Recently I saw a discussion on password security (specifically password security at Vanguard). There was much information on long passwords, password generation services, password storage services, etc.
Well, I thought I’d chime in with some input because I think the main threat was being missed, and it isn’t how complex your password is. Plus, I’ve been in the computer security world off and on for a very long time now so I have some experience here that is relevant.
Understand that many account compromises are not people cracking passwords directly. The perpetrators are stealing passwords with malware on target machines, bogus sites to phish, capturing passwords in unencrypted network traffic, etc. If they aren’t doing the above, then they are directly compromising the servers of the company to get to user access credentials, etc. (none of which the user’s password can prevent except by never reusing passwords for critical sites).
Brute force cracking of passwords on most sites won’t work due to automated lock-out procedures. Plus, it always raises huge red flags which the thieves do not want. So let’s put to rest the idea that a really complicated password is going to save you in all cases because it might not.
Put Your Password in Your Wallet
For computer users the best thing they can do is to pick a reasonably good password for critical sites like banking, etc. and never reuse them (here’s a great explanation on picking a good password). They also must run anti-malware software religiously to keep problems off their machine. If you get malware on your machine then it’s game over and I don’t care what kind of password you pick.
I’ll even go so far as to say you should write down your complicated passwords and put them in your wallet if you want. Yes, this is counter to a lot of advice. But consider that if your wallet goes missing it is obvious and you can change your passwords quickly. However if someone online steals one of your re-used passwords that was easy to remember you won’t notice for some time. Realize that you don’t need to write down the website that the passwords belong to if you don’t want. You can put a simple codename next to it if you want to jog your memory. If someone steals you wallet and finds a list of random passwords with no website next to them, how are they going to know what they belong to? And will they figure it out before you change them or report the account compromise potential to your broker/bank?
If you are very worried you may want to keep a beater machine around that you only use for doing financial transactions and you don’t use for any other reason so it has less chance of being infected. If you don’t want to do this (and most don’t), then don’t let your kids use your main machine. Get your kids their own computer to screw up and don’t let them use yours because they’ll probably get it infected doing whatever it is they are doing. Also, stay off pirate sites, torrents, adult sites, etc. These are all good places to get malware the same way hanging out on Skid Row is a great way to pick up things anti-biotics won’t cure.
Outside of this, there isn’t much the average person can do. Sure, use a good password and change it every now and then. Log onto your account every week or so to make sure there isn’t anything weird going on. Run anti-malware checks. Etc. Those are things you can control. Other than that, I’m sad to say it’s out of your domain and this is why companies carry insurance for security incidents.
Vanguard and Multi-Factor Authentication
In respect to Vanguard and other online brokerage’s password security. Realize that one of Vanguard’s issues is that they are not using multi-factor authentication like banks in Europe and other places often do. So stealing a password along with answers to some simple questions is enough to be an issue. And if malware steals your local environment and security cookies, then they could bypass these extra checks and just use the password. Even though this is a risk, realize that Vanguard is not going to let anyone add on a new account to wire money out to Romania so there is still some protection. Maybe someone could log in and execute trades maliciously though so that is an issue.
If you use things like Google Gmail, consider setting it up for multi-factor authentication. There is a Google Authenticator app you can download for free. Once your account is setup you have to enter a password and an authenticator code that rotates every 60 seconds. You can also keep a list of codes printed out in your wallet to use for backups. Without the authenticator codes it is significantly harder for malware to compromise your account at Google. If you have online banking, brokerages, etc. you can call them up and see if they offer multi-factor authentication systems. Most of them don’t in the U.S., but it doesn’t hurt to ask if you are concerned.
Ideally, Vanguard and other brokerages would use multi-factor authentication (I’d love for them to do something simple with my cellphone and an app for instance). However, there are technical and support issues involved and I’m sure they looked into all of these options and probably decided it isn’t worth it to them. Perhaps internally losses have not become a big enough problem to justify the costs to make additional security improvements. The reality is that financial companies get burned with hacks from time to time but they don’t publicize it. It’s just a cost of doing business and they weigh that cost against inconvenience of lots of security for their customers.
Hope the above brain dump on the realities of passwords helps you out…