[Wiki] New page about Online Account Security

Topic Author
BanjoDonkey
Posts: 59
Joined: Wed Feb 07, 2024 8:03 pm

[Wiki] New page about Online Account Security

Post by BanjoDonkey »

Hey all,

There's been a lot of discussion on the forum recently about best practices for online account security. I have seen the same questions getting asked and answered, and so I thought it might be useful to have somewhere best practices can live permanently. Ladygeek suggested I try to write it up in the wiki, so I've put a draft together.

https://www.bogleheads.org/wiki/User:Ba ... t_security

Hopefully I've formatted this correctly. I'm not a cybersecurity expert, but I do have an interest in online security, and I've been thinking about this stuff for a while.

Please feel free to change anything or make suggestions here.

Thanks
Not a millionaire, not a doctor, not a lawyer. Early 30s.
Peculiar_Investor
Site Admin
Posts: 2614
Joined: Thu Oct 20, 2011 12:23 am
Location: Calgary, AB 🇨🇦

Re: New page about Online Account Security

Post by Peculiar_Investor »

Thanks for your efforts to create this wiki article. From my perspective I think the challenge is two-fold.

First there are many different sites and articles on the internet on the subject, with many different viewpoints. Can they be distilled into a 'best practices' in general and more importantly how does this article become Bogleheads specific?

Some examples from a quick Google:

Second, even in the various Bogleheads topics that I have read there are lots of different opinions, so how do the wiki editors make the article reflect a consensus and neutral point of view?

Unfortunately I don't know the answers to either question however my gut instinct would be to utilize external security resources for 'best practices' rather than a Bogleheads wiki article. That's my $0.02 (Canadian).
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Peculiar_Investor
Site Admin
Posts: 2614
Joined: Thu Oct 20, 2011 12:23 am
Location: Calgary, AB 🇨🇦

Re: New page about Online Account Security

Post by Peculiar_Investor »

Peculiar_Investor wrote: Mon Feb 03, 2025 8:16 am Second, even in the various Bogleheads topics that I have read there are lots of different opinions
For example, take a look through the Search found 522 matches: security matches with 'security' in the Subject to see if a) anything is missing and b) is there some sort of consensus?
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Topic Author
BanjoDonkey
Posts: 59
Joined: Wed Feb 07, 2024 8:03 pm

Re: New page about Online Account Security

Post by BanjoDonkey »

Thanks for the feedback! I want this to be helpful, and if it's too left-field, I understand. However, I think this is appropriate and useful.
Peculiar_Investor wrote: Mon Feb 03, 2025 8:16 am First there are many different sites and articles on the internet on the subject, with many different viewpoints. Can they be distilled into a 'best practices' in general and more importantly how does this article become Bogleheads specific?
In my opinion, the posts about online security do approach consensus, especially about using a physical token and the vulnerabilities of SMS 2FA.

I'll admit that this topic is on the margins of the Bogleheads approach. It doesn't have anything to do with index funds, or frugality, or tax-efficiency, etc. However, it's something that affects every Boglehead. And if account security isn't done properly, you risk losing your assets. Since risk management is a Bogleheads thing, it seems that this topic is still appropriate, even if on the margins.
Peculiar_Investor wrote: Mon Feb 03, 2025 8:16 am my gut instinct would be to utilize external security resources for 'best practices' rather than a Bogleheads wiki article.
It appears that people aren't using external security resources since they're coming to the forum and asking the same questions. I think it would be helpful to have the answers in one place, where people are actually searching for them.

Does that make sense?
Not a millionaire, not a doctor, not a lawyer. Early 30s.
LadyGeek
Site Admin
Posts: 101225
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: [Wiki] New page about Online Account Security

Post by LadyGeek »

This thread is now in the Personal Consumer Issues to give this "draft" article a wider audience.

Wiki editors have a private forum to discuss deep-dive details about editing the wiki. Occasionally, it's beneficial to include the general membership in the discussion because we'd like to have a member consensus on the new article. It also allows for different perspectives.

The draft page is here: User:BanjoDonkey/Online account security

Once the draft page has matured, we'll move it to the "live" wiki.

Comments / questions / concerns are welcome. Wiki editors are welcome to edit the page directly.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
RetiredAL
Posts: 4537
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: [Wiki] New page about Online Account Security

Post by RetiredAL »

BanjoDonkey wrote: Mon Feb 03, 2025 8:00 am Hey all,

There's been a lot of discussion on the forum recently about best practices for online account security. I have seen the same questions getting asked and answered, and so I thought it might be useful to have somewhere best practices can live permanently. Ladygeek suggested I try to write it up in the wiki, so I've put a draft together.

https://www.bogleheads.org/wiki/User:Ba ... t_security

Hopefully I've formatted this correctly. I'm not a cybersecurity expert, but I do have an interest in online security, and I've been thinking about this stuff for a while.

Please feel free to change anything or make suggestions here.

Thanks
Possible item for the Wiki -- I recently (In Jan) changed passwords at Schwab and Fidelity. I found the Fidelity change screen would only accept 20 chrs. In discussion with a Schwab Rep, I was told it could be up to 240 chrs.
LISD
Posts: 385
Joined: Sun Feb 10, 2019 7:52 pm

Re: [Wiki] New page about Online Account Security

Post by LISD »

Regarding the 16 character password recommendation,

There are a number of graphics showing how long it would take a hacker to guess a password - using upper/lower case, special characters and capitals. For a 12-digit password it would take hackers this long to guess it:

34,000 years based on Ref 1
5 million years based on Ref 2
3000 years based on Ref 3

OK, pretty poor correlation, and I don't know which is correct, or if all are correct based on different assumptions, but what I get out of this is this; 12 characters is a lot.

Why is 16 characters recommended? Is there a credible reference showing a rationale for 16? (I haven't been able to find one)

From Google AI:
"Password managers typically generate passwords that are at least 16 characters long, with many recommending 20 characters or more for optimal security. " (what is "optimal security", and if more than 20 is better, why don't they recommend 25, 45, 200 characters?)

"Some password managers, like Bitwarden, can generate passwords up to 128 characters long, though 16-20 characters are often sufficient for most users. " (if 20 characters are often sufficient, this means that 20 is sometimes insufficient)

"While the passwords generated for individual accounts can be long and complex, the master password you use to access your password manager itself should also be strong and ideally at least 12 characters long, with a mix of character types. " (why use a 12 character password to open a password manager that itself uses 16-20 characters, "or more"?)

Bitwarden website: "A strong password should be at least 14 characters long, though 16 or more is recommended for added security." (if 16 or more is recommended for added security, then how long specifically? And how much added security are you getting with 16 (or 25) over 14 - 1 in a quadrillion?)

From www.cisa.gov/secure-our-world/use-strong-passwords, "At least 16 characters—longer is stronger! "

Seems like the recommendations are all over the place, with no rationale ever given, and wording that often makes little sense.

The only good reference I've found is a reference from the FBI website to the NIST. This, below, is an interesting document but I couldn't find a specific password length recommendation. They do talk about the length is not so important due to login "rate limiting" (but we can't assume every site implements this). (see the appendix at the end of the document)

https://pages.nist.gov/800-63-4/sp800-63b.html#appA

References:
1. https://www.reddit.com/r/dataisbeautifu ... d_updated/
2. https://cloudnine.com/ediscoverydaily/e ... ty-trends/
3. https://www.alliancetech.com/crack-password/
Minty
Posts: 814
Joined: Sun Mar 24, 2013 3:19 pm
Location: NorCal

Re: [Wiki] New page about Online Account Security

Post by Minty »

This is great. I would consider discussing lockdown features, or their absence, for the largest brokerages. viewtopic.php?t=382555 I would also suggest phone number locking to prevent SIM swap attacks. https://www.bleepingcomputer.com/news/s ... g-attacks/
Core Four w/ nominal bonds & TIPS. Refi Rampage: Purchase: 3.875% 30 -> R1 3% 20 -> R2 2.375% 15 -> R3 1.99% 15 -> R4 1.875% 15
Topic Author
BanjoDonkey
Posts: 59
Joined: Wed Feb 07, 2024 8:03 pm

Re: [Wiki] New page about Online Account Security

Post by BanjoDonkey »

LISD wrote: Tue Feb 04, 2025 12:02 am Regarding the 16 character password recommendation,

There are a number of graphics showing how long it would take a hacker to guess a password - using upper/lower case, special characters and capitals. For a 12-digit password it would take hackers this long to guess it:

34,000 years based on Ref 1
5 million years based on Ref 2
3000 years based on Ref 3

OK, pretty poor correlation, and I don't know which is correct, or if all are correct based on different assumptions, but what I get out of this is this; 12 characters is a lot.

Why is 16 characters recommended? Is there a credible reference showing a rationale for 16? (I haven't been able to find one)

From Google AI:
"Password managers typically generate passwords that are at least 16 characters long, with many recommending 20 characters or more for optimal security. " (what is "optimal security", and if more than 20 is better, why don't they recommend 25, 45, 200 characters?)

"Some password managers, like Bitwarden, can generate passwords up to 128 characters long, though 16-20 characters are often sufficient for most users. " (if 20 characters are often sufficient, this means that 20 is sometimes insufficient)

"While the passwords generated for individual accounts can be long and complex, the master password you use to access your password manager itself should also be strong and ideally at least 12 characters long, with a mix of character types. " (why use a 12 character password to open a password manager that itself uses 16-20 characters, "or more"?)

Bitwarden website: "A strong password should be at least 14 characters long, though 16 or more is recommended for added security." (if 16 or more is recommended for added security, then how long specifically? And how much added security are you getting with 16 (or 25) over 14 - 1 in a quadrillion?)

From www.cisa.gov/secure-our-world/use-strong-passwords, "At least 16 characters—longer is stronger! "

Seems like the recommendations are all over the place, with no rationale ever given, and wording that often makes little sense.

The only good reference I've found is a reference from the FBI website to the NIST. This, below, is an interesting document but I couldn't find a specific password length recommendation. They do talk about the length is not so important due to login "rate limiting" (but we can't assume every site implements this). (see the appendix at the end of the document)

https://pages.nist.gov/800-63-4/sp800-63b.html#appA

References:
1. https://www.reddit.com/r/dataisbeautifu ... d_updated/
2. https://cloudnine.com/ediscoverydaily/e ... ty-trends/
3. https://www.alliancetech.com/crack-password/
As I understand it, the rationale for having longer passwords is that password length is always getting chased by computing power. As computing power increases exponentially every few years, the ability for bad actors to crack your password increases. A 6-8 character password used to be sufficient, but now it's as good as no password.

(Yes, some brute force attacks may be blunted by rate-limiting, but we shouldn't be over-reliant on that. Defenses are beaten all the time by new methods, technology, and computing power. You should always think that a clever AI is pointed at your brokerage account, because given enough time, it will be.)

The NIST linked recommends 15 characters, CISA recommends 16. The article could recommend 15-16 based on those two sources.
Not a millionaire, not a doctor, not a lawyer. Early 30s.
MGBMartin
Posts: 1400
Joined: Thu Nov 04, 2021 11:09 am

Re: [Wiki] New page about Online Account Security

Post by MGBMartin »

According to some organization called Diceware, passphrases are just as secure as passwords but are more easily remembered.
They say that 6 common words from a list of about 8000 is secure and 8 words would take 4.5 x the age of the universe to crack.
I don’t know who Diceware are or what they do but I found their article on the subject interesting.

https://diceware.rempe.us
EDIT
I should have read the wiki first as I see it does talk about passphrases.
Bad spellers of the world untie | Autocorrect is my worst enema
stan1
Posts: 16258
Joined: Mon Oct 08, 2007 4:35 pm

Re: [Wiki] New page about Online Account Security

Post by stan1 »

MGBMartin wrote: Tue Feb 04, 2025 9:35 am According to some organization called Diceware Passphrases are just as secure as Passwords but are more easily remembered.
They say that 6 common words from a list of about 8000 is secure and 8 words would take 4.5 x the age of the universe to crack.
I don’t know who DiceWare are or what they do but I found their article on the subject interesting.

https://diceware.rempe.us
Yes, it is a solid approach for a more random password that needs to be remembered (such as the password for a password manager or primary email account).

One can make further modifications if desired, such as capitalization, changing characters between words, and mis-spelling words.
increment
Posts: 2151
Joined: Tue May 15, 2018 2:20 pm

Re: [Wiki] New page about Online Account Security

Post by increment »

Looks like it talks about password quality and 2FA mainly for financial accounts, but these considerations may be very important for email accounts too (because password resets are often sent there).
SnowBog
Posts: 5503
Joined: Fri Dec 21, 2018 10:21 pm

Re: [Wiki] New page about Online Account Security

Post by SnowBog »

From a long-term perspective, it should be noted that "password" issues are hopefully a "temporary" problem (at least as we know them today). There is an industry push to get rid of passwords. https://fidoalliance.org/

On the consumer side, Google, Apple, and Microsoft offer "passwordless" options, with Microsoft giving you the ability to remove your password completely. Many of these options are "hardware" based, either built into the device itself (phone, computer) or use a physical "key" of sorts.

From the financial side, many major brokerages support similar "passwordless" options, although usually only in addition to passwords (meaning password security remains important). https://thefinancebuff.com/security-har ... guard.html

Using password generators/managers, even if built into the OS/browser especially if they themselves are secured by strong "passwordless" options, help bridge the gap where other methods aren't - hopefully temporarily - yet supported. Until then, make sure these sites/apps have two-factor authentication enabled...

As someone who has started to go down this path, it becomes much easier to recognize potential identity theft. The sites/services that are set up to work with a "passwordless" option don't ask me for passwords, and if they do that's a big red flag. Likewise, I use Microsoft's Authenticator app/Edge browser (protected by my passwordless account) to generate/store strong passwords across my devices (Microsoft, Android, and iOS), so if a website or app I frequently use asks me for a password (that isn't saved/provided by my setup), that's a big red flag.

And since every site/app (that isn't passwordless yet) has its own unique password, the "blast radius" of issues is just that site. If some website gets compromised, and the credentials leaked on the dark web, my other logins aren't impacted. (And my password manager will alert me when it's aware...)

And the side effect, other than a bit more work upfront initially, far better end user experience, more convenient, and vastly more secure.
LISD
Posts: 385
Joined: Sun Feb 10, 2019 7:52 pm

Re: [Wiki] New page about Online Account Security

Post by LISD »

stan1 wrote: Tue Feb 04, 2025 9:41 am
MGBMartin wrote: Tue Feb 04, 2025 9:35 am According to some organization called Diceware Passphrases are just as secure as Passwords but are more easily remembered.
They say that 6 common words from a list of about 8000 is secure and 8 words would take 4.5 x the age of the universe to crack.
I don’t know who DiceWare are or what they do but I found their article on the subject interesting.

https://diceware.rempe.us
Yes, it is a solid approach for a more random password that needs to be remembered (such as the password for a password manager or primary email account).

One can make further modifications if desired, such as capitalization, changing characters between words, and misspelling words.
I guess the reason words are as secure as random letters is because the hacker(s) need to guess the entire password at once, not individual letters. If they did know whether individual letters were guessed correctly, then they could more easily guess the password. For example, if they knew the 1st 7 letters were CHRISTM, common sense would be that the password is likely CHRISTMAS. But that's not how it works. I've been watching Wheel-of-Fortune too much.

But if using words, I would not use words that have any relationship to me - not my spouse's name, birthdates, my address, my sister's name, SSN, mother's maiden name, etc. These are all words/numbers that the hackers know, and use to guess passwords.

I find it hard to believe that hackers will try guessing hundreds of 1000s of passwords for an account without the host catching onto it (although it wouldn't surprise me for Credit Unions, which I find are not terribly competent). I think the routine hacks are probably easily guessed passwords, which doesn't take much trying to get right.
SnowBog
Posts: 5503
Joined: Fri Dec 21, 2018 10:21 pm

Re: [Wiki] New page about Online Account Security

Post by SnowBog »

LISD wrote: Tue Feb 04, 2025 6:51 pm
stan1 wrote: Tue Feb 04, 2025 9:41 am

Yes, it is a solid approach for a more random password that needs to be remembered (such as the password for a password manager or primary email account).

One can make further modifications if desired, such as capitalization, changing characters between words, and misspelling words.
I guess the reason words are as secure as random letters is because the hacker(s) need to guess the entire password at once, not individual letters. If they did know whether individual letters were guessed correctly, then they could more easily guess the password. For example, if they knew the 1st 7 letters were CHRISTM, common sense would be that the password is likely CHRISTMAS. But that's not how it works. I've been watching Wheel-of-Fortune too much.

But if using words, I would not use words that have any relationship to me - not my spouse's name, birthdates, my address, my sister's name, SSN, mother's maiden name, etc. These are all words/numbers that the hackers know, and use to guess passwords.

I find it hard to believe that hackers will try guessing hundreds of 1000s of passwords for an account without the host catching onto it (although it wouldn't surprise me for Credit Unions, which I find are not terribly competent). I think the routine hacks are probably easily guessed passwords, which doesn't take much trying to get right.
Most Passphrases also tend to be longer passwords... An 8-word phrase - let's say the average size of the word is 4 characters - that's a 32 character password... As previously noted, in general, longer is better for passwords...

That said, there are some downsides to this approach. Most common one will be sites that won't accept a passphrase, either because it's too long, doesn't contain special characters, they reject "words", etc. And perhaps the biggest one, while a passphrase might be easier to remember than a password, if it gives you a false sense of security that encourages you to reuse the same passphrase at multiple sites - then you just shot yourself in the foot... Invariably, you are going to have a password on some website/service/app you use compromised. If that's a password reused on a bunch of sites - the "security" of the password no longer matters... Once the password is out there - hackers no longer need to "break in" - they simply "log in" with your credentials (pulled from an unrelated site - since you reused them in multiple places).

For clarity, this last point isn't a dig at passphrases exactly... If someone used unique passphrases at different sites, they'd be in great shape! But the "advantage" of a passphrase being "easier to remember" falls apart when you are trying to remember multiple passphrases. People are lazy by nature with login details, and they can "trick" themselves into thinking "I have a really secure password/passphrase/etc." But anyone who "reuses" a password is only as secure as the weakest site they use it on - meaning they aren't very secure...
PersonalFinanceJam
Posts: 1108
Joined: Tue Aug 24, 2021 8:32 am

Re: [Wiki] New page about Online Account Security

Post by PersonalFinanceJam »

LISD wrote: Tue Feb 04, 2025 6:51 pm I find it hard to believe that hackers will try guessing hundreds of 1000s of passwords for an account without the host catching onto it (although it wouldn't surprise me for Credit Unions, which I find are not terribly competent). I think the routine hacks are probably easily guessed passwords, which doesn't take much trying to get right.
You are correct that most online sites will have some sort of rate limiting or lock out phase for incorrect password attempts. The reason for long passwords/pass phrases is not so much to prevent the online attacks but to prevent the offline attacks. The offline attack would be some hacker being able to exfiltrate the hashed passwords themselves. This would allow them to perform a brute force attack uninhibited by any rate limiting. Assuming they knew what the hash algorithm was of course.
LISD
Posts: 385
Joined: Sun Feb 10, 2019 7:52 pm

Re: [Wiki] New page about Online Account Security

Post by LISD »

PersonalFinanceJam wrote: Tue Feb 04, 2025 8:27 pm
LISD wrote: Tue Feb 04, 2025 6:51 pm I find it hard to believe that hackers will try guessing hundreds of 1000s of passwords for an account without the host catching onto it (although it wouldn't surprise me for Credit Unions, which I find are not terribly competent). I think the routine hacks are probably easily guessed passwords, which doesn't take much trying to get right.
You are correct that most online sites will have some sort of rate limiting or lock out phase for incorrect password attempts. The reason for long passwords/pass phrases is not so much to prevent the online attacks but to prevent the offline attacks. The offline attack would be some hacker being able to exfiltrate the hashed passwords themselves. This would allow them to perform a brute force attack uninhibited by any rate limiting. Assuming they knew what the hash algorithm was of course.
Thanks for your response - I had to look up some of this stuff. So you are saying that hackers gain access to hashed passwords by somehow breaking into a server - and then try to reverse engineer the actual passwords? And the process of reverse engineering passwords is more difficult the longer the passwords are? Correct?
stan1
Posts: 16258
Joined: Mon Oct 08, 2007 4:35 pm

Re: [Wiki] New page about Online Account Security

Post by stan1 »

LISD wrote: Tue Feb 04, 2025 6:51 pm I find it hard to believe that hackers will try guessing hundreds of 1000s of passwords for an account without the host catching onto it (although it wouldn't surprise me for Credit Unions, which I find are not terribly competent). I think the routine hacks are probably easily guessed passwords, which doesn't take much trying to get right.
For me it comes down to Diceware English word based passwords are easier to accurately type on a virtual keyboard than 20 or 30 characters of random characters and symbols (which I sometimes mistype).

Highest risk is reused username and password pairs. Once a clear text username/password pair is breached and captured somewhere it is easy to try it again, and if someone is using their email address as a username then it's not hard for people who have the data to put one and one together to get two. I do not reuse usernames either on high profile sites, and I don't associate my username with my email address. Why leave breadcrumbs? It is easy not to drop any. And yeah those of us who had myspace accounts back in the day when we used short simple passwords for a site like that and people have been able to work at cracking them for a long time now.
PersonalFinanceJam
Posts: 1108
Joined: Tue Aug 24, 2021 8:32 am

Re: [Wiki] New page about Online Account Security

Post by PersonalFinanceJam »

LISD wrote: Tue Feb 04, 2025 9:54 pm Thanks for your response - I had to lookup some of this stuff. So you are saying that hackers gain access to hashed passwords by somehow breaking into a server - and then try to reverse engineer the actual passwords? And the process of reverse engineering passwords is more difficult the longer the passwords are? Correct?
Yes, 100%. The process of reverse engineering the password, known as brute force, is the hacker using a program to try every possible combination of characters to come up with the password. Essentially, the program creates a combination of characters as a possible password. Runs it through the hash function used to hash the passwords and then compares the output to the stolen hashed password. Once they find a match they know what the password is. A longer password means there are more possible combinations which means it takes longer to try them. As computing power grows this time comes down meaning password length has to grow.

A hacker may also use other techniques involving lists of known/common passwords and words to help bring down this time as well. This is why it's important to use a long and unique password. A password manager generated password generally guarantees this to be true.
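
Added example, not part of any poster's message: a small calculator for the length questions raised in this thread (12 vs. 16 random characters, 6 vs. 8 Diceware words, online vs. offline guessing). The guess rates are assumed, illustrative figures, and the 94-symbol alphabet and the 7776-word Diceware list size are the inputs chosen here; the function names are this example's own.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed, illustrative guess rates (constructed for this example; they are
# not measurements and do not come from the thread or its references).
ASSUMED_RATES = {
    "online, rate-limited login": 10 / 3600,  # 10 tries per hour
    "offline, slow password hash": 1e4,       # deliberately expensive hash
    "offline, fast hash": 1e11,               # cheap hash, parallel hardware
}

PRINTABLE_ASCII = 94      # upper, lower, digits and symbols, no space
DICEWARE_WORDS = 6 ** 5   # 7776 words: five dice rolls select one word


def keyspace(symbols: int, length: int) -> int:
    """Number of equally likely secrets when each position is chosen at random."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Strength of a randomly generated secret, in bits."""
    return math.log2(keyspace(symbols, length))


def years_to_exhaust(symbols: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate (the average case is half this)."""
    return keyspace(symbols, length) / guesses_per_second / SECONDS_PER_YEAR


def equivalent_random_length(words: int) -> int:
    """Shortest random printable-ASCII password at least as strong as a
    Diceware passphrase of `words` randomly chosen words."""
    target = keyspace(DICEWARE_WORDS, words)
    length = 1
    while keyspace(PRINTABLE_ASCII, length) < target:
        length += 1
    return length


def comparison_table():
    """Rows of (label, bits, {rate label: years}) for the secrets discussed."""
    secrets = [
        ("8 random characters", PRINTABLE_ASCII, 8),
        ("12 random characters", PRINTABLE_ASCII, 12),
        ("16 random characters", PRINTABLE_ASCII, 16),
        ("6 Diceware words", DICEWARE_WORDS, 6),
        ("8 Diceware words", DICEWARE_WORDS, 8),
    ]
    rows = []
    for label, symbols, length in secrets:
        years = {
            rate_label: years_to_exhaust(symbols, length, rate)
            for rate_label, rate in ASSUMED_RATES.items()
        }
        rows.append((label, entropy_bits(symbols, length), years))
    return rows


if __name__ == "__main__":
    for label, bits, years in comparison_table():
        print(f"{label:22s} {bits:6.1f} bits")
        for rate_label, value in years.items():
            print(f"    {rate_label:30s} {value:.3g} years")
    for words in (6, 8):
        print(f"{words} Diceware words ~ {equivalent_random_length(words)} "
              "random printable characters")
```

The same 12-character password gives year counts that differ by the ratio of the assumed guess rates, which is one way published charts can disagree by orders of magnitude. These figures apply only to randomly generated secrets; a reused or human-chosen password is not covered by this arithmetic.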
GoldStar
Posts: 1328
Joined: Wed May 23, 2018 10:59 am

Re: [Wiki] New page about Online Account Security

Post by GoldStar »

Online security is important for one's financial, medical, legal, govt, etc site access but this seems an odd topic to include in a wiki dedicated to finance and investing. I know it is tangentially related but a lot of things are that could be added causing bloat to the great wiki that exists here.

Just my 2 cents.
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

I do not believe that this should be added to the wiki. It is incomplete even as a basic guide, and is missing the single most important recommendation of all-- to follow and conform to the security policies of the institution that are included in their documents describing on-line access. While that can be added now, the fact that it was missed is indicative of the problems of trying to do this.

I don't think a BH thread is an adequate vetting process. Moreover, information security is not a static thing. Adding guidelines to the wiki would require regular and timely revision. An outdated or erroneous guide is worse than no guide.
Tejfyy
Posts: 316
Joined: Mon Aug 26, 2019 9:18 pm

Re: [Wiki] New page about Online Account Security

Post by Tejfyy »

Apologies if these have already been mentioned.
  • I moved from a cloud-based password manager such as LastPass to a local one Strongbox.
  • Security begins with the surroundings of the devices we use. All of mine are portable. I think it's obvious the security risk of using mobile devices. But in my apartment where I use laptops to access accounts, there's also the risk of a break-in. It's small but nevertheless I don't save passwords for my bank accounts on those machines and always use two-factor authentication.
  • Tutamail is a German mail provider, less expensive and with less features than Proton but still security-oriented.
  • Email addresses are associated with levels of security. One address for banking, one for online services involving money transactions, etc. The addresses themselves have nothing to do with my name, e.g., tree33@. All of them live with two providers which I access on the web, i.e., using no mail client.
LadyGeek
Site Admin
Posts: 101225
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: [Wiki] New page about Online Account Security

Post by LadyGeek »

Northern Flicker wrote: Wed Feb 05, 2025 12:41 pm I do not believe that this should be added to the wiki. It is incomplete even as a basic guide, and is missing the single most important recommendation of all-- to follow and conform to the security policies of the institution that are included in their documents describing on-line access. While that can be added now, the fact that it was missed is indicative of the problems of trying to do this.

I don't think a BH thread is an adequate vetting process. Moreover, information security is not a static thing. Adding guidelines to the wiki would require regular and timely revision. An outdated or erroneous guide is worse than no guide.
You make good points. The wiki is a collaboration to arrive at a member consensus.

Disagreeing on the usefulness of a wiki article is fine. That's why we have these discussions. If anyone feels similarly, please post your opinion here.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Brewman
Posts: 207
Joined: Sat May 14, 2016 7:17 am

Re: [Wiki] New page about Online Account Security

Post by Brewman »

Just tossing these out there in the hopes they may be useful

Password Security Best Practices for 2025 | Crowe LLP

Krebs’s 3 Basic Rules for Online Safety – Krebs on Security

[Links formatted by admin LadyGeek]
Topic Author
BanjoDonkey
Posts: 59
Joined: Wed Feb 07, 2024 8:03 pm

Re: [Wiki] New page about Online Account Security

Post by BanjoDonkey »

Northern Flicker wrote: Wed Feb 05, 2025 12:41 pm I don't think a BH thread is an adequate vetting process. Moreover, information security is not a static thing. Adding guidelines to the wiki would require regular and timely revision. An outdated or erroneous guide is worse than no guide.
Maybe it's useful if we think of this page like the Tax Estimation Tools page: https://www.bogleheads.org/wiki/Tax_estimation_tools#.

Tax software is subject to change, like information security. Both topics require regular updates, and both topics are only marginally bogleheads adjacent. But both topics help users who are coming here asking questions.

So maybe we could do it this way: We put lots of caveats up front about the page only being a basic guide to answer basic questions, and then link out to lots of other resources for further reading. This way we give people with very little knowledge about this topic a good place to start, but we don't pretend it's a comprehensive or final statement on account security.

Personally, I think there's a lot of money at stake here and a lot of bad actors trying to steal it. I don't want someone's retirement to be compromised –– and I think that's more likely to happen if they have zero guidance as opposed to some basic guidance and external resources.
Not a millionaire, not a doctor, not a lawyer. Early 30s.
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

LadyGeek wrote: Wed Feb 05, 2025 6:09 pm
Northern Flicker wrote: Wed Feb 05, 2025 12:41 pm I do not believe that this should be added to the wiki. It is incomplete even as a basic guide, and is missing the single most important recommendation of all-- to follow and conform to the security policies of the institution that are included in their documents describing on-line access. While that can be added now, the fact that it was missed is indicative of the problems of trying to do this.

I don't think a BH thread is an adequate vetting process. Moreover, information security is not a static thing. Adding guidelines to the wiki would require regular and timely revision. An outdated or erroneous guide is worse than no guide.
You make good points. The wiki is a collaboration to arrive at a member consensus.

Disagreeing on the usefulness of a wiki article is fine. That's why we have these discussions. If anyone feels similarly, please post your opinion here.
Consensus or majority opinion?
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

BanjoDonkey wrote: Wed Feb 05, 2025 7:18 pm
Northern Flicker wrote: Wed Feb 05, 2025 12:41 pm I don't think a BH thread is an adequate vetting process. Moreover, information security is not a static thing. Adding guidelines to the wiki would require regular and timely revision. An outdated or erroneous guide is worse than no guide.
Maybe it's useful if we think of this page like the Tax Estimation Tools page: https://www.bogleheads.org/wiki/Tax_estimation_tools#.

Tax software is subject to change, like information security. Both topics require regular updates, and both topics are only marginally bogleheads adjacent. But both topics help users who are coming here asking questions.
The tax software page is referring users to other resources. That is not what the proposed wiki page here.
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

LISD wrote: Tue Feb 04, 2025 9:54 pm
PersonalFinanceJam wrote: Tue Feb 04, 2025 8:27 pm

You are correct that most online sites will have some sort of rate limiting or lock out phase for incorrect password attempts. The reason for long passwords/pass phrases is not so much to prevent the online attacks but to prevent the offline attacks. The offline attack would be some hacker being able to exfiltrate the hashed passwords themselves. This would allow them to perform a brute force attack uninhibited by any rate limiting. Assuming they knew what the hash algorithm was of course.
Thanks for your response - I had to look up some of this stuff. So you are saying that hackers gain access to hashed passwords by somehow breaking into a server - and then try to reverse engineer the actual passwords? And the process of reverse engineering passwords is more difficult the longer the passwords are? Correct?
Yes. If a password file breach is publicized, you want your password to be strong enough that you have time to change it before it is used to gain access. 2FA is also a protection as it also would have to fail for the account to be breached.
Topic Author
BanjoDonkey
Posts: 59
Joined: Wed Feb 07, 2024 8:03 pm

Re: [Wiki] New page about Online Account Security

Post by BanjoDonkey »

Northern Flicker wrote: Thu Feb 06, 2025 12:42 am
BanjoDonkey wrote: Wed Feb 05, 2025 7:18 pm

Maybe it's useful if we think of this page like the Tax Estimation Tools page: https://www.bogleheads.org/wiki/Tax_estimation_tools#.

Tax software is subject to change, like information security. Both topics require regular updates, and both topics are only marginally bogleheads adjacent. But both topics help users who are coming here asking questions.
The tax software page is referring users to other resources. That is not what the proposed wiki page here.
This is the change I'm proposing to address your objections (which are reasonable):
BanjoDonkey wrote: Wed Feb 05, 2025 7:18 pm We put lots of caveats up front about the page only being a basic guide to answer basic questions, and then link out to lots of other resources for further reading. This way we give people with very little knowledge about this topic a good place to start, but we don't pretend it's a comprehensive or final statement on account security.
Does that address your concerns?
Not a millionaire, not a doctor, not a lawyer. Early 30s.
GoldStar
Posts: 1328
Joined: Wed May 23, 2018 10:59 am

Re: [Wiki] New page about Online Account Security

Post by GoldStar »

Northern Flicker wrote: Thu Feb 06, 2025 12:42 am
BanjoDonkey wrote: Wed Feb 05, 2025 7:18 pm

Maybe it's useful if we think of this page like the Tax Estimation Tools page: https://www.bogleheads.org/wiki/Tax_estimation_tools#.

Tax software is subject to change, like information security. Both topics require regular updates, and both topics are only marginally bogleheads adjacent. But both topics help users who are coming here asking questions.
The tax software page is referring users to other resources. That is not what the proposed wiki page here.
Referring to other pages would be the best thing to do here (if the decision is to do a page) - there are plenty of resources from experts about online security. Why would a group of folks providing investing and financial advice have such a page of original material?
There is nothing unique to online security related to "Investing advice inspired by John Bogle"
LISD
Posts: 385
Joined: Sun Feb 10, 2019 7:52 pm

Re: [Wiki] New page about Online Account Security

Post by LISD »

I think a Wiki page is necessary to 1) explain security terminology and 2) describe generally accepted security practices. You can refer to other websites but I haven't seen any really good sites. Many websites and documents on this subject are very technical with terminology that is difficult to understand, and loooong - too long. Practically speaking, few people are going to spend hours going thru these.

I think Jack would agree, getting scammed out of a lot of money isn't a good investment.
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

BanjoDonkey wrote: Thu Feb 06, 2025 6:57 am
Northern Flicker wrote: Thu Feb 06, 2025 12:42 am
The tax software page is referring users to other resources. That is not what the proposed wiki page here.
This is the change I'm proposing to address your objections (which are reasonable):
BanjoDonkey wrote: Wed Feb 05, 2025 7:18 pm We put lots of caveats up front about the page only being a basic guide to answer basic questions, and then link out to lots of other resources for further reading. This way we give people with very little knowledge about this topic a good place to start, but we don't pretend it's a comprehensive or final statement on account security.
Does that address your concerns?
Nope. I just included a couple of example issues, not a thorough list, and you didn't even address both of those. With all due respect, I don't think such a wiki entry should be authored by someone who claims not to have cybersecurity expertise.
GoldStar
Posts: 1328
Joined: Wed May 23, 2018 10:59 am

Re: [Wiki] New page about Online Account Security

Post by GoldStar »

LISD wrote: Thu Feb 06, 2025 9:57 pm
I think Jack would agree, getting scammed out of a lot of money isn't a good investment.
I thought the proposal was for online account security.
Are we thinking about adding material about how to avoid being scammed as well? That would open up the topic greatly which is one of the points I made - where would it end?
Lots of great sites (including .gov) exist for best practices around online security. Many are not that technical.
We could start with Vanguard's page on the topic.
Topic Author
BanjoDonkey
Posts: 59
Joined: Wed Feb 07, 2024 8:03 pm

Re: [Wiki] New page about Online Account Security

Post by BanjoDonkey »

There have been some good links referenced in this thread so far.

If anyone has any additional external security resources you would recommend, please post them. I want to make sure we're sending people to the best places.
Not a millionaire, not a doctor, not a lawyer. Early 30s.
LadyGeek
Site Admin
Posts: 101225
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: [Wiki] New page about Online Account Security

Post by LadyGeek »

I'm tending to agree that a financial information site is not the best choice for providing online security information. Perhaps links to the sources that are authoritative would be a better choice.

For financial and investing concerns (that's us), I suggest linking to the financial site security info. For example:

- Account Data Security at Fidelity
- Security Center | Vanguard
- SchwabSafe | Charles Schwab
- Security Center | Protecting Your Online Security | E*TRADE
- Robinhood Account security

Separately, discussion of scams would be out of scope for this page.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
typical.investor
Posts: 5871
Joined: Mon Jun 11, 2018 3:17 am

Re: [Wiki] New page about Online Account Security

Post by typical.investor »

Northern Flicker wrote: Wed Feb 05, 2025 12:41 pm I do not believe that this should be added to the wiki. It is incomplete even as a basic guide, and is missing the single most important recommendation of all-- to follow and conform to the security policies of the institution that are included in their documents describing on-line access. While that can be added now, the fact that it was missed is indicative of the problems of trying to do this.
+100

It's strange how many are unaware of the requirements different brokers have in order to be eligible for their guarantees against fraudulent access.

While good passwords, 2FA, securing email, using security questions that aren't publicly discoverable and making sure your computer isn't infected are all good things, you could still fall victim to identity theft and a fraudulent ACATS transfer. And even if you disable ACATS at a broker who allows for that, you could still be impersonated on the phone.

People should be aware that one common requirement for eligibility to guarantees against fraudulent access is the monitoring of one's accounts and timely notification to the financial institution of fraud. And that means yes, take a look at the mail the broker sends even if it is usually unimportant because people have missed notification that assets were transferred out by assuming the mail was proxy voting news again.
Topic Author
BanjoDonkey
Posts: 59
Joined: Wed Feb 07, 2024 8:03 pm

Re: [Wiki] New page about Online Account Security

Post by BanjoDonkey »

I added links to brokerage-specific recommendations, and updated the introduction to reflect that this is not a comprehensive guide, but a basic introduction to generally accepted security practices. I also added a few recent recommendations.
LadyGeek wrote: Fri Feb 07, 2025 6:58 pm I'm tending to agree that a financial information site is not the best choice for providing online security information. Perhaps links to the sources that are authoritative would be a better choice.
This topic does seem a little out of place for the Bogleheads wiki. I just hope we don't underestimate its value. If you already know about basic online security, then this page may seem like a bloated waste of time. But if you don't know much about online security, like many retirees don't, then this is crucial information from a source they already trust.

People are coming into the forums and asking the same kinds of basic questions. They're already coming here for this information, and a wiki page is a concise way to point them in the right direction.

It seems to me that if there isn't a place to answer these basic questions, some users here may be at serious risk of fraud. Though not comprehensive, I think this page can only help people get better informed and point them to trusted resources. At the very least, it's more likely to be better than some random blog that pops up on google and is trying to sell something.

Anyways, that's my basic argument for this. I understand others may disagree and I respect that. I'm happy to keep working on this if we think it's valuable. If not, that's no problem.
Not a millionaire, not a doctor, not a lawyer. Early 30s.
Bagels
Posts: 285
Joined: Mon Apr 12, 2021 9:08 am

Re: [Wiki] New page about Online Account Security

Post by Bagels »

LISD wrote: Tue Feb 04, 2025 12:02 am (why use a 12 character password to open a password manager that itself uses 16-20 characters, "or more"?)
I use a fingerprint, but a 12-character password makes sense to me.
You don’t want to type in too many characters because the longer it is, the more likely you are to mess it up.
Once you get it open with your 12 chars, the password manager can do the heavy lifting of supplying long strings of not-human-eye-friendly characters that are hard to break.
How can you tell if someone’s a vegan | Ans: Oh, they’ll tell you | How do you know if a boglehead doesn’t care about calculating dividend yield? | Ans: Oh, they’ll tell you, even if 10 other people have
Bagels
Posts: 285
Joined: Mon Apr 12, 2021 9:08 am

Re: [Wiki] New page about Online Account Security

Post by Bagels »

BanjoDonkey wrote: Mon Feb 03, 2025 8:00 am Please feel free to change anything or make suggestions here.
I appreciate the page you’re making, BanjoDonkey.
As you mentioned, there has been a lot of discussion of online security lately, and this is a page we can point to in the future.

It doesn’t have to be the end all be all, just as the discussions on the forum and the articles we link to are not the final word either. There is no obligation for it to be perfect or complete. It’s a very good starting point.
How can you tell if someone’s a vegan | Ans: Oh, they’ll tell you | How do you know if a boglehead doesn’t care about calculating dividend yield? | Ans: Oh, they’ll tell you, even if 10 other people have
nordsteve
Posts: 1140
Joined: Sun Oct 05, 2008 9:23 am

Re: [Wiki] New page about Online Account Security

Post by nordsteve »

I generally agree with Northern Flicker about the need to keep a page like this up to date. There's a tension between brevity (which is more durable) and specificity (which is more useful in the moment).

Specific feedback:

Usernames - a pointer to the Vanguard username change FAQ at https://investor.vanguard.com/technical ... me-browser is more useful than a comment about the difficulty of changing the user name

Passwords - the NIST password recommendation as of fall 2024 no longer recommends complexity requirements and now focuses on length as the primary criterion.

The section about SMS could be shortened to just indicating that it is no longer recommended with a pointer to an authority.

Attackers aren't really penetrating financial institutions via brute force password attacks.

The password manager recommendation ignores commonly used password managers (e.g., Google, Microsoft).

The discussion of security questions needs to discuss how to store the fake answers in a secure way.

Using an authenticator for TOTP codes is arguably better for most users as it's more likely to be used in practice than a hardware key.
stan1
Posts: 16258
Joined: Mon Oct 08, 2007 4:35 pm

Re: [Wiki] New page about Online Account Security

Post by stan1 »

nordsteve wrote: Fri Feb 07, 2025 8:31 pm I generally agree with Northern Flicker about the need to keep a page like this up to date. There's a tension between brevity (which is more durable) and specificity (which is more useful in the moment).

Specific feedback:

Usernames - a pointer to the Vanguard username change FAQ at https://investor.vanguard.com/technical ... me-browser is more useful than a comment about the difficulty of changing the user name

Passwords - the NIST password recommendation as of fall 2024 no longer recommends complexity requirements and now focuses on length as the primary criterion.

The section about SMS could be shortened to just indicating that it is no longer recommended with a pointer to an authority.

Attackers aren't really penetrating financial institutions via brute force password attacks.

The password manager recommendation ignores commonly used password managers (e.g., Google, Microsoft).

The discussion of security questions needs to discuss how to store the fake answers in a secure way.

Using an authenticator for TOTP codes is arguably better for most users as it's more likely to be used in practice than a hardware key.
+100, succinctly addresses my major concerns.

Link on SMS text 2FA: Per CISA, migrate away from SMS 2FA due to SMS not being encrypted
https://www.cisa.gov/sites/default/file ... ctices.pdf
It also recommends using a password manager that alerts on weak or exposed passwords, and actually this is a recent 12/24 and pretty comprehensive set of guidance across the whole document.
Nestegg_User
Posts: 2156
Joined: Wed Aug 05, 2009 1:26 pm

Re: [Wiki] New page about Online Account Security

Post by Nestegg_User »

Bagels wrote: Fri Feb 07, 2025 8:00 pm
LISD wrote: Tue Feb 04, 2025 12:02 am (why use a 12 character password to open a password manager that itself uses 16-20 characters, "or more"?)
I use a fingerprint, but a 12-character password makes sense to me.
You don’t want to type in too many characters because the longer it is, the more likely you are to mess it up.
Once you get it open with your 12 chars, the password manager can do the heavy lifting of supplying long strings of not-human-eye-friendly characters that are hard to break.
back in the neolithic period, I used to use high-ASCII characters in my passwords, when they allowed them and had also lower limits on password sizes. As high-ASCII weren't usually included in character sets of brute force attack actors it provided a bit of extra security. Nowadays, I'm not sure how many institutions allow "non-standard" characters, but I do know the ones I use don't so as a result I use longer passwords with more unique characters for higher complexity.
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

Bagels wrote: Fri Feb 07, 2025 8:00 pm
LISD wrote: Tue Feb 04, 2025 12:02 am (why use a 12 character password to open a password manager that itself uses 16-20 characters, "or more"?)
I use a fingerprint, but a 12-character password makes sense to me.
If your encrypted password safe is read by an attacker, it will be cracked in a fairly short time if you use a 12-character key. Then all of your passwords are compromised.
Last edited by Northern Flicker on Fri Feb 07, 2025 11:40 pm, edited 1 time in total.
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

Nestegg_User wrote: Fri Feb 07, 2025 11:18 pm
Bagels wrote: Fri Feb 07, 2025 8:00 pm

I use a fingerprint, but a 12-character password makes sense to me.
You don’t want to type in too many characters because the longer it is, the more likely you are to mess it up.
Once you get it open with your 12 chars, the password manager can do the heavy lifting of supplying long strings of not-human-eye-friendly characters that are hard to break.
back in the neolithic period, I used to use high-ASCII characters in my passwords, when they allowed them and had also lower limits on password sizes. As high-ASCII weren't usually included in character sets of brute force attack actors it provided a bit of extra security.
This is security by obscurity. It is a weak form of extra security.
Last edited by Northern Flicker on Sat Feb 08, 2025 12:05 am, edited 1 time in total.
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

LadyGeek wrote: Fri Feb 07, 2025 6:58 pm I'm tending to agree that a financial information site is not the best choice for providing online security information. Perhaps links to the sources that are authoritative would be a better choice.

For financial and investing concerns (that's us), I suggest linking to the financial site security info. For example:

- Account Data Security at Fidelity
- Security Center | Vanguard
- SchwabSafe | Charles Schwab
- Security Center | Protecting Your Online Security | E*TRADE
- Robinhood Account security
This is the correct approach. Include a statement about the importance of understanding and following the policies of the institution, and then provide links to major players policies if desired.
Nestegg_User
Posts: 2156
Joined: Wed Aug 05, 2009 1:26 pm

Re: [Wiki] New page about Online Account Security

Post by Nestegg_User »

Northern Flicker wrote: Fri Feb 07, 2025 11:35 pm
Nestegg_User wrote: Fri Feb 07, 2025 11:18 pm

back in the neolithic period, I used to use high-ASCII characters in my passwords, when they allowed them and had also lower limits on password sizes. As high-ASCII weren't usually included in character sets of brute force attack actors it provided a bit of extra security.
This is security by obscurity. It is a weak form of extra security.
Perhaps by today's standards, but at that time the use of high-ASCII was far preferred than the weaker passwords that were otherwise possible. Not dissimilar than the use of unique languages (like Navajo during WW2) or having unique phoneme that might not be captured in voice to text; remember that the ability to "crack" passwords was much more limited, and computationally much harder with the older equipment, than today's systems (which, as noted, many don't accept such characters today). Even still, if I had a 240 character password which included high-ASCII, even you would have to agree that the time it would take to brute force crack it could not be done in any reasonable time except for specific foreign actors with significant resources... and I'm not a target for such.
Northern Flicker
Posts: 17495
Joined: Fri Apr 10, 2015 12:29 am

Re: [Wiki] New page about Online Account Security

Post by Northern Flicker »

Nestegg_User wrote: Fri Feb 07, 2025 11:49 pm
Northern Flicker wrote: Fri Feb 07, 2025 11:35 pm
This is security by obscurity. It is a weak form of extra security.
Perhaps by today's standards, but at that time the use of high-ASCII was far preferred than the weaker passwords that were otherwise possible.
It would be preferred due to the increase in search space size (256x for 8-character passwords), not due to hoping that attackers would never include those characters in their brute force attack.
Bagels
Posts: 285
Joined: Mon Apr 12, 2021 9:08 am

Re: [Wiki] New page about Online Account Security

Post by Bagels »

Northern Flicker wrote: Fri Feb 07, 2025 11:33 pm If your encrypted password safe is read by an attacker, it will be cracked in a fairly short time if you use a 12-character key. Then all of your passwords are compromised.
I’ve seen two different sources say that it takes “years to centuries” provided numbers, letters and special characters are used. That should be good enough to get us to the passwordless, passkey age.

The whole context of my post mentioned, though, that I use a fingerprint. My master password is much longer. Still, if Bitwarden had a maximum of 12 (unusual as that would be in 2025), I’d make use of it.

mycheckfree dot com, now defunct, only allowed a password of 8 characters. That was a little short for me.
Sometimes, there’s simply no choice, i.e. we’re at the mercy of the website we’re using. I tend to use the maximum length since Bitwarden’s taking care of the password remembering and writing.
How can you tell if someone’s a vegan | Ans: Oh, they’ll tell you | How do you know if a boglehead doesn’t care about calculating dividend yield? | Ans: Oh, they’ll tell you, even if 10 other people have
Bagels
Posts: 285
Joined: Mon Apr 12, 2021 9:08 am

Re: [Wiki] New page about Online Account Security

Post by Bagels »

Nestegg_User wrote: Fri Feb 07, 2025 11:18 pm back in the neolithic period, I used to use high-ASCII characters in my passwords, when they allowed them and had also lower limits on password sizes. As high-ASCII weren't usually included in character sets of brute force attack actors it provided a bit of extra security. Nowadays, I'm not sure how many institutions allow "non-standard" characters, but I do know the ones I use don't so as a result I use longer passwords with more unique characters for higher complexity.
I remember a suggestion on a forum that websites add the ability to use Chinese characters. The logic was that if & and ^ will strengthen your password, why not 名 and 星, with a few thousand to choose from. The response was that it all gets translated to 0s and 1s anyway, so there are diminishing returns at some point. That made me wonder how long the list of special characters should be before we hit that plateau.
How can you tell if someone’s a vegan | Ans: Oh, they’ll tell you | How do you know if a boglehead doesn’t care about calculating dividend yield? | Ans: Oh, they’ll tell you, even if 10 other people have
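Added worked example (not written by any poster in this thread) for the search-space questions raised in the posts above: how alphabet size and length each contribute to a randomly generated password's strength, and how a key-derivation cost changes offline search time. The alphabet sizes, the guess rate and the iteration count used with it are constructed assumptions, and the maths only holds for passwords chosen uniformly at random.

```python
import math

# Alphabet sizes are assumptions chosen to mirror the thread: 95 printable
# ASCII symbols, 128 vs 256 for 7-bit vs 8-bit ("high-ASCII") input, and 3000
# as a stand-in for "a few thousand" Chinese characters.
ALPHABETS = {
    "lowercase letters": 26,
    "printable ASCII": 95,
    "7-bit ASCII": 128,
    "8-bit (high ASCII)": 256,
    "few thousand CJK": 3000,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_per_char(alphabet_size):
    """Entropy contributed by one uniformly random character."""
    return math.log2(alphabet_size)


def entropy_bits(alphabet_size, length):
    """Total entropy of a uniformly random password.

    Human-chosen passwords are not uniform, so this is an upper bound
    for anything a person made up themselves.
    """
    return length * bits_per_char(alphabet_size)


def search_space_ratio(small_alphabet, large_alphabet, length):
    """How many times larger the search space gets with the bigger alphabet."""
    return (large_alphabet ** length) / (small_alphabet ** length)


def equivalent_length(alphabet_size, length, baseline=95):
    """Characters from the baseline alphabet needed to match the entropy."""
    exact = entropy_bits(alphabet_size, length) / bits_per_char(baseline)
    # Round first so floating-point noise cannot push an exact match up by one.
    return math.ceil(round(exact, 9))


def years_to_exhaust(alphabet_size, length, hashes_per_second, kdf_iterations=1):
    """Worst-case years to try every candidate in an offline search.

    hashes_per_second is an assumed attacker capability. kdf_iterations
    models key stretching: each guess costs that many hash computations,
    so the effective guess rate drops by the same factor.
    """
    guesses_per_second = hashes_per_second / kdf_iterations
    return (alphabet_size ** length) / guesses_per_second / SECONDS_PER_YEAR


def report(length=12):
    """Rows of (alphabet, bits per char, total bits, printable-ASCII equivalent)."""
    return [
        (name, round(bits_per_char(size), 2),
         round(entropy_bits(size, length), 1),
         equivalent_length(size, length))
        for name, size in ALPHABETS.items()
    ]


if __name__ == "__main__":
    for row in report():
        print("%-20s %6.2f bits/char %7.1f bits  ~%d printable-ASCII chars" % row)

    # Constructed guess rate, not a benchmark of any real hardware.
    rate = 1e10
    for iterations in (1, 600_000):
        years = years_to_exhaust(95, 12, rate, iterations)
        print("12 printable-ASCII chars, %d iteration(s): %.3g years" % (iterations, years))
```

Bits per character grow with the logarithm of the alphabet size while total bits grow linearly with length, which is why each extra character adds more than a much larger symbol set does.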
LadyGeek
Site Admin
Posts: 101225
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: [Wiki] New page about Online Account Security

Post by LadyGeek »

Based on the comments in this thread, I revised the page to put financial institutions as your first step in securing your account. The rest of the article then describes what was discussed here.

In this manner, we can refine what we want to say here - but the financial institution websites are the ones you should defer to.

See: User:BanjoDonkey/Online account security
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.