Symbols Available in Passwords at Vanguard
I'm not sure if this is new news, but like many of you I'm concerned about password strength for accessing my accounts. I recently emailed my VG representative on this, and he replied that VG now allows symbols as part of the password login:
> I have spoken with our Web Technical Support Services and they told me that you can now put symbols in your password, but not your user name. We haven't really advertised this yet because of how many people use third party vendors to access their Vanguard accounts.
I haven't tried it yet, but am now going to add some symbols!
- Steelersfan
- Posts: 4129
- Joined: Thu Jun 19, 2008 8:47 pm
With just alpha and numeric choices in ten digits, there were 3.65 quadrillion possibilities for someone to guess from. More actually since that's using exactly ten characters and there are more if you include using less than ten characters.
I don't know how many special characters you can choose from, but if there are ten additional characters, that gives 42.4 quadrillion possibilities, plus.....
I'm still OK with 3.65 quadrillion possibilities to attack, but if it makes you feel safer it's a prudent thing to do.
Right password length provides an exponential defense against brute force attacks. My primary concern is against keystroke loggers or session sniffing.
I would like to see Vanguard use a mouse keypad for part of auth to reduce keystroke loggers.
Some of the ciphers VG accepts are very weak; be sure to force your browser to only accept SSLv3 or TLS. I would like to see them only accept 128 bit and above.
www:~# sslscan vanguard.com | grep Accepted
Accepted SSLv3 256 bits ADH-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits ADH-DES-CBC3-SHA
Accepted SSLv3 56 bits ADH-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Accepted SSLv3 128 bits ADH-RC4-MD5
Accepted SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
"The hardest victory is over self" |
Aristotle
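An added example, not part of the original post: a small Python filter for the `sslscan ... | grep Accepted` output shown above. It flags rows under the 128-bit floor the poster asks for, plus export-grade (`EXP`) and anonymous Diffie-Hellman (`ADH`) suites. The sample rows are copied from that output; the function names are illustrative.

```python
import re

# One "Accepted" row of the scan output: protocol, key size, cipher name.
ROW = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)$")

# Sample rows copied from the scan output in the post above.
SAMPLE = """\
www:~# sslscan vanguard.com | grep Accepted
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 128 bits RC4-SHA
"""

def reasons_for(cipher, bits, min_bits=128):
    """Return the reasons a suite fails this deliberately narrow policy.

    Only key size and two name tokens are checked; RC4, MD5 or the
    protocol version would each need a rule of their own.
    """
    tokens = cipher.split("-")
    reasons = []
    if bits < min_bits:
        reasons.append(f"under {min_bits} bits")
    if "EXP" in tokens:
        reasons.append("export-grade")
    if "ADH" in tokens:
        reasons.append("anonymous DH, server not authenticated")
    return reasons

def audit(scan_text, min_bits=128):
    """Parse scan output; return (protocol, cipher, bits, reasons) per row."""
    rows = []
    for line in scan_text.splitlines():
        m = ROW.match(line.strip())
        if m is None:  # shell prompt line or anything that is not a row
            continue
        proto, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
        rows.append((proto, cipher, bits, reasons_for(cipher, bits, min_bits)))
    return rows

def flagged(scan_text, min_bits=128):
    """Only the failing rows, formatted as 'protocol cipher: reason; reason'."""
    return [f"{p} {c}: {'; '.join(r)}"
            for p, c, _, r in audit(scan_text, min_bits) if r]

if __name__ == "__main__":
    rows = audit(SAMPLE)
    bad = flagged(SAMPLE)
    print(f"{len(bad)} of {len(rows)} accepted suites fail the policy")
    for entry in bad:
        print("  " + entry)
```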
Is a password of 8 digits safe?
Is it hard to change a password?
Chaz
"Money is better than poverty, if only for financial reasons." Woody Allen
http://www.bogleheads.org/wiki/index.php/Main_Page
-
- Posts: 212
- Joined: Fri Apr 25, 2008 1:34 pm
- Opponent Process
- Posts: 5157
- Joined: Tue Sep 18, 2007 9:19 pm
Onscreen Keyboard?
JimHalpert wrote:
> I use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.
How do I do this? I'm running Vista if that matters.
Carl Z
-
- Posts: 212
- Joined: Fri Apr 25, 2008 1:34 pm
I don't use Vista, but here is a cut and paste from Microsoft:
Type without using the keyboard (On-Screen Keyboard)
Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.
Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.
JimHalpert wrote:
> I don't use Vista, but here is a cut and paste from Microsoft:
> Type without using the keyboard (On-Screen Keyboard)
> Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.
> Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.
Cool, I just logged into VG using this program and to log on to reply to this message. Thanks!
- blacktupelo
- Posts: 209
- Joined: Mon Feb 19, 2007 5:43 pm
- Location: St. Louis Missouri USA
Communication from a query to Vanguard about using special characters in login passwords:
"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : ' . ? , / < > " ;.
Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.
If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:
1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."
Larry
- Steelersfan
- Posts: 4129
- Joined: Thu Jun 19, 2008 8:47 pm
JimHalpert wrote:
> I don't use Vista, but here is a cut and paste from Microsoft:
> Type without using the keyboard (On-Screen Keyboard)
> Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.
> Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.
That's pretty slick and even works on my Windows XP system.
I'm not interested, but thanks for posting that for those who are concerned about key loggers.
There are programs that can defeat key loggers.
Chaz
FNK wrote:
> Public service announcement:
> Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.
Plus, you don't have to deal with a virtual keyboard in order to thwart keyloggers.
> I'm unhappy Vanguard limits passwords to 10 characters.
I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?
Darin
FNK wrote:
> Public service announcement:
> Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.
> I'm unhappy Vanguard limits passwords to 10 characters.
Why are you migrating to LastPass? Isn't KeePass OK?
Chaz
Drain wrote:
> I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?
This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.
garg33 wrote:
> Drain wrote:
> > I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?
> This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.
Good point. I don't know how common or uncommon that sort of theft is, but I agree that a stronger password is better. As someone who uses a password manager (LastPass), I'd certainly prefer the ability to use as strong a password as I want.
Darin
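An added worked example, not from any poster: the thread's figures of 3.65 and 42.4 quadrillion count every 10-character string, while the rule quoted from Vanguard (6-10 characters, at least two letters and two numbers) and the 10-character cap discussed above bound what an offline search over stolen hashes has to cover. The Python below counts the policy-conforming space exactly; case-insensitive letters and all function names are assumptions.

```python
from math import comb, log2

LETTERS = 26  # assumption: case-insensitive, matching the thread's 36**10
DIGITS = 10

def unrestricted(alphabet, length):
    """Every string of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length

def policy_count(length, letters, digits, symbols,
                 min_letters=2, min_digits=2):
    """Strings of exactly `length` characters that contain at least
    `min_letters` letters and `min_digits` digits; the rest are symbols."""
    total = 0
    for i in range(min_letters, length + 1):          # number of letters
        for j in range(min_digits, length - i + 1):   # number of digits
            k = length - i - j                        # number of symbols
            placements = comb(length, i) * comb(length - i, j)
            total += placements * letters**i * digits**j * symbols**k
    return total

def policy_total(symbols, shortest=6, longest=10):
    """All conforming passwords across the allowed lengths."""
    return sum(policy_count(n, LETTERS, DIGITS, symbols)
               for n in range(shortest, longest + 1))

def bits(count):
    """Size of a search space expressed in bits, one decimal place."""
    return round(log2(count), 1)

def report():
    """Compare the capped policy with free-form 10- and 16-character strings.

    0 symbols is the old rule, 10 is the guess made earlier in the thread,
    32 is the number of entries in the symbol list quoted from Vanguard.
    """
    rows = {}
    for label, symbols in (("no symbols", 0), ("10 symbols", 10),
                           ("32 symbols", 32)):
        alphabet = LETTERS + DIGITS + symbols
        rows[label] = {
            "policy_6_to_10": bits(policy_total(symbols)),
            "any_10_chars": bits(unrestricted(alphabet, 10)),
            "any_16_chars": bits(unrestricted(alphabet, 16)),
        }
    return rows

if __name__ == "__main__":
    for label, row in report().items():
        print(label, row)
```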
chaz wrote:
> Why are you migrating to LastPass? Isn't KeePass OK?
Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.
Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.
chaz wrote:
> FNK wrote:
> > Public service announcement:
> > Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.
> > I'm unhappy Vanguard limits passwords to 10 characters.
> Why are you migrating to LastPass? Isn't KeePass OK?
Didn't LastPass get hacked or was that some other online password service?
Okay, it looks like they MAY have been hacked:
http://techcrunch.com/2011/05/05/passwo ... ly-hacked/
Either way I'm not sure I'd save my passwords, especially banking or anything important in an online service.
greensky wrote:
> Didn't LastPass get hacked or was that some other online password service?
If you had a strong master password, it didn't matter if LP's servers were hacked. That's the appeal of the security model.
Last edited by Drain on Wed May 25, 2011 12:25 pm, edited 1 time in total.
Darin
Thanks for letting me know... I always wanted a symbol in there. Now if they just made it case sensitive we'd be getting somewhere!
BH Contests: 23 #89 of 607 | 22 #512 of 674 | 21 #66 of 636 |20 #253/664 |19 #233/645 |18 #150/493 |17 #516/647 |16 #121/610 |15 #18/552 |14 #225/503 |13 #383/433 |12 #366/410 |11 #113/369 |10 #53/282
blacktupelo wrote:
> Communication from a query to Vanguard about using special characters in login passwords:
> "We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
> ~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : ' . ? , / < > " ;.
> Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.
> If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:
> 1. Please visit www.Vanguard.com.
> 2. Click the "Go to the Personal Investors site" link.
> 3. Click the "Forgot user name or password?" link.
> 4. Follow the prompts as requested."
I don't believe this is totally accurate. Changing one's password to include special characters, etc., does not require re-registering an account. But, altering one's User Name does.
Cheers,
Ron
The fundamental things apply as time goes by -- Herman Hupfeld
FNK wrote:
> chaz wrote:
> > Why are you migrating to LastPass? Isn't KeePass OK?
> Advantages of KeePass:
> * Standalone program can paste into nearly anything, better control.
> * Not stored online, better security.
> * Scriptable logins, nicer for multi-stage logins, like Vanguard.
> Advantages of LastPass:
> * Browser-based, cross-platform, can use on my smartphone.
> * Easier one-click logins on simple sites.
> * Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.
Thanks for the pros and cons.
Chaz
-
- Posts: 27
- Joined: Mon Sep 28, 2009 8:29 pm
FNK wrote:
> chaz wrote:
> > Why are you migrating to LastPass? Isn't KeePass OK?
> Advantages of KeePass:
> * Standalone program can paste into nearly anything, better control.
> * Not stored online, better security.
> * Scriptable logins, nicer for multi-stage logins, like Vanguard.
> Advantages of LastPass:
> * Browser-based, cross-platform, can use on my smartphone.
> * Easier one-click logins on simple sites.
> * Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.
I have been a satisfied user of RoboForm for many years. They now offer an online version, but I like the "thick" version on my computer. I also have the "portable" version on a USB stick when away from home.
I am not sure how the features totally compare to the two options above, but I am totally happy with RoboForm.
RonV wrote:
> blacktupelo wrote:
> > Communication from a query to Vanguard about using special characters in login passwords:
> > "We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
> > ~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : ' . ? , / < > " ;.
> > Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.
> > If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:
> > 1. Please visit www.Vanguard.com.
> > 2. Click the "Go to the Personal Investors site" link.
> > 3. Click the "Forgot user name or password?" link.
> > 4. Follow the prompts as requested."
> I don't believe this is totally accurate. Changing one's password to include special characters, etc., does not require re-registering an account. But, altering one's User Name does.
> Cheers,
> Ron
You are correct - I just added special characters and it didn't require re-registering. Easy as pie.