[Rant] Vanguard Letters

Topic Author
inverter
Posts: 318
Joined: Mon Jul 27, 2015 1:40 pm

[Rant] Vanguard Letters

Post by inverter » Fri May 15, 2020 8:13 am

I use LastPass and once a year change my password at to all of my financial institutions, including Vanguard. Every year, the same nonsense happens that momentarily sends my blood pressure through the roof. :happy

Around a week after changing my password Vanguard sends me a couple of letters. One is addressed to me and says "thanks for restoring your access by recovering your username and/or password". That makes me think someone used the forgot username/password and was able to gain access to my account... until I remember I changed my password.

This year, in addition, I got a letter addressed to my dad but at my apartment's address. Needless to say, I haven't lived with my parents in years. It remarked that "voice verification had been shut off" for him. Called Flagship rep and he had no idea what this was about or why a letter addressed to my father came to me.

I love Vanguard overall and have deep admiration for what they've done for investing, but these are mistakes that are beneath a financial institution and drive unnecessary calls to their call center and lack of faith in their systems!

retiringwhen
Posts: 1743
Joined: Sat Jul 08, 2017 10:09 am
Location: New Jersey, USA

Re: [Rant] Vanguard Letters

Post by retiringwhen » Fri May 15, 2020 8:34 am

inverter wrote:
Fri May 15, 2020 8:13 am
This year, in addition, I got a letter addressed to my dad but at my apartment's address. Needless to say, I haven't lived with my parents in years. It remarked that "voice verification had been shut off" for him. Called Flagship rep and he had no idea what this was about or why a letter addressed to my father came to me.
Are you a Trusted Contact for his accounts? If so, they send major changes to the account like that for safety and verification purposes.

The password restore thing does sound pretty cheesy. Overall, Vanguard's compliance letters and communications are abysmal.

mhalley
Posts: 8311
Joined: Tue Nov 20, 2007 6:02 am

Re: [Rant] Vanguard Letters

Post by mhalley » Fri May 15, 2020 11:42 am

Changing passwords annually does not actually increase your security. If it is causing problems, stop doing it.

https://arstechnica.com/information-tec ... gist-says/
Over the past few years, organizations including the National Institute of Standards and Technology in the US and UK government agency CESG have also concluded that mandated password changes are often ineffective or counterproductive.
https://www.sans.org/security-awareness ... ration-die


In fact, if you conduct a risk-based analysis, you will quickly determine that password expiration does far more harm than good and actually increases your risk exposure.
https://www.infoworld.com/article/31947 ... -hard.html
Here's what's out in the new guidelines:

Requiring routine password changes for the sake of changing them; passwords should be changed only when there is a risk of compromise

Chip
Posts: 3005
Joined: Wed Feb 21, 2007 4:57 am

Re: [Rant] Vanguard Letters

Post by Chip » Fri May 15, 2020 2:24 pm

mhalley wrote:
Fri May 15, 2020 11:42 am
Changing passwords annually does not actually increase your security. If it is causing problems, stop doing it.

https://arstechnica.com/information-tec ... gist-says/
There's a big difference between what the OP is doing and an organization mandating that its employees change passwords every 90 days and NOT requiring long, strong passwords. I agree the latter is stupid.

I assume that since the OP is using a password manager they are using strong and unique passwords. Changing them annually to other strong unique passwords will provide at least a little security against a hack that has already occurred at the financial institution.

It's certainly not the OP's fault that Vanguard can't seem to get its IT act together.

I have told myself repeatedly that I will do what the OP is doing. But I haven't been listening to myself. :D

csmath
Posts: 272
Joined: Sat Oct 13, 2018 11:32 am

Re: [Rant] Vanguard Letters

Post by csmath » Fri May 15, 2020 2:47 pm

mhalley wrote:
Fri May 15, 2020 11:42 am
Changing passwords annually does not actually increase your security. If it is causing problems, stop doing it.
I don't even know where to begin with this statement so I'm just going to say, it isn't true.

I believe these are true statements:
  • Changing your own passwords periodically decreases the risk of being a victim.
  • Changing your own passwords periodically does NOT decrease the likelihood that your data stored with another organization is hacked.
  • Changing your own passwords periodically decreases the damage that your hacked data can inflict.
  • A company forcing password changes does NOT decrease the likelihood that your data stored with another organization is hacked.
  • A company forcing password changes decreases the damage that your hacked data can inflict.
In other words, password changing doesn't make a set of data less likely to be compromised but it does make the compromised data less useful. To be clear, "less useful" and "useless" are totally different things. Also, password length is important.

aristotelian
Posts: 7632
Joined: Wed Jan 11, 2017 8:05 pm

Re: [Rant] Vanguard Letters

Post by aristotelian » Fri May 15, 2020 3:13 pm

The first one sounds like a routine protection. I have received similar email and paper notifications from other institutions and I am glad they do it.

The second one is plain weird. Does your dad also have an account at Vanguard? Is it possible a hacker linked him to your address and was trying to access his account? In any case, sounds like a case of Vanguard taking extra precaution and I am glad they send notice in a variety of formats when there are any changes involving passwords or identity.

retiringwhen
Posts: 1743
Joined: Sat Jul 08, 2017 10:09 am
Location: New Jersey, USA

Re: [Rant] Vanguard Letters

Post by retiringwhen » Fri May 15, 2020 3:17 pm

csmath wrote:
Fri May 15, 2020 2:47 pm
mhalley wrote:
Fri May 15, 2020 11:42 am
Changing passwords annually does not actually increase your security. If it is causing problems, stop doing it.
I don't even know where to begin with this statement so I'm just going to say, it isn't true.

I believe these are true statements:
  • Changing your own passwords periodically decreases the risk of being a victim.
  • Changing your own passwords periodically does NOT decrease the likelihood that your data stored with another organization is hacked.
  • Changing your own passwords periodically decreases the damage that your hacked data can inflict.
  • A company forcing password changes does NOT decrease the likelihood that your data stored with another organization is hacked.
  • A company forcing password changes decreases the damage that your hacked data can inflict.
In other words, password changing doesn't make a set of data less likely to be compromised but it does make the compromised data less useful. To be clear, "less useful" and "useless" are totally different things. Also, password length is important.
If you don't consider the behavioral implications of forced password changes, those assertions may be at least partially true, but numerous studies have shown that the consequential behavioral errors increase risk significantly.

It makes users more likely to use easy-to-remember or identifiable passwords (hence easier to hack/guess); re-use of passwords at many sites plus the many ways people unsafely store passwords (paper, unencrypted files, etc.) all increase risk.

The studies I have seen have shown that very long, easy-to-remember passwords like Ilikerockyroadicecream used only in one place are the safest. Length and lack of reuse are the primary improvers of safety. Password resets only address the problem of exposed passwords; they do zero to improve the risk of once-used, well-kept passwords.

Well-implemented password tools like LastPass or eWallet can also provide secure storage and aid in memory, but if they are used well, there is no need to change the password.

Since password reset is in and of itself a somewhat insecure process on many sites, sometimes involving sending temporary passwords in email, or requiring two- and three-stage steps that could be subject to man-in-the-middle attacks, the act of password reset itself can expose you to additional risk (especially for unsophisticated users).

All this is beside the point: if you have any reason to believe your password has even possibly been compromised, change it immediately!

One thing I do is use the https://haveibeenpwned.com/ site to verify the uniqueness and security of important passwords sometimes. I also subscribe to his alert service for data breaches to know which passwords to reset or suspect. I think that is more important than changing them on a schedule. Finally, never, never, never reuse the same password for different financial sites, to reduce the risk of damage if/when one password gets compromised.

There is one place where forced password resets are very useful (and most likely the genesis of the policies that enforce them today). That is shared computer environments where users regularly shared credentials (often against policy, but forced by operational reality...). Forced password changes were about the only way to weed out folks who should no longer have access. In today's world, you had better not be sharing your credentials with anyone for sensitive info, with some exceptions for spouses and parent/child relationships.
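The post above mentions using haveibeenpwned.com to check important passwords. The following is an added example, not code from this thread or from Have I Been Pwned, showing how the Pwned Passwords range lookup works under k-anonymity: the client hashes the password with SHA-1, sends only the first 5 hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines, so the password itself never leaves the machine. It also includes a small reuse check over a vault, in the spirit of the "never reuse" advice. The breach counts and the filler suffix in the sample response are constructed for the example; the live fetcher is provided but not called automatically.

```python
"""Pwned Passwords k-anonymity check plus a vault reuse check (added example)."""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

FetchRange = Callable[[str], str]

# Constructed sample data: passwords we pretend appear in breach corpora,
# with made-up occurrence counts (the real service returns its own counts).
CONSTRUCTED_LEAKED: Dict[str, int] = {"password": 3861493, "letmein": 200000}
# Constructed filler entry so the sample response also contains an unrelated
# suffix, as real responses do (hundreds of lines per prefix).
FILLER_LINE = "0000000000000000000000000000000000A:7"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 uppercase hex chars (the HIBP format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint, built from the constructed data."""
    lines = [FILLER_LINE]
    for leaked_pw, count in CONSTRUCTED_LEAKED.items():
        p, s = split_hash(leaked_pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines) + "\r\n"


def fetch_range_live(prefix: str) -> str:
    """Query the real range endpoint. Only the 5-char prefix is transmitted.
    The Add-Padding header asks the service to mix in zero-count dummy rows
    so response size does not leak how many real suffixes matched."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into a suffix -> count table."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: FetchRange = fetch_range_live) -> int:
    """Number of times the password appears in the corpus; 0 if not found.
    Padded dummy rows carry count 0, so they never produce a false positive."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def find_reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group sites in a {site: password} vault that share a password.
    Returns sorted lists of site names (passwords themselves are not returned)."""
    by_hash: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_hash.setdefault(sha1_hex_upper(pw), []).append(site)
    return sorted(sorted(sites) for sites in by_hash.values() if len(sites) > 1)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch_range)} times (sample data)")
    demo_vault = {"bank": "Ilikerockyroadicecream",
                  "broker": "Ilikerockyroadicecream",
                  "email": "a-different-long-passphrase"}
    print("reused across:", find_reused(demo_vault))
```

To check a real password, call `pwned_count(pw)` with the default live fetcher; the sample run uses `fake_fetch_range` so it works offline. Because only the hash prefix is sent, the service learns nothing more than that one of roughly a million candidate hashes is being looked up.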
