Vanguard implements 20 character passwords

Archie Sinclair
Posts: 409
Joined: Sun Mar 06, 2011 2:03 am

Re: Vanguard implements 20 character passwords

Post by Archie Sinclair » Sat Nov 09, 2013 10:06 pm

Nope.


BradMajors
Posts: 396
Joined: Sun Mar 18, 2007 1:56 pm

Re: Vanguard implements 20 character passwords

Post by BradMajors » Sun Nov 10, 2013 3:02 am

The security feature I want is for Vanguard to prohibit logins from Eastern Europe.

Doc
Posts: 7610
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: Vanguard implements 20 character passwords

Post by Doc » Sun Nov 10, 2013 10:59 am

BradMajors wrote:The security feature I want is for Vanguard to prohibit logins from Eastern Europe.


Hey, I know a whole lot of Americans in the banking services industry that are based in Eastern Europe. (Their firm's HQ is in the US heartland.)

If Vanguard prohibited them from logins who knows what might happen to Vanguard's banking arrangements. :P

Be careful what you wish for. :D
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

Electron
Posts: 1656
Joined: Sat Mar 10, 2007 8:46 pm

Re: Vanguard implements 20 character passwords

Post by Electron » Wed Nov 20, 2013 4:55 pm

geoff2 wrote:That's a good question, and I tested this and also tested to see if it were case sensitive. First, I entered the first 17 characters of my password, omitting the last three. It wouldn't let me log in. Next, I swapped the last character in the password, a lowercase letter, with its uppercase equivalent, keeping everything else the same. It wouldn't let me log in then either. So, as far as I can tell, the longer passwords are case sensitive and are verified using the entire length of the password.

Great to hear that the 20 character password is case sensitive on both letters and numbers and also that all password characters are required.

That does not appear to be the case with the answers to the security questions. Those answers apparently can have a single character error in content or length and still work. One can add extra security by forcing the use of the security questions at every log on and the answers can be up to 50 characters. It's a little surprising that they tolerate a single character error on the answers.
Electron

blevine
Posts: 1696
Joined: Sat Feb 27, 2010 3:57 pm
Location: Paradise

Re: Vanguard implements 20 character passwords

Post by blevine » Tue Dec 10, 2013 9:51 pm

Not far enough. Paypal and Etrade have the random password token generator, or multi-factor authentication. Much more secure, and these days very low cost to implement since you no longer need to mail a key fob to customers, they can download the generator on iphone etc, and generate the random part of your password there, keeping a traditional password as part of the total password.

I feel more secure using etrade and paypal than Vanguard or other online companies who do not offer this optional extra level of security.

TomatoTomahto
Posts: 6784
Joined: Mon Apr 11, 2011 1:48 pm

Re: Vanguard implements 20 character passwords

Post by TomatoTomahto » Tue Dec 10, 2013 10:28 pm

blevine wrote:I feel more secure using etrade and paypal than Vanguard or other online companies who do not offer this optional extra level of security.

I would too, except that my PayPal account was hacked and my Vanguard account wasn't. I was watching transactions taking place as I was on the phone with PayPal pleading that they please freeze the account. They did within a half hour or so, and I got all my money back within a few weeks, after promising that I wasn't purchasing gun accessories for someone in Estonia.

blevine
Posts: 1696
Joined: Sat Feb 27, 2010 3:57 pm
Location: Paradise

Re: Vanguard implements 20 character passwords

Post by blevine » Tue Dec 10, 2013 10:34 pm

TomatoTomahto wrote:
blevine wrote:I feel more secure using etrade and paypal than Vanguard or other online companies who do not offer this optional extra level of security.

I would too, except that my PayPal account was hacked and my Vanguard account wasn't. I was watching transactions taking place as I was on the phone with PayPal pleading that they please freeze the account. They did within a half hour or so, and I got all my money back within a few weeks, after promising that I wasn't purchasing gun accessories for someone in Estonia.


Did you have the extra paypal "Security Key" ?

https://www.paypal.com/us/cgi-bin/websc ... ey-outside

TomatoTomahto
Posts: 6784
Joined: Mon Apr 11, 2011 1:48 pm

Re: Vanguard implements 20 character passwords

Post by TomatoTomahto » Tue Dec 10, 2013 10:40 pm

blevine wrote:
TomatoTomahto wrote:
blevine wrote:I feel more secure using etrade and paypal than Vanguard or other online companies who do not offer this optional extra level of security.

I would too, except that my PayPal account was hacked and my Vanguard account wasn't. I was watching transactions taking place as I was on the phone with PayPal pleading that they please freeze the account. They did within a half hour or so, and I got all my money back within a few weeks, after promising that I wasn't purchasing gun accessories for someone in Estonia.


Did you have the extra paypal "Security Key" ?

https://www.paypal.com/us/cgi-bin/websc ... ey-outside


No, this was actually a while ago. I don't think they had the security key then. Issue is moot; I closed my account.

555
Posts: 4955
Joined: Thu Dec 24, 2009 7:21 am

Re: Vanguard implements 20 character passwords

Post by 555 » Tue May 19, 2015 10:48 pm

Duckie wrote:Either from the top or the bottom of the page mine works like this:

My Accounts >> Account maintenance >> Security profile >> Timeout settings


I realize this is 18 months old, but I cannot find this.
How do you change timeout settings these days?

Duckie
Posts: 5076
Joined: Thu Mar 08, 2007 2:55 pm

Re: Vanguard implements 20 character passwords

Post by Duckie » Wed May 20, 2015 3:52 pm

555 wrote:I realize this is 18 months old, but I cannot find this.
How do you change timeout settings these days?

I am Flagship and don't have the brokerage account so your pages may look different, but mine work like this when logged in >> My Accounts >> Account maintenance (bottom of 3rd column) >> under Security profile (bottom of 2nd column) click Timeout settings >> 2 options available:
    The default setting of 15 minutes of inactivity or 2 hours regardless of activity
    The custom setting of 4 hours regardless of activity

555
Posts: 4955
Joined: Thu Dec 24, 2009 7:21 am

Re: Vanguard implements 20 character passwords

Post by 555 » Wed May 20, 2015 5:22 pm

Duckie wrote:
555 wrote:I realize this is 18 months old, but I cannot find this.
How do you change timeout settings these days?

I am Flagship and don't have the brokerage account so your pages may look different, but mine work like this when logged in >> My Accounts >> Account maintenance (bottom of 3rd column) >> under Security profile (bottom of 2nd column) click Timeout settings >> 2 options available:
    The default setting of 15 minutes of inactivity or 2 hours regardless of activity
    The custom setting of 4 hours regardless of activity

When I go to Account maintenance --> Security profile
there is no Timeout settings option available.

tyler_cracker
Posts: 309
Joined: Sat Dec 03, 2011 2:50 pm
Location: sending out the kicking team

Re: Vanguard implements 20 character passwords

Post by tyler_cracker » Wed May 20, 2015 9:37 pm

i don't have Duckie's option either. i'm a voyager fwiw.

wbrianwhite
Posts: 38
Joined: Fri Dec 19, 2014 9:44 am

Re: Vanguard implements 20 character passwords

Post by wbrianwhite » Fri May 22, 2015 4:00 am

tibbitts wrote:
Epsilon Delta wrote:
Clever_Username wrote:Well, they aren't (yet) accepting correcthorsebatterystaple as a password, but it's still a step in the right direction.

This is great news; thanks for letting me know.


I'm still going to [complain - admin LadyGeek]. It's a partial fix when the full fix (going to 100+ characters) had almost exactly the same cost. It does not speak well of Vanguard's IT department or management.

I don't see how you can say that the cost would have been the same unless you're intimately familiar with VG's IT. I can imagine possibly being a little, or... more than a little. Certainly I can see the cost varying at different length breakpoints depending on how it's implemented.


There is literally no extra storage cost if they follow the standard model of storing passwords hashed. When you hash any character input, big or small, using the same hash algorithm you get exactly the same size of text as output. This is why it's feasible for people to post the MD5 hash of large downloaded software or audio/video files. So MD5(8charact) outputs a value the same length as MD5(100characters++++++++++++++++++++++++++++++++)

http://www.danstools.com/md5-hash-generator/
Your Hash: eabe8804c0236f1c62ab9c2b7546715d
Your String: 8charact

Your Hash: 71feacf80c41ea31049868248bd13455
Your String: 100characters++++++++++++++++++++++++++++++++

You can put the entire contents of this Web page in there and it will be the same length hash output. There is a trivially higher amount of computation involved, but it's really trivial. Your smart phone could hash millions of passwords a day.

telemark
Posts: 2056
Joined: Sat Aug 11, 2012 6:35 am

Re: Vanguard implements 20 character passwords

Post by telemark » Fri May 22, 2015 8:36 am

wbrianwhite wrote:You can put the entire contents of this Web page in there and it will be the same length hash output. There is a trivially higher amount of computation involved, but it's really trivial. Your smart phone could hash millions of passwords a day.

Which is why MD5 is no longer considered acceptable for password hashing. Use bcrypt or scrypt instead.
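
The two points made in the posts above (stored size does not depend on password length, and a fast hash such as MD5 is the wrong tool for passwords) shown as an added example that is not part of any poster's message. The scrypt cost parameters, salt length and sample passwords are assumptions chosen for illustration, not Vanguard's settings.

```python
import hashlib
import hmac
import os
import time

# scrypt cost parameters: assumed values for illustration, not Vanguard's.
N, R, P, DKLEN, SALT_LEN = 2**14, 8, 1, 32, 16
MAXMEM = 64 * 1024 * 1024  # headroom for the ~16 MiB scrypt needs here


def md5_hex(password: str) -> str:
    """Fast unsalted digest as in the post; shown only for comparison."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=N, r=R, p=P, maxmem=MAXMEM, dklen=DKLEN)


def make_record(password: str) -> bytes:
    """Return salt || derived key: always SALT_LEN + DKLEN bytes."""
    salt = os.urandom(SALT_LEN)
    return salt + _scrypt(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_scrypt(password, salt), stored)


def seconds_per_hash(fn, password: str, rounds: int) -> float:
    """Average wall-clock cost of one call to fn(password)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    short_pw = "8charact"                          # constructed sample
    long_pw = "Correct-Horse-Battery-Staple-" * 4  # constructed, 116 chars
    for pw in (short_pw, long_pw):
        # password length, MD5 hex length, scrypt record length
        print(len(pw), len(md5_hex(pw)), len(make_record(pw)))
    rec = make_record(long_pw)
    # full password, last three characters omitted, case swapped
    print(verify(long_pw, rec), verify(long_pw[:-3], rec),
          verify(long_pw.swapcase(), rec))
    print("md5 s/hash:   ", seconds_per_hash(md5_hex, long_pw, 10000))
    print("scrypt s/hash:", seconds_per_hash(make_record, long_pw, 3))
```

The per-hash timings are what separate the two: a defender pays the scrypt cost once per login, while someone guessing against a stolen table pays it for every candidate.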

tibbitts
Posts: 6943
Joined: Tue Feb 27, 2007 6:50 pm

Re: Vanguard implements 20 character passwords

Post by tibbitts » Sat May 23, 2015 2:44 pm

wbrianwhite wrote:
tibbitts wrote:
Epsilon Delta wrote:
Clever_Username wrote:Well, they aren't (yet) accepting correcthorsebatterystaple as a password, but it's still a step in the right direction.

This is great news; thanks for letting me know.


I'm still going to [complain - admin LadyGeek]. It's a partial fix when the full fix (going to 100+ characters) had almost exactly the same cost. It does not speak well of Vanguard's IT department or management.

I don't see how you can say that the cost would have been the same unless you're intimately familiar with VG's IT. I can imagine possibly being a little, or... more than a little. Certainly I can see the cost varying at different length breakpoints depending on how it's implemented.


There is literally no extra storage cost if they follow the standard model of storing passwords hashed. When you hash any character input, big or small, using the same hash algorithm you get exactly the same size of text as output. This is why it's feasible for people to post the MD5 hash of large downloaded software or audio/video files. So MD5(8charact) outputs a value the same length as MD5(100characters++++++++++++++++++++++++++++++++)

http://www.danstools.com/md5-hash-generator/
Your Hash: eabe8804c0236f1c62ab9c2b7546715d
Your String: 8charact

Your Hash: 71feacf80c41ea31049868248bd13455
Your String: 100characters++++++++++++++++++++++++++++++++

You can put the entire contents of this Web page in there and it will be the same length hash output. There is a trivially higher amount of computation involved, but it's really trivial. Your smart phone could hash millions of passwords a day.

What I meant was that I don't know how many software packages interface with passwords, and how many of them are homegrown VG packages vs. third-party packages, each of which might have a different cost associated with increasing password (input) length limits. It may be that VG increased the limit to some lowest-common-denominator level based on the existing versions of software available. Or it could be that VG chose the new limit based on what they felt was some kind of behavioral limit as to what they could handle without increasing costs from a customer support perspective.

dolphinsaremammals
Posts: 2094
Joined: Tue Jul 22, 2014 4:18 pm

Re: Vanguard implements 20 character passwords

Post by dolphinsaremammals » Sat May 23, 2015 3:03 pm

555 wrote:
Duckie wrote:
555 wrote:I realize this is 18 months old, but I cannot find this.
How do you change timeout settings these days?

I am Flagship and don't have the brokerage account so your pages may look different, but mine work like this when logged in >> My Accounts >> Account maintenance (bottom of 3rd column) >> under Security profile (bottom of 2nd column) click Timeout settings >> 2 options available:
    The default setting of 15 minutes of inactivity or 2 hours regardless of activity
    The custom setting of 4 hours regardless of activity

When I go to Account maintenance --> Security profile
there is no Timeout settings option available.


I'm not seeing it either. I called V and the guy was clueless, and the group that really knows has left for the day. My guess is it's partly available, like the two accounts into one stuff.

dolphinsaremammals
Posts: 2094
Joined: Tue Jul 22, 2014 4:18 pm

Re: Vanguard implements 20 character passwords

Post by dolphinsaremammals » Wed May 27, 2015 5:03 pm

I emailed Vanguard about the timeout feature. You only get the option to change it if you have $1 million with them. I can see perks based on balance, but this one is quite annoying.

555
Posts: 4955
Joined: Thu Dec 24, 2009 7:21 am

Re: Vanguard implements 20 character passwords

Post by 555 » Wed May 27, 2015 5:17 pm

dolphinsaremammals wrote:I emailed Vanguard about the timeout feature. You only get the option to change it if you have $1 million with them. I can see perks based on balance, but this one is quite annoying.

It looked like that must be the case from the comments, so I'm not surprised. It's annoying getting timed out, but Vanguard is one of many financial websites (investments, retirement accounts, banks, credit cards). They basically all time out after 15 minutes or less, so even if you could lengthen it with Vanguard, you'd still have the same problem with all the other sites, so I'm not going to worry about this.

dolphinsaremammals
Posts: 2094
Joined: Tue Jul 22, 2014 4:18 pm

Re: Vanguard implements 20 character passwords

Post by dolphinsaremammals » Thu May 28, 2015 2:41 am

555 wrote:
dolphinsaremammals wrote:I emailed Vanguard about the timeout feature. You only get the option to change it if you have $1 million with them. I can see perks based on balance, but this one is quite annoying.
It looked like that must be the case from the comments, so I'm not surprised. It's annoying getting timed out, but Vanguard is one of many financial websites (investments, retirement accounts, banks, credit cards). They basically all time out after 15 minutes or less, so even if you could lengthen it with Vanguard, you'd still have the same problem with all the other sites, so I'm not going to worry about this.


My primary credit union allows any lowly member to adjust their timeout.

TomatoTomahto
Posts: 6784
Joined: Mon Apr 11, 2011 1:48 pm

Re: Vanguard implements 20 character passwords

Post by TomatoTomahto » Thu May 28, 2015 10:40 am

We are in the esteemed >$1M cohort, but tbh, it doesn't seem like such an amazing perk not to be timed out in 15 minutes. I'm not sure that I often spend more than that amount of time there anyway.
