How often do you change passwords on your investment accounts?

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills
Post Reply
User avatar
Topic Author
tvubpwcisla
Posts: 524
Joined: Sat Nov 09, 2019 10:09 am

How often do you change passwords on your investment accounts?

Post by tvubpwcisla »

I imported my 1099 into TurboTax and had to provide my username and password. Afterwards I changed my password and then realized I probably don't cycle through new passwords as much as I should.

:oops:

:shock:

How often do you change the passwords on your investing accounts?

Thanks!
Stay invested my friends.
User avatar
David Jay
Posts: 9424
Joined: Mon Mar 30, 2015 5:54 am
Location: Michigan

Re: How often do you change passwords on your investment accounts?

Post by David Jay »

Never.
Prediction is very difficult, especially about the future - Niels Bohr | To get the "risk premium", you really do have to take the risk - nisiprius
jebmke
Posts: 11463
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: How often do you change passwords on your investment accounts?

Post by jebmke »

Once I create a very strong PW I never change it.
When you discover that you are riding a dead horse, the best strategy is to dismount.
DiMAn0684
Posts: 162
Joined: Fri Oct 28, 2011 10:27 am

Re: How often do you change passwords on your investment accounts?

Post by DiMAn0684 »

As long as you're using unique and complex password it does not make a ton of sense to change it unless you have used it on a system which might have been somehow compromised. Also, use 2FA if available.
acegolfer
Posts: 2288
Joined: Tue Aug 25, 2009 9:40 am

Re: How often do you change passwords on your investment accounts?

Post by acegolfer »

Every year with generated passwd.
User avatar
yangtui
Posts: 502
Joined: Sun Mar 30, 2014 1:32 pm
Contact:

Re: How often do you change passwords on your investment accounts?

Post by yangtui »

I never change passwords unless something suspicious happens. Suspicious things never happen so I never change my passwords.
jhsu802701
Posts: 152
Joined: Fri Apr 03, 2020 2:42 pm

Re: How often do you change passwords on your investment accounts?

Post by jhsu802701 »

Just make sure that you use a different secure password for each of your accounts (investment and otherwise). Limiting yourself to passwords that you can easily remember, writing down your passwords on paper, and using the same password everywhere are all security no-nos.

That's why I use KeePassXC to generate, encrypt, and save passwords. It's so easy and convenient to have a different secure password for everything. KeePassXC is free, open source, and available for Linux, MacOS, and Windows. So I'm covered on any platform.
User avatar
anon_investor
Posts: 3565
Joined: Mon Jun 03, 2019 1:43 pm

Re: How often do you change passwords on your investment accounts?

Post by anon_investor »

tvubpwcisla wrote: Sat May 23, 2020 7:56 am I imported my 1099 into TurboTax and had to provide my username and password. Afterwards I changed my password and then realized I probably don't cycle through new passwords as much as I should.

:oops:

:shock:

How often do you change the passwords on your investing accounts?

Thanks!
I always manually enter numbers into turbotax. The convenience is not worth the potential security risk. The same thing when linking banks accounts to things, I always use micro deposits. Better safe than sorry.
catlady
Posts: 139
Joined: Sat Mar 26, 2016 8:31 pm

Re: How often do you change passwords on your investment accounts?

Post by catlady »

In addition to unique passwords, it’s a good idea to use different usernames for each site.
User avatar
Topic Author
tvubpwcisla
Posts: 524
Joined: Sat Nov 09, 2019 10:09 am

Re: How often do you change passwords on your investment accounts?

Post by tvubpwcisla »

anon_investor wrote: Sat May 23, 2020 10:18 am
tvubpwcisla wrote: Sat May 23, 2020 7:56 am I imported my 1099 into TurboTax and had to provide my username and password. Afterwards I changed my password and then realized I probably don't cycle through new passwords as much as I should.

:oops:

:shock:

How often do you change the passwords on your investing accounts?

Thanks!
I always manually enter numbers into turbotax. The convenience is not worth the potential security risk. The same thing when linking banks accounts to things, I always use micro deposits. Better safe than sorry.
Great point. Half the time TurboTax gets the import wrong!

:oops:
Stay invested my friends.
kabob
Posts: 113
Joined: Wed Oct 16, 2019 9:01 am
Location: Loudon, Tn

Re: How often do you change passwords on your investment accounts?

Post by kabob »

The First rule bout Security is: one doesn't talk about Security!
MikeG62
Posts: 3130
Joined: Tue Nov 15, 2016 3:20 pm
Location: New Jersey

Re: How often do you change passwords on your investment accounts?

Post by MikeG62 »

I use secure passwords (generated through LastPass). I do not change them for any of my accounts, including my investment accounts.

Not saying I shouldn't be updating them, just that I have not been.

I do have alerts set up at all financial institutions I have a relationship with. So in the very unlikely event someone were to get in, I would be notified in real time of any attempt to add external accounts or move funds out. Also, if someone were to try and log in from a computer that had not been previously authorized, in most cases the FI would ask for my challenge/security words. Feels low risk to me.
Real Knowledge Comes Only From Experience
RudyS
Posts: 1982
Joined: Tue Oct 27, 2015 10:11 am

Re: How often do you change passwords on your investment accounts?

Post by RudyS »

kabob wrote: Sat May 23, 2020 10:30 am The First rule bout Security is: one doesn't talk about Security!
I was thinking to comment, but saw this first. Sounds like good advice.
HawkeyePierce
Posts: 1494
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: How often do you change passwords on your investment accounts?

Post by HawkeyePierce »

Never, unless I'm notified of a breach.

NIST no longer recommends forced password rotations: https://pages.nist.gov/800-63-FAQ/#q-b05
RudyS wrote: Sat May 23, 2020 11:24 am
kabob wrote: Sat May 23, 2020 10:30 am The First rule bout Security is: one doesn't talk about Security!
I was thinking to comment, but saw this first. Sounds like good advice.
It's not good advice. For the average person, hiding their security practices only means they won't get feedback.
oldfort
Posts: 1766
Joined: Mon Mar 02, 2020 8:45 pm

Re: How often do you change passwords on your investment accounts?

Post by oldfort »

If you have two-factor authentication, never.
tashnewbie
Posts: 828
Joined: Thu Apr 23, 2020 12:44 pm

Re: How often do you change passwords on your investment accounts?

Post by tashnewbie »

I have a free LastPass premium account through a university, and I just started using it. I don’t plan to ever change the passwords unless they’re compromised.
Bob.Beeman
Posts: 122
Joined: Mon Dec 12, 2011 5:32 pm

Re: How often do you change passwords on your investment accounts?

Post by Bob.Beeman »

HawkeyePierce wrote: Sat May 23, 2020 11:46 am Never, unless I'm notified of a breach.

NIST no longer recommends forced password rotations: https://pages.nist.gov/800-63-FAQ/#q-b05
RudyS wrote: Sat May 23, 2020 11:24 am
kabob wrote: Sat May 23, 2020 10:30 am The First rule bout Security is: one doesn't talk about Security!
I was thinking to comment, but saw this first. Sounds like good advice.
It's not good advice. For the average person, hiding their security practices only means they won't get feedback.
Hawkeye Pierce is right, Kabob's post is, in fact, terrible, TERRIBLE, TERRIBLE!!! advice!

This is called "Security by Obscurity", or "Security through Obscurity" and it has been thoroughly discredited for over 100 years. Read the Wikipedia Security through Obscurity article, particularly the part about ciphers and keys.

This is why the algorithms used for commercial transactions and probably most classified government info as well uses ciphers that have been the winners of government sanctioned open competition.

The bad guys already know more than we do. The safest thing is don't add complexity, as each departure from standards increases risk.

-Bob.Beeman
stan1
Posts: 8951
Joined: Mon Oct 08, 2007 4:35 pm

Re: How often do you change passwords on your investment accounts?

Post by stan1 »

HawkeyePierce wrote: Sat May 23, 2020 11:46 am NIST no longer recommends forced password rotations: https://pages.nist.gov/800-63-FAQ/#q-b05
Absolutely true, but with Vanguard I never want to be in a situation where a fraud investigator says "I see you haven't changed your password in five years". Therefore I change my Vanguard password about once per year.

I do not change passwords at banks where I have credit cards offering legal protection against fraud.
sd323232
Posts: 663
Joined: Thu Jun 21, 2018 4:45 pm

Re: How often do you change passwords on your investment accounts?

Post by sd323232 »

tvubpwcisla wrote: Sat May 23, 2020 7:56 am I imported my 1099 into TurboTax and had to provide my username and password. Afterwards I changed my password and then realized I probably don't cycle through new passwords as much as I should.

:oops:

:shock:

How often do you change the passwords on your investing accounts?

Thanks!
every two years.
Mudpuppy
Posts: 6445
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: How often do you change passwords on your investment accounts?

Post by Mudpuppy »

Let's look at some common scenarios were an attacker can get a password to see when changing a password regularly might be useful.

Password file is stolen from the site: In this case, changing the password before the attacker can employ techniques to crack the password might help you mitigate the damage, but consider what other access the attacker had to the system while stealing the password file. In other words, the password file being stolen might be the least of your worries in this scenario.

Keylogger or other interception: In this case, changing passwords gets you no additional security because they'll just get the new password in the same fashion as soon as you set it. You need to address the underlying issue that led to the keylogger/interception malware getting on the system in the first place.

Victim of a phishing attack: If you realize that you fell for a phishing attack and accidentally gave away your login credentials, change the passwords immediately. If you don't know that you fell for a phishing attack, then by the time you get around to periodically changing the password, the damage has likely already been done.

Reusing the password at multiple sites: This is a horrible password habit, because if any one of the sites gets compromised, the attacker crack the password and then use it at other sites. Periodically changing your password might help mitigate this if you change the password before the attacker tries to use it, but a better solution is to use a unique password at every site, so a compromise of one site only affects that site.

Using a password pattern: This is also a pretty bad password habit, for a similar reason to reusing a password. If your pattern is obvious from the cracked password at Site A, e.g. 3Leet-SiteA!, then the attacker can make a pretty good guess at your password at a bunch of other sites. Again, a better solution is to use unique passwords at every site.

In other words, there are other security habits to employ that will get you as much, if not more, security benefits than periodically changing your password. Probably the most important one for financial sites is to enable two-factor authentication if it's available. Hopefully, it's something more secure than sending a text message with an access code, because that's a pretty horrible second-factor (it has a lot of interception vectors).
Mudpuppy
Posts: 6445
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: How often do you change passwords on your investment accounts?

Post by Mudpuppy »

jhsu802701 wrote: Sat May 23, 2020 10:11 am Just make sure that you use a different secure password for each of your accounts (investment and otherwise). Limiting yourself to passwords that you can easily remember, writing down your passwords on paper, and using the same password everywhere are all security no-nos.
FYI, it's okay to write your password down on paper as long as you secure the paper. In other words, a post-it on your work monitor or under your work keyboard is not acceptable, but a piece of paper in your fire-proof home safe is okay. Even a piece of paper in your wallet that you keep on your person is okay, because most wallet thieves are not going to do anything with a password on paper.

In my fire-proof safe, I have a paper with my master passwords listed, plus a list of back-up Google Authenticator codes, just in case something happens to me where I happen to forget that information. There's no indication of the accounts or password files that those are tied to, so I doubt any random house thief who breaks into my safe is going to try to do much with it. I could also get a safe deposit box for that paper, but that seems a little bit of overkill for my personal use scenario.
Mudpuppy
Posts: 6445
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: How often do you change passwords on your investment accounts?

Post by Mudpuppy »

RudyS wrote: Sat May 23, 2020 11:24 am
kabob wrote: Sat May 23, 2020 10:30 am The First rule bout Security is: one doesn't talk about Security!
I was thinking to comment, but saw this first. Sounds like good advice.
There's a saying from cybersecurity professionals: Security through obscurity is the same as no security at all. In other words, you should be trusting the mathematics (encryption) and experts (best practices) rather than relying on a secret ritual. That's why all good encryption algorithms are published and scrutinized for mathematical or algorithmic weaknesses. The algorithms are public, only the key (password in this case) is kept secret.
User avatar
Doom&Gloom
Posts: 3594
Joined: Thu May 08, 2014 3:36 pm

Re: How often do you change passwords on your investment accounts?

Post by Doom&Gloom »

Never--unless there is an issue that I'm aware of.
TheOscarGuy
Posts: 1100
Joined: Sat Oct 06, 2012 1:10 pm
Location: Where I wanna be.

Re: How often do you change passwords on your investment accounts?

Post by TheOscarGuy »

tvubpwcisla wrote: Sat May 23, 2020 7:56 am I imported my 1099 into TurboTax and had to provide my username and password. Afterwards I changed my password and then realized I probably don't cycle through new passwords as much as I should.

:oops:

:shock:

How often do you change the passwords on your investing accounts?

Thanks!
Quite often :=) Sometimes I forget, as tend to be fairly hands off with my investments. So after a few months I have most likely forgotten about it.
buhlaxtus
Posts: 160
Joined: Wed Apr 20, 2016 1:55 am

Re: How often do you change passwords on your investment accounts?

Post by buhlaxtus »

As infrequently as possible. If you use unique and strong passwords, there is no benefit. If you don't use unique and strong passwords, get a password manager and start.
oldfort
Posts: 1766
Joined: Mon Mar 02, 2020 8:45 pm

Re: How often do you change passwords on your investment accounts?

Post by oldfort »

Mudpuppy wrote: Sat May 23, 2020 2:56 pm That's why all good encryption algorithms are published and scrutinized for mathematical or algorithmic weaknesses. The algorithms are public, only the key (password in this case) is kept secret.
This is overstating the case. The government uses non-public algorithms for its own use.
DonIce
Posts: 1125
Joined: Thu Feb 21, 2019 6:44 pm

Re: How often do you change passwords on your investment accounts?

Post by DonIce »

Why would I change from "password123"? It's a timeless classic.
Van
Posts: 764
Joined: Wed Oct 27, 2010 9:24 am

Re: How often do you change passwords on your investment accounts?

Post by Van »

No significant money outside of Vanguard. So, with 2 factor authentication, I have not seen the need to change passwords. Am I wrong?
User avatar
BrandonBogle
Posts: 3299
Joined: Mon Jan 28, 2013 11:19 pm

Re: How often do you change passwords on your investment accounts?

Post by BrandonBogle »

Mudpuppy wrote: Sat May 23, 2020 2:52 pm In my fire-proof safe, I have a paper with my master passwords listed, plus a list of back-up Google Authenticator codes, just in case something happens to me where I happen to forget that information. There's no indication of the accounts or password files that those are tied to, so I doubt any random house thief who breaks into my safe is going to try to do much with it. I could also get a safe deposit box for that paper, but that seems a little bit of overkill for my personal use scenario.
I stopped using Google Authenticator. I was fortunate that I only had just started using it for a few things and then my phone broke. Even though I had a recent backup of my phone and restored it, Google Authenticator was blank. None of the accounts on there have I ever been able to get back into. Thankfully, they weren’t major ones, so I didn’t get too bothered by it.

I’ve since started using 1Password for rotating tokens after an update provided that. I’ve used 1Password for years and set up the rotating token for a few accounts with good success. I haven’t tried restoring to a new phone from backup yet, but I do know that all my prior 1Password logins transitioned successfully.

Anyways, your post reminds me that I should see about getting backup codes, if available, at certain places. I also have a fireproof safe that I can put it in. Two actually, but lost the key to one a few years ago and haven’t gotten around to getting it broken into.
Gadget
Posts: 385
Joined: Fri Mar 17, 2017 1:38 pm

Re: How often do you change passwords on your investment accounts?

Post by Gadget »

BrandonBogle wrote: Sat May 23, 2020 7:37 pm
Mudpuppy wrote: Sat May 23, 2020 2:52 pm In my fire-proof safe, I have a paper with my master passwords listed, plus a list of back-up Google Authenticator codes, just in case something happens to me where I happen to forget that information. There's no indication of the accounts or password files that those are tied to, so I doubt any random house thief who breaks into my safe is going to try to do much with it. I could also get a safe deposit box for that paper, but that seems a little bit of overkill for my personal use scenario.
I stopped using Google Authenticator. I was fortunate that I only had just started using it for a few things and then my phone broke. Even though I had a recent backup of my phone and restored it, Google Authenticator was blank. None of the accounts on there have I ever been able to get back into. Thankfully, they weren’t major ones, so I didn’t get too bothered by it.

I’ve since started using 1Password for rotating tokens after an update provided that. I’ve used 1Password for years and set up the rotating token for a few accounts with good success. I haven’t tried restoring to a new phone from backup yet, but I do know that all my prior 1Password logins transitioned successfully.

Anyways, your post reminds me that I should see about getting backup codes, if available, at certain places. I also have a fireproof safe that I can put it in. Two actually, but lost the key to one a few years ago and haven’t gotten around to getting it broken into.
1Password is awesome for 2 factor rotating tokens. It automatically pastes the 2 factor code in after it autofills your password. Or on mobile where it can't do that, it copies the code to the clipboard so you just have to paste it. It's hard to explain how much easier it is to have your 2 factor TOTP codes integrated with your password manager until you've tried it.

It's also nice that since it's backed up and encrypted in the cloud, losing your phone isn't an issue. You just have to be able to log into 1password somewhere.

Now if only more websites (especially financial ones) supported the TOTP standard. Most just use crummy SMS 2 factor...
BigJohn
Posts: 1895
Joined: Wed Apr 02, 2014 11:27 pm

Re: How often do you change passwords on your investment accounts?

Post by BigJohn »

anon_investor wrote: Sat May 23, 2020 10:18 am I always manually enter numbers into turbotax. The convenience is not worth the potential security risk. The same thing when linking banks accounts to things, I always use micro deposits. Better safe than sorry.
+1

I would never consider givingthe logon credentials for my large financial accounts to any other software program no matter how convenient it might be.
User avatar
FrankTheViking
Posts: 105
Joined: Wed Jan 08, 2020 3:44 pm

Re: How often do you change passwords on your investment accounts?

Post by FrankTheViking »

Plan on changing annually, including the "master" password. I use 1Password.
No EF. 80% Total U.S. / 20% Total International. 100% equity. Is there a gun to your head? Is there a tiger in the room? No? What's the problem?
TallBoy29er
Posts: 1009
Joined: Thu Jul 18, 2013 9:06 pm

Re: How often do you change passwords on your investment accounts?

Post by TallBoy29er »

Never. I use a password keeper. Lots and lots of characters. The strength of your password is much, much more important than changing it. The supposition there is, of course, that you use unique passwords for your investment accounts.
User avatar
mrspock
Posts: 1295
Joined: Tue Feb 13, 2018 2:49 am
Location: Vulcan

Re: How often do you change passwords on your investment accounts?

Post by mrspock »

Never. I have a password manager + 2 factor authentication + all passwords are randomly generated.
rkhusky
Posts: 10239
Joined: Thu Aug 18, 2011 8:09 pm

Re: How often do you change passwords on your investment accounts?

Post by rkhusky »

I keep a file with passwords and date changed. For important sites I change once a year or so - whenever I happen to notice that the date is more than a year.
DetroitRick
Posts: 847
Joined: Wed Mar 23, 2016 9:28 am
Location: SE Michigan

Re: How often do you change passwords on your investment accounts?

Post by DetroitRick »

Very rarely. I'm mostly at Schwab, and don't bother changing passwords often anymore because collectively these steps seem sufficient to me:
- Unique, secure password, never reused on other sites (and I use a password manager)
- Symantec VIP key used on every account
- Port-out passcode is set up with my mobile carrier (redundant since I'm using that key anyway)
- Account alerts are set up and active, and I check them on a very timely basis
- I only access from maintained and secure devices (computers, phones) and networks (my own or via vpn)

Plus, I know from observation that Schwab uses algorithms to detect unusual activity patterns as well. Nothing can be 100%, but I feel safe enough this way.
User avatar
Gray
Posts: 788
Joined: Sat Apr 16, 2011 5:33 am
Location: Virginia

Re: How often do you change passwords on your investment accounts?

Post by Gray »

10-year user of LastPass with 500+ accounts. I use complex passwords that are unique. I use multifactor authentication with banking, email, payment (PayPal...), and e-commerce sites (Amazon...). Once you get in the habit of using a secure password manager, you have greater peace of mind. BTW, you should always keep a flash drive with an encrypted backup of your password file in a safe. Password managers are not infallible.

Shout out to Microsoft for creating the Personal Vault in OneDrive.
https://community.windows.com/en-us/sto ... onal-vault

It’s a good step in the right direction. I’d like to see something similar from Google.
User avatar
midareff
Posts: 7144
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: How often do you change passwords on your investment accounts?

Post by midareff »

jebmke wrote: Sat May 23, 2020 8:06 am Once I create a very strong PW I never change it.
= 16 character or greater upper and lower case alpha numeric with special characters. All unique per site. No need to change as nothing else can be compromised.
User avatar
Clever_Username
Posts: 1749
Joined: Sun Jul 15, 2012 12:24 am
Location: Southern California

Re: How often do you change passwords on your investment accounts?

Post by Clever_Username »

I don't see the point in doing so. The long-term standard of 89 day changes, with upper lower special symbols and so on, isn't all that great. I think the last time I changed my password at Vanguard was when they put the better character limit. So... whenever I was last able to set CorrectHorseBatteryStaple without it being truncated.
"What was true then is true now. Have a plan. Stick to it." -- XXXX, _Layer Cake_ | | I survived my first downturn and all I got was this signature line.
User avatar
BrandonBogle
Posts: 3299
Joined: Mon Jan 28, 2013 11:19 pm

Re: How often do you change passwords on your investment accounts?

Post by BrandonBogle »

Well, it was timely to read this thread and specifically see examples of using a Google Voice text-to-email phone number for institutions like Vanguard. I set it up earlier this week and it all seemed to work well. And then this morning upon waking up, I see one of those emails at 5:13 am Eastern.

I changed my password at Vanguard just in case and checked to make sure everything there looks good. Hopefully it was just a fat-finger problem or an aggregator tripping Vanguard up.
TravelforFun
Posts: 2187
Joined: Tue Dec 04, 2012 11:05 pm

Re: How often do you change passwords on your investment accounts?

Post by TravelforFun »

tvubpwcisla wrote: Sat May 23, 2020 7:56 am How often do you change the passwords on your investing accounts?

Thanks!
Only when I'm required to.

TravelforFun
User avatar
BolderBoy
Posts: 5014
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: How often do you change passwords on your investment accounts?

Post by BolderBoy »

jhsu802701 wrote: Sat May 23, 2020 10:11 amThat's why I use KeePassXC to generate, encrypt, and save passwords. It's so easy and convenient to have a different secure password for everything. KeePassXC is free, open source, and available for Linux, MacOS, and Windows. So I'm covered on any platform.
Thanks for posting this! I'm a long-time KeePass user so today I played around with KeePassXC, which I'd never heard of, and will switch to it.

(also works with FreeBSD)
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
Grasshopper
Posts: 1060
Joined: Sat Oct 09, 2010 3:52 pm

Re: How often do you change passwords on your investment accounts?

Post by Grasshopper »

Never, Chromebook, LastPass,Yubikey for Google and Vanguard, G Authenticator where I can, 2FA to G Voice for the rest.
Post Reply