkout machines.
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Sidney »

MathWizard wrote:
nonnie wrote:Can someone explain to me why ATM and other PIN numbers are only 4 digits long and why this isn't an even *more* serious problem?

Nonnie
The ATM card is an example of two-factor authentication. Something you physically have, the ATM card, plus something you know.

Also, my account limits dispensing cash via ATM to $200/day max (unless I allow more for some specified period of time, which I did for trips to Europe.) It would be difficult to drain $100K in $200/day increments without me noticing.

I don't allow my CC to be used in an ATM, so only my cash card is vulnerable in an ATM.

Lastly, this is your bank account, not your retirement account. It probably does not have multiples of $100K in it.
You can backstop this by creating a separate account that is only used for ATM and maintain a very low balance. I don't do this because I normally keep very little cash in my checking account to begin with and I only use an ATM about once every two months. But with banks like USAA it is easy to create a separate account and fund it sparingly. I have friends who do this for their children so that they have access to a small amount of cash that they (the parents) can monitor and control.
I always wanted to be a procrastinator.
nonnie
Posts: 3010
Joined: Thu Mar 13, 2008 8:05 pm

Re: Vanguard is on the Password Hall of Shame.

Post by nonnie »

With all this discussion I decided to log into my Vanguard account to check out a couple things. I noticed that in Roboform-- where I store all my passwords-- it has created an entry, "Account Creation Data:password = xxxxXX (4 alpha, last two numbers). My pw is 8 digits-- mean anything?

Edit: then I deleted a linked bank account that I just closed, tried to print out the confirmation and got:
"Call Vanguard
new vg.LayerNG('cuicCallVanguardLayer', {"width":"310px","suppressLayout":false,"positionLeft":"centered","contentURL":"%s/XHTML/web/cuic/contactus/view/contactusphone.xhtml","closeable":true,"persist":false,"leader":false,"resizeable":false,"positionTop":"centered","transitionType":"fadeinout_open_only","disableDefaultFocus":false,"fixedPosition":false,"shadow":false,"processGeoEvents":true,"moveable":false,"height":"auto","modal":true} );
IE bug fix: first element can't be script
Top of Form
Are you sure you want to delete this bank account?

Click Yes to delete this bank account.

Click No to return to the previous page.

Bottom of Form
Your bank account was successfully deleted."

IE bug fix: first element can't be script
Top of Form
Your bank account was successfully deleted.

I know it doesn't mean anything and that my bank account was successfully deleted but why does it seem I always get the aberration?

Nonnie
User avatar
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Vanguard is on the Password Hall of Shame.

Post by telemark »

Alex Frakt wrote:This site has been the victim of a brute force distributed password attack. Using a complex password would have saved you from getting your account hacked. But you should never confuse a site like ours, where security primarily depends on your password, with that of a financial institution. They need multi-layer security policies, hardware and software that is of a completely different nature than what most of us are familiar with.

The truth is that we know nothing about Vanguard's internal security system and that is what matters. If a security system is properly set up, 10 characters is enough. If it is not, 1000 characters is not enough. Anyone who tells you something different is either trying to sell you something, is ignorant of the facts, or is making unwarranted assumptions about the target site. The 10 character limit tells you nothing, you should feel exactly as confident using Vanguard's security as you do any other financial institution.

In fact, I'm happy that Vanguard is unwilling to waste money to re-engineer whatever parts of their security system depend on the 10 character limit. It shows they still realize that any money spent on non-essentials comes right out of our pockets. For exactly the same reason, I'm confident they will change this policy if the potential or actual costs of not changing it are sufficiently high.
I hope you're right, but to me that sounds suspiciously like "I just checked the barn and the horse is still there, so we can save some money by not buying a new lock." Password cracking techniques are getting more and more sophisticated. 10 characters ignoring case wasn't enough in 2010 and it certainly isn't in 2012. There's no immediate need to panic, but Vanguard seems to think there isn't a problem, and I emphatically disagree.
KyleAAA
Posts: 9496
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Vanguard is on the Password Hall of Shame.

Post by KyleAAA »

telemark wrote:
Alex Frakt wrote:This site has been the victim of a brute force distributed password attack. Using a complex password would have saved you from getting your account hacked. But you should never confuse a site like ours, where security primarily depends on your password, with that of a financial institution. They need multi-layer security policies, hardware and software that is of a completely different nature than what most of us are familiar with.

The truth is that we know nothing about Vanguard's internal security system and that is what matters. If a security system is properly set up, 10 characters is enough. If it is not, 1000 characters is not enough. Anyone who tells you something different is either trying to sell you something, is ignorant of the facts, or is making unwarranted assumptions about the target site. The 10 character limit tells you nothing, you should feel exactly as confident using Vanguard's security as you do any other financial institution.

In fact, I'm happy that Vanguard is unwilling to waste money to re-engineer whatever parts of their security system depend on the 10 character limit. It shows they still realize that any money spent on non-essentials comes right out of our pockets. For exactly the same reason, I'm confident they will change this policy if the potential or actual costs of not changing it are sufficiently high.
I hope you're right, but to me that sounds suspiciously like "I just checked the barn and the horse is still there, so we can save some money by not buying a new lock." Password cracking techniques are getting more and more sophisticated. 10 characters ignoring case wasn't enough in 2010 and it certainly isn't in 2012. There's no immediate need to panic, but Vanguard seems to think there isn't a problem, and I emphatically disagree.
I for one am not even slightly worried about the password cracking thing. What I AM worried about is that Vanguard isn't taking a pretty obvious (even if it's only symbolic) step. The excuse that it would cost too much is nonsense. It would not be an overly complex change, even on a legacy system. It wouldn't even be all THAT expensive to completely replace the legacy system. Not for a company with nearly $2 trillion under management, at least.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Vanguard is on the Password Hall of Shame.

Post by Mudpuppy »

KyleAAA wrote:I for one am not even slightly worried about the password cracking thing. What I AM worried about is that Vanguard isn't taking a pretty obvious (even if it's only symbolic) step. The excuse that it would cost too much is nonsense. It would not be an overly complex change, even on a legacy system. It wouldn't even be all THAT expensive to completely replace the legacy system. Not for a company with nearly $2 trillion under management, at least.
It is clear from this comment that you do not understand the technical and logistical issues involved in such a change. Suffice it to say, it is a very, very non-trivial process to replace a legacy system. It IS an overly complex change. It is a huge logistical nightmare, even with the best plan and flawless execution of said plan. Throw in regulatory issues and paperwork requirements and it's a can of worms so massive, one cannot just throw money or experts at it and expect it to be done in days.

Great, now I am having flashbacks to Y2K patches and the paperwork that had to be filed in triplicate for each patch installed.... stacks and stacks of paperwork....