Fidelity password security policies

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Topic Author
tomforshort
Posts: 25
Joined: Mon Jan 16, 2012 12:54 pm

Fidelity password security policies

Post by tomforshort » Thu Mar 29, 2012 9:49 pm

I have had to call Fidelity several times over the past few weeks due to an ill-fated attempt to open a retirement account through my employer. That is a long and sad story (how hard is it to open an account? I already have several there), but this post is about something else.

The Fidelity password policy is odd. You cannot use special characters and you have to enter your password via the keypad when calling on the phone. The disconcerting part is that Fidelity should not be storing your plaintext password anywhere. Any reasonable authentication system will only store a hash of your password. For example, the SHA-1 hash of the word bogleheads is 9dd6e0f0739424ded4935adf720086c78f30fd2e. During login, your just-entered password is hashed and compared against the stored hash with authentication being granted in the case of a match. By storing the hash, losing the password database during a breach means that the attacker must still use a dictionary or brute-force attack to recover the plaintext password (or rather, some word/phrase with the same hash). Brute-forcing non-trivial passwords is difficult. However, if they store the password as plaintext, then a breach means they lose everything (or rather, you do).

It is possible that they use hashes, but it would seemingly require hashing every possible password consistent with the buttons you hit on the keypad. Ignoring 7 and 9 with four letters each, and assuming a 12 character case-sensitive password, there would be 7^12 or about 14 billion candidate passwords to hash and compare against your stored hash. Ha. I'm sure they don't do that. Of course, if passwords are case-insensitive, then it's only 16.8 million, which still seems unlikely. So I checked whether passwords are case-sensitive by entering mine with the wrong case. It worked - fidelity.com is not case-sensitive (neither is vanguard.com).

So, to summarize the Fidelity password policy: Passwords are case-insensitive and use only letters and numbers. They are also likely stored in plain text. In other words, they are highly insecure by design.

Rob5TCP
Posts: 3274
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Fidelity password security policies

Post by Rob5TCP » Thu Mar 29, 2012 10:13 pm

IMHO neither Vanguard nor Fidelity has great password protection. I have security questions required whenever I log in. Those have a greater number of characters than Vanguard's passwords. Each of my questions has an answer of 20 or more characters. Since they are known only to me, those are quite secure.

jpsfranks
Posts: 976
Joined: Sun Aug 26, 2007 11:45 pm

Re: Fidelity password security policies

Post by jpsfranks » Thu Mar 29, 2012 10:22 pm

tomforshort wrote:It is possible that they use hashes, but it would seemingly require hashing every possible password consistent with the buttons you hit on the keypad. Ignoring 7 and 9 with four letters each, and assuming a 12 character case-sensitive password, there would be 7^12 or about 14 billion candidate passwords to hash and compare against your stored hash. Ha. I'm sure they don't do that. Of course, if passwords are case-insensitive, then it's only 16.8 million, which still seems unlikely. So I checked whether passwords are case-sensitive by entering mine with the wrong case. It worked - fidelity.com is not case-sensitive (neither is vanguard.com).
Your conclusion here is not correct. They are storing the keypad-converted digit form of your password, either in plain text (unlikely) or as its hash (very likely). They are not storing your actual originally chosen letter password (or its hash). I just tried by entering the keypad digit form of my password on the website (my password originally contained letters) and I was able to log in. So clearly they are discarding your actual password input in favor of the keypad digit form. For example, if the password you selected was "usa206", they are either storing "872206" or the hash of "872206". You can't tell based on the fact that they support the telephone input whether they are hashing or not (and I would be extremely surprised if they were not). This scheme does reduce the number of possible passwords since the domain of characters is essentially just digits.

Topic Author
tomforshort
Posts: 25
Joined: Mon Jan 16, 2012 12:54 pm

Re: Fidelity password security policies

Post by tomforshort » Thu Mar 29, 2012 10:46 pm

jpsfranks wrote: Your conclusion here is not correct. They are storing the keypad-converted digit form of your password, either in plain text (unlikely) or as its hash (very likely). They are not storing your actual originally chosen letter password (or its hash). I just tried by entering the keypad digit form of my password on the website (which originally contained letters) and I was able to log in. So clearly they are discarding your actual password input in favor of the keypad digit form. For example, if the password you selected was "usa206", they are either storing "872206" or its hash. You can't tell based on the fact that they support the telephone input whether they are hashing or not (and I would be extremely surprised if they were not). This scheme does reduce the number of possible passwords since the domain of characters is essentially just digits.
Ah, interesting. Nice catch. Yes, that would be unfortunate if they even further reduced the keyspace to just the digits. Brute forcing even a 12 character password if it is known to be digits does not seem very difficult.

CrazyPete
Posts: 91
Joined: Thu Apr 03, 2008 12:42 am

Re: Fidelity password security policies

Post by CrazyPete » Thu Mar 29, 2012 11:48 pm

Fidelity will lock your account after a few failed login attempts, so brute-force attacks are not feasible.

harikaried
Posts: 1264
Joined: Fri Mar 09, 2012 3:47 pm

Re: Fidelity password security policies

Post by harikaried » Fri Mar 30, 2012 12:45 am

tomforshort wrote:Yes, that would be unfortunate if they even further reduced the keyspace to just the digits.
I can confirm that Fidelity accepts any combination of letters that map to the digit version of the password.

For example, if someone's password is "thecard," entering "tiebase" also logs you in.

Mudpuppy
Posts: 5888
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Fidelity password security policies

Post by Mudpuppy » Fri Mar 30, 2012 4:02 am

CrazyPete wrote:Fidelity will lock your account after a few failed login attempts, so brute-force attacks are not feasible.
Yes, but if someone were to compromise Fidelity's database and retrieve the hashed passwords, they would only have to run numerical combinations to attempt to recover the original passphrase, since the alphanumerical password is mapped to the numeric keypad of the phone. That is a serious reduction in search space, and not a good security sign from a company that will be managing a large portion of your retirement nest egg.

carolinaman
Posts: 3621
Joined: Wed Dec 28, 2011 9:56 am
Location: North Carolina

Re: Fidelity password security policies

Post by carolinaman » Fri Mar 30, 2012 7:36 am

If a Fidelity customer's account is hacked and funds are stolen, who is financially liable? Fidelity used to accept liability unless the customer was negligent. Now it appears they no longer accept that liability if I am reading this correctly. Does anyone else know what their policy is?

http://personal.fidelity.com/misc/legal ... limitation

Rob5TCP
Posts: 3274
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Fidelity password security policies

Post by Rob5TCP » Fri Mar 30, 2012 8:12 am

As large a company as they are, why don't Vanguard and Fidelity just allow longer passwords? For those that want them, upper/lower case plus characters.

Those that are OK with shorter passwords could keep them as they are.
Those of us that would like more stringent criteria would be free to do so.
Last edited by Rob5TCP on Fri Mar 30, 2012 8:15 am, edited 1 time in total.

Scotttheking
Posts: 230
Joined: Wed Apr 09, 2008 7:58 pm

Re: Fidelity password security policies

Post by Scotttheking » Fri Mar 30, 2012 8:15 am

I called Fidelity to ask about this. It is supposedly escalated to their security and upper management teams now.
The person pointed me to this page for what happens if someone breaches the account: http://personal.fidelity.com/accounts/s ... ntee.shtml

awval999
Posts: 1094
Joined: Fri Apr 08, 2011 10:17 pm

Re: Fidelity password security policies

Post by awval999 » Fri Mar 30, 2012 9:00 am

Yay fidelity:

The Fidelity Customer Protection Guarantee

We value your business and the trust you have placed in Fidelity. We take security very seriously and use a variety of measures to protect your personal information and accounts. As part of our ongoing commitment to our customers, we're proud to offer our Customer Protection Guarantee: We will reimburse your Fidelity account for any losses due to unauthorized activity.

Our Customer Protection Guarantee is designed to provide you with peace of mind when doing business with Fidelity. It covers all assets in Fidelity Brokerage accounts, Fidelity Mutual Fund accounts, Fidelity Individual Retirement Accounts (IRAs), and individual workplace retirement plan accounts under a 401(k), profit sharing, 403(b) or 457 plan for which Fidelity is the record-keeper.

mptfan
Posts: 5169
Joined: Mon Mar 05, 2007 9:58 am

Re: Fidelity password security policies

Post by mptfan » Fri Mar 30, 2012 9:08 am

Rob5TCP wrote:As large a company as they are, why don't Vanguard and Fidelity just allow longer passwords? For those that want them, upper/lower case plus characters.

Those that are OK with shorter passwords could keep them as they are.
Those of us that would like more stringent criteria would be free to do so.
I am not an expert in this area, but I will take a guess at the answer. I think it has to do with keeping their costs down: it is more likely that someone will forget a longer and more complex password, which means it is more likely they will contact Fidelity and engage their customer service and go through the protocol of proving who they are in order to reset the password. Less contact with customer service equals less overhead equals more profit.

There is an inherent tradeoff in account security issues between complexity and security versus convenience and low cost.

boglebill
Posts: 157
Joined: Sun May 17, 2009 1:08 pm

Re: Fidelity password security policies

Post by boglebill » Fri Mar 30, 2012 9:35 am

Not having worked for Fidelity or seen the code, I can't say for certain. But I do have (blind) faith that they aren't storing plain text data like that.

As a technologist, my guess is that there are TWO hashes.
1) Direct match - Very sensitive.
2) Phone match - Arguably more loose.

Since you typed the password in their site at some point, it's plausible that they processed it as 2 hashes - and saved them both.

Otherwise, you're right, they would have to store plain text or do some type of brute force calculation each time - and neither is acceptable.

Scotttheking
Posts: 230
Joined: Wed Apr 09, 2008 7:58 pm

Re: Fidelity password security policies

Post by Scotttheking » Fri Mar 30, 2012 10:37 am

boglebill wrote:Not having worked for Fidelity or seen the code, I can't say for certain. But I do have (blind) faith that they aren't storing plain text data like that.

As a technologist, my guess is that there are TWO hashes.
1) Direct match - Very sensitive.
2) Phone match - Arguably more loose.

Since you typed the password in their site at some point, it's plausible that they processed it as 2 hashes - and saved them both.

Otherwise, you're right, they would have to store plain text or do some type of brute force calculation each time - and neither is acceptable.
Or option 3) Only store the number hash, and convert the password you type in on the website to the number version, then hash that to compare.

It seems they only store the number hash as you can log on to the website using the phone pad numbers as your password.
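To make the storage schemes the thread is arguing about concrete, here is an added Python example. It is not Fidelity's code (nobody in the thread has seen that) and it is not code from any poster; it models the keypad mapping jpsfranks describes ("usa206" to "872206"), the digit-only hash of Scotttheking's option 3, boglebill's two-hash variant, and the keyspace arithmetic from the opening post. The keypad table, the PBKDF2 parameters and the fixed demo salt are assumptions made for the example.

```python
import hashlib
import hmac

# Standard telephone keypad letter groups (ITU E.161 / North American phones).
# Assumption for the example: the mapping the phone system uses is this standard one.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def to_keypad_digits(password: str) -> str:
    """Collapse a password to the digits a caller would key in.

    Letters map to their key regardless of case, digits pass through and
    anything else becomes '*'. Many distinct passwords collapse to the same
    digit string, which is the reduction in keyspace the thread is about.
    """
    out = []
    for ch in password.lower():
        if ch.isdigit():
            out.append(ch)
        else:
            out.append(LETTER_TO_DIGIT.get(ch, "*"))
    return "".join(out)


def _kdf(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever hash the real system uses;
    # the iteration count is an arbitrary but deterministic choice for the demo.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


# --- Option 3: only the digit form is hashed (what the 2012 web tests suggested)

def enroll_digit_only(password: str, salt: bytes) -> dict:
    return {"scheme": "digit-only", "phone": _kdf(to_keypad_digits(password), salt)}


def verify_digit_only(candidate: str, salt: bytes, record: dict) -> bool:
    """Web and phone logins both collapse to digits first, so any password
    with the same keypad spelling is accepted ('thecard' vs 'tiebase')."""
    return hmac.compare_digest(_kdf(to_keypad_digits(candidate), salt), record["phone"])


# --- Two-hash variant: exact hash for the web form, digit hash for the phone

def enroll_two_hash(password: str, salt: bytes) -> dict:
    # Domain-separate the two derivations so the stored values differ even
    # when the chosen password is already all digits.
    return {
        "scheme": "two-hash",
        "web": _kdf(password, salt + b"web"),
        "phone": _kdf(to_keypad_digits(password), salt + b"phone"),
    }


def verify_web(candidate: str, salt: bytes, record: dict) -> bool:
    """Exact, case-sensitive comparison; a keypad-equivalent password fails."""
    return hmac.compare_digest(_kdf(candidate, salt + b"web"), record["web"])


def verify_phone(keyed_digits: str, salt: bytes, record: dict) -> bool:
    """All the phone system can check is the digit string the caller keyed in."""
    return hmac.compare_digest(_kdf(keyed_digits, salt + b"phone"), record["phone"])


def keyspace(length: int, alphabet_size: int) -> int:
    """Upper bound on candidates an offline attacker must try for one hash."""
    return alphabet_size ** length


if __name__ == "__main__":
    salt = b"constructed-salt-for-demo"  # a real system uses a random salt per user
    rec = enroll_digit_only("thecard", salt)
    print(to_keypad_digits("usa206"), verify_digit_only("tiebase", salt, rec))  # 872206 True
    rec2 = enroll_two_hash("thecard", salt)
    print(verify_web("tiebase", salt, rec2), verify_phone("8432273", salt, rec2))  # False True
    print(keyspace(12, 62) // keyspace(12, 10))  # ratio of case-sensitive alphanumeric to digits-only
```

The two-hash variant fixes the web login but not the offline picture: both hashes derive from the same password, so whoever obtains the record attacks the phone hash, and the digit keyspace (10^12 for a 12-character password) remains the floor on the work factor for either scheme.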

boglebill
Posts: 157
Joined: Sun May 17, 2009 1:08 pm

Re: Fidelity password security policies

Post by boglebill » Fri Mar 30, 2012 10:43 am

Scotttheking wrote:Or option 3) Only store the number hash, and convert the password you type in on the website to the number version, then hash that to compare.
It seems they only store the number hash as you can log on to the website using the phone pad numbers as your password.
Hadn't thought about that, but also plausible (and testable). That would score as the second worst way to do it! :)

jaytheman
Posts: 77
Joined: Tue Feb 07, 2012 7:29 pm

Re: Fidelity password security policies

Post by jaytheman » Fri Mar 30, 2012 10:56 am

I have given up on Fidelity when it comes to security. I have to think that it is not a priority. My raging battle is over sending emails with url links in them. It's too bad because I have found the rest of their support to be very good.

boglebill
Posts: 157
Joined: Sun May 17, 2009 1:08 pm

Re: Fidelity password security policies

Post by boglebill » Fri Mar 30, 2012 11:02 am

I never click financial institution email links. I type the site by hand.

In rare cases I have quadruple checked a link before copying and pasting it myself.

Scotttheking
Posts: 230
Joined: Wed Apr 09, 2008 7:58 pm

Re: Fidelity password security policies

Post by Scotttheking » Fri Mar 30, 2012 1:42 pm

Fidelity called me back.
"There are security methods behind the scenes, and we are comfortable with how we have it set up." That's the short version.

For the non-technical people, hopefully this analogy helps: They have a file which has the passwords stored in a way where it cannot directly be read, but they have made the passwords simpler, and thus easier to figure out. They are assuming that their protections will prevent someone from getting the file.
Security designs are best done assuming the file will be gotten at some point, and making it as hard as possible to figure out the passwords.

jpsfranks
Posts: 976
Joined: Sun Aug 26, 2007 11:45 pm

Re: Fidelity password security policies

Post by jpsfranks » Fri Mar 30, 2012 2:33 pm

Scotttheking wrote:Fidelity called me back.
"There are security methods behind the scenes, and we are comfortable with how we have it set up." That's the short version.

For the non-technical people, hopefully this analogy helps: They have a file which has the passwords stored in a way where it cannot directly be read, but they have made the passwords simpler, and thus easier to figure out. They are assuming that their protections will prevent someone from getting the file.
Security designs are best done assuming the file will be gotten at some point, and making it as hard as possible to figure out the passwords.
Perhaps not the most satisfying of responses. But I will say this for Fidelity: if you had made a similar call to Vanguard they never would have even called you back (despite promising to).

blackstone
Posts: 33
Joined: Sun Jan 30, 2011 8:15 pm

Re: Fidelity password security policies

Post by blackstone » Fri Mar 30, 2012 3:08 pm

Fidelity used to have ATMs (at least not any more in the branches I have visited) that only had the standard numeric keypads. Perhaps this and touchtone login is the reason for having such a policy. IIRC Vanguard had an 8-character password limit along with no distinction between caps & small letters until recently, which is not that great either. Any letters you typed after the 8th one were silently ignored!

carolinaman
Posts: 3621
Joined: Wed Dec 28, 2011 9:56 am
Location: North Carolina

Re: Fidelity password security policies

Post by carolinaman » Fri Mar 30, 2012 3:26 pm

Scotttheking wrote:I called Fidelity to ask about this. It is supposedly escalated to their security and upper management teams now.
The person pointed me to this page for what happens if someone breaches the account: http://personal.fidelity.com/accounts/s ... ntee.shtml
Thanks for checking on this. This is what I understood it was. Glad to hear it has not changed. Not all financial firms make this commitment which leaves the customer very vulnerable in our hacker-crazy world.

Topic Author
tomforshort
Posts: 25
Joined: Mon Jan 16, 2012 12:54 pm

Re: Fidelity password security policies

Post by tomforshort » Fri Mar 30, 2012 9:04 pm

Scotttheking wrote:Fidelity called me back.
"There are security methods behind the scenes, and we are comfortable with how we have it set up." That's the short version.

For the non-technical people, hopefully this analogy helps: They have a file which has the passwords stored in a way where it cannot directly be read, but they have made the passwords simpler, and thus easier to figure out. They are assuming that their protections will prevent someone from getting the file.
Security designs are best done assuming the file will be gotten at some point, and making it as hard as possible to figure out the passwords.
I am impressed they called you back, but what a strange answer. This is effectively no different than saying that they store the passwords as plaintext, but don't worry, because that file is super-duper safe. Even if they do store hashes rather than plaintext (although using their logic there is no need - the file is super-duper safe, after all), the search space is small enough to make a brute-force attack pretty simple provided that someone gets access to the hashed passwords and salts. There are only one trillion numeric sequences for their longest passwords. That may sound like a large number, but a $500 GPU could brute-force it in minutes.

To put into context the extent to which they reduced the key space, a 12 character alphanumeric case-sensitive password (still no special characters) would take over 3 billion times as long to brute force as their current scheme. Oh well. Hopefully that file really is super-duper safe.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Fidelity password security policies

Post by Epsilon Delta » Sat Mar 31, 2012 10:31 am

tomforshort wrote: Oh well. Hopefully that [password hash] file really is super-duper safe.
If somebody has access to this file then they are inside Fidelity's systems. If the password file is disclosed the hashed passwords are not the only thing, or indeed the most critical thing, to worry about.

It's not that protecting customer passwords is unimportant, but there are many other things that are at least as important. Increasing security requires finding and strengthening the weakest links.

Alskar
Posts: 643
Joined: Wed Jan 06, 2010 10:52 pm
Location: Oregon

Re: Fidelity password security policies

Post by Alskar » Mon Dec 31, 2012 6:38 pm

One of my New Year's resolutions for 2013 is to improve my cyber-security. I chose LastPass to manage my passwords. I'm aware of the risks, but feel that the risks of using short passwords and reusing passwords is greater than the risk of having my password vault hacked. I did implement two-factor authentication on my password vault using a Yubi-Key. I now have 122 unique passwords in my vault. That's about 2x more than I expected!

Getting back on topic: Here's a response I got from Fidelity when I emailed them about my concerns with regard to their short passwords. I asked about the ability to disable the ability to reset the password online:
----------------------------------Quote
Our systems are not amenable to disabling for a particular customer just the Username and Password resetting features in Fidelity.com. If you were to decide to request of us that we block your access entirely from any online access to your Fidelity account, we can accommodate that request for as long as you wish. You would then be limited to doing business with us in person or by telephone.

Here is something that may be of interest to you:

Fidelity is at this point testing a digital security device generically known as a "security token" or "key fob" to fulfill the FFIEC proposal for 2 factor authentication:

1. Something you know, such as a Password.

2. Something you have, such as a security token device.

I do not have a timeframe for the general initiation of these new login security measures. We are looking into the variety of systems that are available to us and will soon be making a decision.

If you are interested in learning more about the "security token" device we are testing, you may contact your Premium Services team about the possibility of being included in the beta testing group. Premium is available at 800 544-4442 from Monday - Friday, 8:00 a.m. - 11:00 p.m. Eastern time. Outside these hours, your call will be answered by our National Service Representatives who are always available 24 hours a day, 7 days a week.

I appreciate your interest in Web site security. We at Fidelity work continuously to safeguard customer accounts employing effective technology and security methods. Our very existence depends on the safety and security of doing business online. Our current login protocols are consistent with standards and practices relative to the brokerage and mutual fund industries at large. We will stand by our record for protecting our customers against fraud and unauthorized access.

Currently two log in items must be entered correctly into the log in box for access to be successful. Either one of these items, the "Username" or the "Password" may be changed at any time at your discretion by clicking the "Login" button in the upper right corner of Fidelity.com. There are utilities in there for changing both should you have any reason to suspect that someone might have gained knowledge of one or other.

We instituted the "Customer ID" so that our customers would not need to use their Social Security Numbers any more for logging into Fidelity.com. We have redesigned the Password/PIN requiring it to be at least 6 characters in length. The Password/PIN can be any combination of letters or numbers, or a mixture of letters and numbers.

I have forwarded your message to senior management for consideration. While management cannot personally respond to every comment, please be assured we use your feedback to guide improvements to the services and features that we offer. There is a discussion of online security in Fidelity.com at this address:

Fidelity.com/security.

There you will also find some helpful services that we make available either at no cost or at a discount to our customers to enhance online security.
----------------------------------End Quote
I called and asked to be put on the list of beta testers for the Fidelity "security token" which I assume to be an RSA token or a Yubi-Key-type device. I will post again when I find out more details.

In any case, it seems that Fidelity is taking steps to improve their cyber security. I am less sure that Vanguard, with their 10 character limit on passwords, is taking security seriously. I fear it is only a matter of time before one of the big brokerage firms is hacked. I am reminded of how Heartland got hacked a few years back and millions of CC numbers were exposed. I hope Vanguard isn't as complacent as they appear to be.

Since I am now using unique passwords, the damage should *hopefully* be limited to just the one account that was hacked. Happy New Year!
Lagom är bäst

ataloss
Posts: 888
Joined: Tue Feb 20, 2007 3:24 pm

Re: Fidelity password security policies

Post by ataloss » Tue Jan 01, 2013 4:19 pm

I have the etrade security token (RSA). I liked the idea, but RSA was hacked. I think Google's text based 2 factor is better.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Fidelity password security policies

Post by Epsilon Delta » Tue Jan 01, 2013 7:50 pm

johnep wrote:
Scotttheking wrote:I called Fidelity to ask about this. It is supposedly escalated to their security and upper management teams now.
The person pointed me to this page for what happens if someone breaches the account: http://personal.fidelity.com/accounts/s ... ntee.shtml
Thanks for checking on this. This is what I understood it was. Glad to hear it has not changed. Not all financial firms make this commitment which leaves the customer very vulnerable in our hacker-crazy world.
You should also remember that the firm's policy is not the last word. Some types of liability are imposed on them by law and they can't get out of it by adding contractual terms.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Fidelity password security policies

Post by Epsilon Delta » Tue Jan 01, 2013 8:00 pm

ataloss wrote:I have the etrade security token (RSA). I liked the idea, but RSA was hacked. I think Google's text based 2 factor is better.
SMS and cell phone systems were not designed with security in mind. Pretty much the only thing the designers were worried about is preventing people from making a significant number of communications without paying. Any two factor system that tries to piggyback on the cell system is doomed to failure.

tfb
Posts: 8054
Joined: Mon Feb 19, 2007 5:46 pm

Re: Fidelity password security policies

Post by tfb » Tue Jan 01, 2013 8:22 pm

Alskar wrote:I called and asked to be put on the list of beta testers for the Fidelity "security token" which I assume to be an RSA token or a Yubi-Key-type device.
Thank you for sharing the info. I will call them tomorrow.
Harry Sit, taking a break from the forums.

MAI
Posts: 17
Joined: Sun Jul 20, 2014 8:31 am

Re: Fidelity password security policies

Post by MAI » Sat Oct 08, 2016 8:47 am

Sorry for the late reply. I just tried logging into the Fidelity website using the phone (numeric) version of my password and it does NOT work (not any more, anyway), so Fidelity must be either storing two separate hashes for the web and phone versions of the password, or (God forbid) storing the web password in plaintext. I use a strong random username to shore up the security. BTW, the web password is currently case-sensitive.

The big security issue that was not discussed above involves entering a password over the phone, which is not a secure channel, unlike an encrypted web connection. Anyone who can record the call has your phone password. Given that, and the fact that the web password is limited to 20 characters, and each digit is mapped to by only a handful of characters, brute-forcing the web password would be relatively easy, although hopefully Fidelity locks the account after several failed login attempts.

harikaried
Posts: 1264
Joined: Fri Mar 09, 2012 3:47 pm

Re: Fidelity password security policies

Post by harikaried » Sat Oct 08, 2016 10:20 am

I just tried right now and I was able to log in with the phone-numeric version of my username and phone-numeric version of my password. Do you have 2-factor enabled?

The website login is also case insensitive for me as well as the app login.

MAI
Posts: 17
Joined: Sun Jul 20, 2014 8:31 am

Re: Fidelity password security policies

Post by MAI » Sat Oct 08, 2016 10:43 am

Originally I used the web username and phone password to try logging in on the website. I tried again with the phone username and password and it still doesn't work. I do NOT have 2-factor enabled. In case it matters, the URL I use to log in on is https://login.fidelity.com/ftgw/Fas/Fid ... Login/Init . I also tried typing in fidelity.com and logging in from that instead of my bookmark with the same result, my phone password does not work. I'm quite sure I'm entering it correctly since it's stored in my password manager and I've compared it to the web password.

MAI
Posts: 17
Joined: Sun Jul 20, 2014 8:31 am

Re: Fidelity password security policies

Post by MAI » Sat Oct 08, 2016 10:52 am

I'm wondering if there was a policy change after which they started generating two separate hashes for web and phone logins, and you set your username and password before that happened, so for you they're using a single hash. You could try temporarily changing username and/or password (the website allows changing either) so they have to generate new hashes and see if that fixes it.

Edit: Actually, they probably store the username in plaintext and hash the password (hopefully) so changing the username probably wouldn't be useful. I like to use a strong random username, though, to increase security (and of course use strong random answers for the "security" questions as well).

Edit: Logging into the website with the phone version of my username, and the web version of the password, DOES work, though. So that suggests that they use the numeric value of the username for both web and phone logins (but not for the password, unless as I'm guessing you set your password a long time ago and they only have one hash stored for you).
Last edited by MAI on Sat Oct 08, 2016 11:14 am, edited 2 times in total.

oldcomputerguy
Moderator
Posts: 4418
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods in East Tennessee

Re: Fidelity password security policies

Post by oldcomputerguy » Sat Oct 08, 2016 10:56 am

tomforshort wrote: The Fidelity password policy is odd. You cannot use special characters and you have to enter your password via the keypad when calling on the phone.
I'm a bit confused. Where does it say you can't use a special character? I use special characters in my Fidelity password.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

stlutz
Posts: 5052
Joined: Fri Jan 02, 2009 1:08 am

Re: Fidelity password security policies

Post by stlutz » Sat Oct 08, 2016 10:58 am

Folks--look at the dates on the original thread--we're talking about things that have long since changed.

Mudpuppy
Posts: 5888
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Fidelity password security policies

Post by Mudpuppy » Sat Oct 08, 2016 12:32 pm

MAI wrote:Sorry for the late reply. I just tried logging into the Fidelity website using the phone (numeric) version of my password and it does NOT work (not any more, anyway), so Fidelity must be either storing two separate hashes for the web and phone versions of the password, or (God forbid) storing the web password in plaintext. I use a strong random username to shore up the security. BTW, the web password is currently case-sensitive.

The big security issue that was not discussed above involves entering a password over the phone, which is not a secure channel, unlike an encrypted web connection. Anyone who can record the call has your phone password. Given that, and the fact that the web password is limited to 20 characters, and each digit is mapped to by only a handful of characters, brute-forcing the web password would be relatively easy, although hopefully Fidelity locks the account after several failed login attempts.
Considering that this thread was started 4 years ago and last had a reply well over 3.5 years ago, it is not surprising that Fidelity has changed the way it operates in the interim time period. Nor is it surprising that some people experience different behavior (perhaps the new policy is only triggered if one resets one's password). It's also not surprising that mobile banking was not much discussed back then, since it was not nearly as strongly pushed by the financial industry 4 years ago.

telemark
Posts: 2436
Joined: Sat Aug 11, 2012 6:35 am

Re: Fidelity password security policies

Post by telemark » Sat Oct 08, 2016 12:48 pm

As a purely technical point, if the system is properly done you shouldn't need to change your password to switch to the current hashing scheme. All you need to do is log in successfully. At that point the system has your plaintext password in memory and the knowledge that it's correct, so it can calculate a new hash using the new method and update the database accordingly. Of course there's no guarantee that anything is properly done.

TRUE CONFESSIONS: I once implemented password security using MD5. Woe is me! In my defense, it was in the mid 1990s and the alternative was using DES.
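The login-time migration telemark describes, as an added Python example that is not code from Fidelity or from any poster: each stored record carries a scheme tag, a legacy record (unsalted MD5, in the spirit of the confession above) is verified with its own scheme, and on the first successful login the plaintext that is briefly in memory is used to replace the record with a salted PBKDF2 one. The record layout, the scheme names and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

CURRENT_SCHEME = "pbkdf2-sha256"
PBKDF2_ITERATIONS = 100_000


def make_legacy_record(password: str) -> dict:
    """Unsalted MD5: the kind of scheme a 1990s system would have shipped with."""
    return {"scheme": "md5", "salt": b"", "hash": hashlib.md5(password.encode()).digest()}


def make_current_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per record unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": CURRENT_SCHEME, "salt": salt, "hash": digest}


def _digest_for(record: dict, password: str) -> bytes:
    """Recompute the digest the way the record's own scheme tag dictates."""
    if record["scheme"] == "md5":
        return hashlib.md5(password.encode()).digest()
    if record["scheme"] == CURRENT_SCHEME:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def login(db: dict, username: str, password: str) -> bool:
    """Verify the password and, if the record uses an old scheme, upgrade it in place.

    The plaintext is available only here, during a successful login, so this is
    the one point at which the hash can be upgraded without asking the user to
    change the password. A failed login never touches the record.
    """
    record = db.get(username)
    if record is None:
        # Spend the same time as a real check so unknown usernames are not
        # distinguishable by response latency.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", PBKDF2_ITERATIONS)
        return False
    if not hmac.compare_digest(_digest_for(record, password), record["hash"]):
        return False
    if record["scheme"] != CURRENT_SCHEME:
        db[username] = make_current_record(password)  # transparent rehash on success
    return True


if __name__ == "__main__":
    # Constructed sample database: one account still on the legacy scheme.
    users = {"alice": make_legacy_record("correct horse")}
    print(users["alice"]["scheme"])            # md5
    print(login(users, "alice", "correct horse"))  # True
    print(users["alice"]["scheme"])            # pbkdf2-sha256
```

The operational caveat, which is also why the upgrade can look inconsistent from the outside: records migrate only when their owner logs in, so dormant accounts keep the legacy hash until they are used or forced through a reset, and an audit of the scheme tags is what tells you how much of the table is still on the old scheme.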

MAI
Posts: 17
Joined: Sun Jul 20, 2014 8:31 am

Re: Fidelity password security policies

Post by MAI » Sat Oct 08, 2016 3:03 pm

telemark wrote:As a purely technical point, if the system is properly done you shouldn't need to change your password to switch to the current hashing scheme. All you need to do is log in successfully. At that point the system has your plaintext password in memory and the knowledge that it's correct, so it can calculate a new hash using the new method and update the database accordingly.
You're right, although since Fidelity used to authenticate any password which was numerically equivalent to the original password, they had no way to be sure which was the right one. (For example, a user might forget his original password but remember the phone password, if they use that one a lot.) If they rehashed the wrong one, the original password would be locked out even if the user later remembers it. So they might have decided not to rehash unless the user requests a password change. I can't think of any other reason why the phone password works on the website for the other poster, but not for me.

Orion
Posts: 509
Joined: Mon Feb 19, 2007 11:52 pm

Re: Fidelity password security policies

Post by Orion » Fri Dec 09, 2016 2:43 pm

Sorry for bumping an old thread, but if you have special characters in your password does that exclude using their phone system or do they have a workaround?

TimeRunner
Posts: 1503
Joined: Sat Dec 29, 2012 9:23 pm

Re: Fidelity password security policies

Post by TimeRunner » Fri Dec 09, 2016 5:27 pm

Orion wrote:Sorry for bumping an old thread, but if you have special characters in your password does that exclude using their phone system or do they have a workaround?
"When calling by phone, translate your password into numbers using the telephone keypad. There is no case sensitivity. All special characters should be translated to an asterisk (*)." - From a Fido screen
Man assumes more intelligence than dolphins because he achieves so much, while dolphins just have a good time. Dolphins believe they're more intelligent than man - for precisely the same reason. (HGG)

Orion
Posts: 509
Joined: Mon Feb 19, 2007 11:52 pm

Re: Fidelity password security policies

Post by Orion » Fri Dec 09, 2016 6:47 pm

Interesting - Thank you!
