Alex Frakt wrote: It is impossible to draw the conclusion that Vanguard is not doing enough to ensure the security of their systems based on the data available to us. I have discussed the 10 character password limit extensively above. Could you please show me where I have erred before continuing with your claim that it is somehow indicative of lax security on Vanguard's part?
Speaking as a moderator... Absent any supporting information, insinuations of unlawful behavior - in this case that Vanguard would be willing to cover up major security breaches in violation of the GLBA - are not acceptable on this site.
I completely agree with you: It is impossible to conclude anything about the security of Vanguard's infrastructure based on the information available to us. I am merely voicing my concern that Vanguard's security may be like Vanguard's website, which I perceive to be amateurish. In a world of rising numbers of hacking attempts and successes, I see this as a threat to Vanguard's low-cost structure.
I believe where we disagree is on what you call "...extremely low-probability scenarios..." I don't see this as an error on your part. Rather I see this as a point where we disagree. I posted some links that show that approximately 20% of internet users have had their online accounts compromised in some fashion (http://www.thawte.com/about/news/?story=368849). If 20% of internet users have been affected, then it is not extremely low-probability IMHO that there are more direct attacks going on.
If you're interested, I think you might enjoy reading "Ghost in the Wires" by Kevin Mitnick. It is absolutely astounding what he was able to do. For example, he wire tapped the people that were wire tapping him.
Here's where I am coming from: In the late 90's I was part of the Digital Display Working Group (DDWG), the group that created the Digital Visual Display (DVI) standard. The Motion Picture Association of America (MPAA) was very troubled by the idea of their copyrighted content being sent over an unencrypted digital interface. Intel, the promoter of DVI, created the High-Bandwidth Digital Content Protection (HDCP) standard to assuage their fears. I sat in numerous meetings where "cryptology experts" expounded on the difficulty of cracking HDCP. They put into place elaborate key revocation and protection methods. The MPAA was happy. DVI rolled out (if my memory serves) in 1999. On November 5, 2001, Scott Crosby from Carnegie Mellon and some others from Berkeley presented a paper "A Cryptanalysis of the High-bandwidth Digital Content Protection System" (http://www.cypherpunks.ca/~iang/pubs/hdcp-drm01.pdf) that outlined how to get around HDCP. HDCP lasted less than two years before it was compromised. In 2010 the HDCP master key was hacked with $250 worth of hardware (http://www.engadget.com/2010/09/14/hdcp ... y-protect/). At this point HDCP is nearly useless.
During roughly the same time frame, I was also sitting on the IEEE 802.11 committee. Wireless security was a huge concern. I sat in the audience during one presentation on the new "unbreakable" encryption system. Apparently unfamiliar with the term "hubris", they named the new standard "Wired Equivalent Privacy" or WEP. In less than 18 months I sat in another conference room and watched another "crypto expert" hack the WEP password and break into a random audience member's laptop in less than 8 minutes. That led to TKIP which led to WPA. I understand that WPA can now be hacked in less than 1 minute: http://www.pcmag.com/article2/0,2817,2352231,00.asp
Numerous other encryption systems have fallen. The Content Scrambling System (CSS) used to encrypt DVDs is now considered worthless. The RSA tokens were hacked. Just today the WSJ and the NY Times announced they were hacked (http://www.cnn.com/2013/01/31/tech/chin ... index.html).
With all of these experiences I think you can probably forgive me if I remain skeptical that the Vanguard 10 character passwords that treat upper and lower case letters as equal are that difficult to crack. You say it would require access to the hashed password file. Read "Ghost in the Wires" and see if that doesn't change your mind about how hard that file is to obtain. The vast majority of Kevin Mitnick's hacks had an element of social engineering. Don't assume that the hack is going to be a straightforward assault on the network. Read the first chapter of "Ghost in the Wires" for a description of a typical hack.
I apologize if it seems like I'm itching for a fight. I really am not. I am quite concerned about online security in general and Vanguard's security in particular. It seems to me that at a minimum Vanguard should permit longer passwords as that exponentially increases the time it takes to hack them.
EDIT: Defuse Security lists Vanguard in their "Password Policy Hall of Shame": https://defuse.ca/password-policy-hall-of-shame.htm They apparently believe Vanguard passwords might be stored as plain text. I am dubious of this claim.
In any case, according to this Wiki article Vanguard passwords (10 character single-case) can be cracked in less than a day: http://en.wikipedia.org/wiki/Password_strength. Read the paragraph labeled "Password guess validation".
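The post above makes two quantitative claims that are easy to check with a small calculation: that allowing longer passwords grows the attacker's search space exponentially, and that a 10 character single-case password is within reach of an offline guessing attack once the hashed password file is obtained. The script below is an added worked example, not code from the post or from Vanguard. The alphabet sizes (36 for case-folded letters plus digits, 62 for mixed case, 95 for printable ASCII), the guess rate of 1e10 per second, and the choice of PBKDF2-HMAC-SHA256 as the slow hash are all assumptions chosen for illustration; the point it demonstrates is that both the length/alphabet policy and the server-side hashing cost multiply the attacker's work, and that neither one substitutes for the other.

```python
import hashlib
import hmac
import math
import os

# Alphabet sizes for the policies being compared (assumed values, not from the post):
# 36 = 26 case-folded letters + 10 digits (a policy that treats A and a as equal);
# 62 = mixed-case letters + digits; 95 = all printable ASCII.
ALPHABETS = {"single-case+digits": 36, "mixed-case+digits": 62, "printable-ascii": 95}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def length_multiplier(alphabet_size, extra_chars):
    """Factor by which the search space grows when the policy permits `extra_chars` more."""
    return alphabet_size ** extra_chars


def seconds_to_exhaust(alphabet_size, length, guesses_per_second, kdf_iterations=1):
    """Worst-case time for an offline attacker to try every password.

    `guesses_per_second` is the attacker's rate against one fast hash call
    (an assumed figure supplied by the caller). A slow KDF with `kdf_iterations`
    rounds divides that rate, because every guess now costs that many hash calls.
    """
    effective_rate = guesses_per_second / kdf_iterations
    return keyspace(alphabet_size, length) / effective_rate


def policy_table(guesses_per_second=1e10, lengths=(10, 12, 16)):
    """Return (policy, length, entropy bits, days to exhaust) rows for each policy."""
    rows = []
    for name, size in ALPHABETS.items():
        for n in lengths:
            days = seconds_to_exhaust(size, n, guesses_per_second) / 86400
            rows.append((name, n, round(entropy_bits(size, n), 1), days))
    return rows


# Defender side: the stored record is a salted, iterated hash, never the plain text.
# PBKDF2 is used here only because it ships with the standard library (assumption).
def hash_password(password, salt=None, iterations=600_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    for name, n, bits, days in policy_table():
        print(f"{name:20s} len={n:2d} {bits:6.1f} bits  ~{days:.3g} days at 1e10 guesses/s")
    print("adding 2 chars to a 36-char alphabet multiplies the space by", length_multiplier(36, 2))
    slow_days = seconds_to_exhaust(36, 10, 1e10, kdf_iterations=600_000) / 86400
    print(f"same 10-char single-case space behind 600k-round PBKDF2: ~{slow_days:.3g} days")
    record = hash_password("constructed-sample-password")  # constructed sample, not a real credential
    print("verify correct:", verify_password("constructed-sample-password", record))
    print("verify wrong:  ", verify_password("something-else", record))
```

Running it shows why the two levers are complementary: a 10 character single-case password has about 51.7 bits of entropy and, at the assumed 1e10 guesses per second against a fast hash, the whole space is exhausted in a few days, while each extra character multiplies that by 36 and a slow KDF multiplies it again by its iteration count. The `hash_password` / `verify_password` pair is the storage pattern that makes the "hashed password file" worth far less to whoever obtains it than a plain-text file would be.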