Symbols Available in Passwords at Vanguard

Topic Author
Timmay!
Posts: 15
Joined: Fri Jan 15, 2010 8:03 pm

Symbols Available in Passwords at Vanguard

Post by Timmay! »

I'm not sure if this is new news, but like many of you I'm concerned about password strength for accessing my accounts. I recently emailed my VG representative on this, and he replied that VG now allows symbols as part of the password login:
"I have spoken with our Web Technical Support Services and they told me that you can now put symbols in your password, but not your user name. We haven't really advertised this yet because of how many people use third party vendors to access their Vanguard accounts."
I haven't tried it yet, but am now going to add some symbols!
Steelersfan
Posts: 4129
Joined: Thu Jun 19, 2008 8:47 pm

Post by Steelersfan »

With just alpha and numeric choices in ten digits, there were 3.65 quadrillion possibilities for someone to guess from. More actually since that's using exactly ten characters and there are more if you include using less than ten characters.

I don't know how many special characters you can choose from, but if there are ten additional characters, that gives 42.4 quadrillion possibilities, plus.....

I'm still OK with 3.65 quadrillion possibilities to attack, but if it makes you feel safer it's a prudent thing to do.
Guest422
Posts: 522
Joined: Tue Jun 02, 2009 8:19 pm

Post by Guest422 »

Right password length provides an exponential defense against brute force attacks. My primary concern is against keystroke loggers or session sniffing.

I would like to see Vanguard use a mouse keypad for part of auth to reduce keystroke loggers.

Some of the ciphers VG accepts are very weak; be sure to force your browser to only accept SSLv3 or TLS. I would like to see them only accept 128 bit and above.

www:~# sslscan vanguard.com | grep Accepted
Accepted SSLv3 256 bits ADH-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits ADH-DES-CBC3-SHA
Accepted SSLv3 56 bits ADH-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Accepted SSLv3 128 bits ADH-RC4-MD5
Accepted SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
"The hardest victory is over self" | Aristotle
chaz
Posts: 13604
Joined: Tue Feb 27, 2007 1:44 pm

Post by chaz »

Is a password of 8 digits safe?

Is it hard to change a password?
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
JimHalpert
Posts: 212
Joined: Fri Apr 25, 2008 1:34 pm

Post by JimHalpert »

i use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.
Opponent Process
Posts: 5157
Joined: Tue Sep 18, 2007 9:19 pm

Post by Opponent Process »

chaz wrote:Is it hard to change a password?
very simple. we change our passwords every month.
30/30/20/20 | US/International/Bonds/TIPS | Average Age=37
Guest422
Posts: 522
Joined: Tue Jun 02, 2009 8:19 pm

Post by Guest422 »

JimHalpert wrote:i use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.
That's a good idea.
"The hardest victory is over self" | Aristotle
CarlZ993
Posts: 229
Joined: Tue Feb 20, 2007 2:00 pm
Location: Austin, Texas

Onscreen Keyboard?

Post by CarlZ993 »

JimHalpert wrote:i use the onscreen keyboard (under accessories) to type in my passwords; keyloggers supposedly can't capture that info.
How do I do this? I'm running Vista if that matters.
Carl Z
Drain
Posts: 1404
Joined: Mon Feb 26, 2007 12:27 pm
Location: Maryland

Post by Drain »

chaz wrote:Is a password of 8 digits safe?
Not counting keylogging and similar strategies...if the hacker gets only three attempts before the account is locked, then yes, an eight-character password is safe.
Darin
JimHalpert
Posts: 212
Joined: Fri Apr 25, 2008 1:34 pm

Post by JimHalpert »

i don't use vista, but here is a cut and paste from microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.
Carl53
Posts: 2693
Joined: Sun Mar 07, 2010 7:26 pm

Post by Carl53 »

JimHalpert wrote:i don't use vista, but here is a cut and paste from microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.
Cool, I just logged into vg using this program and to log onto reply to this message. Thanks!
blacktupelo
Posts: 209
Joined: Mon Feb 19, 2007 5:43 pm
Location: St. Louis Missouri USA

Post by blacktupelo »

Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : ' . ? , / < > " ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."
Larry
Steelersfan
Posts: 4129
Joined: Thu Jun 19, 2008 8:47 pm

Post by Steelersfan »

JimHalpert wrote:i don't use vista, but here is a cut and paste from microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.
That's pretty slick and even works on my Windows XP system.

I'm not interested, but thanks for posting that for those who are concerned about key loggers.
chaz
Posts: 13604
Joined: Tue Feb 27, 2007 1:44 pm

Post by chaz »

There are programs that can defeat key loggers.
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Post by FNK »

Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.
Drain
Posts: 1404
Joined: Mon Feb 26, 2007 12:27 pm
Location: Maryland

Post by Drain »

FNK wrote:Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.
Plus, you don't have to deal with a virtual keyboard in order to thwart keyloggers.
FNK wrote:I'm unhappy Vanguard limits passwords to 10 characters.
I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?
Darin
chaz
Posts: 13604
Joined: Tue Feb 27, 2007 1:44 pm

Post by chaz »

FNK wrote:Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.
Why are you migrating to LastPass? Isn't keepass OK?
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
garg33
Posts: 43
Joined: Sat Sep 19, 2009 12:10 pm

Post by garg33 »

Drain wrote:I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?
This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.
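Added example (not part of any post in this thread): the two cases argued above, three online tries versus unlimited offline guesses against stolen hashes, worked through in Python for the password rules Vanguard quoted earlier (6-10 characters, at least two letters and two numbers, 32 symbols). Case-insensitive letters, the raised 16-character cap and the guess rate of 1e9 per second are assumptions chosen for illustration.

```python
from math import comb, log2


def count_at_length(n, letters, digits, symbols, min_letters=2, min_digits=2):
    """Strings of length n with at least min_letters letters and min_digits digits."""
    total = 0
    for i in range(min_letters, n + 1):          # i = number of letters
        for j in range(min_digits, n - i + 1):   # j = number of digits
            k = n - i - j                        # k = number of symbols
            total += (comb(n, i) * comb(n - i, j)
                      * letters**i * digits**j * symbols**k)
    return total


def policy_keyspace(letters=26, digits=10, symbols=32, lo=6, hi=10):
    """All passwords the quoted rules allow, summed over lengths lo..hi."""
    return sum(count_at_length(n, letters, digits, symbols)
               for n in range(lo, hi + 1))


def online_hit_chance(keyspace, tries=3):
    """Chance that `tries` guesses hit a uniformly random password."""
    return tries / keyspace


def offline_days(keyspace, guesses_per_sec):
    """Days to try every candidate once the password hashes are stolen."""
    return keyspace / guesses_per_sec / 86400


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate; real rates depend on the hash used
    cases = {
        "6-10 chars, no symbols": policy_keyspace(symbols=0),
        "6-10 chars, 32 symbols": policy_keyspace(symbols=32),
        "6-16 chars, 32 symbols (hypothetical cap)": policy_keyspace(hi=16),
    }
    for name, n in cases.items():
        print(f"{name:42} {n:.3e} ({log2(n):.1f} bits)  "
              f"3 tries: {online_hit_chance(n):.1e}  "
              f"offline: {offline_days(n, RATE):,.0f} days")
```

The three-try figure only holds for a randomly chosen password; the offline figure is the time to cover the whole space, so a password drawn from a small set of common choices falls far sooner.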
Drain
Posts: 1404
Joined: Mon Feb 26, 2007 12:27 pm
Location: Maryland

Post by Drain »

garg33 wrote:
Drain wrote:I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?
This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.
Good point. I don't know how common or uncommon that sort of theft is, but I agree that a stronger password is better. As someone who uses a password manager (Lastpass), I'd certainly prefer the ability to use as strong a password as I want.
Darin
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Post by FNK »

chaz wrote:Why are you migrating to LastPass? Isn't keepass OK?
Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Post by FNK »

...
Last edited by FNK on Wed May 25, 2011 12:28 pm, edited 1 time in total.
greensky
Posts: 118
Joined: Tue Aug 05, 2008 9:55 pm

Post by greensky »

chaz wrote:
FNK wrote:Public service announcement:

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

I'm unhappy Vanguard limits passwords to 10 characters.
Why are you migrating to LastPass? Isn't keepass OK?
Didn't LastPass get hacked or was that some other online password service?

Okay, it looks like they MAY have been hacked:
http://techcrunch.com/2011/05/05/passwo ... ly-hacked/

Either way I'm not sure I'd save my passwords, especially banking or anything important in an online service.
Drain
Posts: 1404
Joined: Mon Feb 26, 2007 12:27 pm
Location: Maryland

Post by Drain »

greensky wrote:Didn't LastPass get hacked or was that some other online password service?
If you had a strong master password, it didn't matter if LP's servers were hacked. That's the appeal of the security model.
Last edited by Drain on Wed May 25, 2011 12:25 pm, edited 1 time in total.
Darin
FabLab
Posts: 1127
Joined: Mon Oct 18, 2010 12:15 pm

Post by FabLab »

Balky connection, double posting. Sorry.
Last edited by FabLab on Wed May 25, 2011 12:15 pm, edited 2 times in total.
The fundamental things apply as time goes by -- Herman Hupfeld
sperry8
Posts: 3065
Joined: Sat Mar 29, 2008 9:25 pm
Location: Miami FL

Post by sperry8 »

Thanks for letting me know... I always wanted a symbol in there. Now if they just made it case sensitive we'd be getting somewhere!
BH Contests: 23 #89 of 607 | 22 #512 of 674 | 21 #66 of 636 |20 #253/664 |19 #233/645 |18 #150/493 |17 #516/647 |16 #121/610 |15 #18/552 |14 #225/503 |13 #383/433 |12 #366/410 |11 #113/369 |10 #53/282
FabLab
Posts: 1127
Joined: Mon Oct 18, 2010 12:15 pm

Post by FabLab »

blacktupelo wrote:Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : ' . ? , / < > " ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."
I don't believe this is totally accurate. Changing one's password to include special characters, etc., does not require re-registering an account. But, altering one's User Name does.

Cheers,
Ron
The fundamental things apply as time goes by -- Herman Hupfeld
chaz
Posts: 13604
Joined: Tue Feb 27, 2007 1:44 pm

Post by chaz »

FNK wrote:
chaz wrote:Why are you migrating to LastPass? Isn't keepass OK?
Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.
Thanks for the pros and cons.
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
JustwannaRetire
Posts: 27
Joined: Mon Sep 28, 2009 8:29 pm

Post by JustwannaRetire »

FNK wrote:
chaz wrote:Why are you migrating to LastPass? Isn't keepass OK?
Advantages of KeePass:
* Standalone program can paste into nearly anything, better control.
* Not stored online, better security.
* Scriptable logins, nicer for multi-stage logins, like Vanguard.

Advantages of LastPass:
* Browser-based, cross-platform, can use on my smartphone.
* Easier one-click logins on simple sites.
* Responds to URL, not window title. Massively safer in case someone puts up a lookalike phishing site.
I have been a satisfied user of RoboForm for many years. They now offer an online version, but I like the "thick" version on my computer. I also have the "portable" version on a USB stick when away from home.

I am not sure how the features totally compare to the two options above, but I am totally happy with Roboform.
sperry8
Posts: 3065
Joined: Sat Mar 29, 2008 9:25 pm
Location: Miami FL

Post by sperry8 »

RonV wrote:
blacktupelo wrote:Communication from a query to Vanguard about using special characters in login passwords:

"We currently do offer the ability to create passwords with special characters on our website. The special characters that are allowed are:
~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : ' . ? , / < > " ;.

Your password must have 6-10 characters and include two letters and two numbers. Please do not use spaces.

If you would like to change your password to include special characters, please re-register your account for online access. The instructions are as follows:

1. Please visit www.Vanguard.com.
2. Click the "Go to the Personal Investors site" link.
3. Click the "Forgot user name or password?" link.
4. Follow the prompts as requested."
I don't believe this is totally accurate. Changing one's password to include special characters, etc., does not require re-registering an account. But, altering one's User Name does.

Cheers,
Ron
You are correct - I just added special characters and it didn't require re-registering. Easy as pie.
BH Contests: 23 #89 of 607 | 22 #512 of 674 | 21 #66 of 636 |20 #253/664 |19 #233/645 |18 #150/493 |17 #516/647 |16 #121/610 |15 #18/552 |14 #225/503 |13 #383/433 |12 #366/410 |11 #113/369 |10 #53/282