Vanguard Security Questions Reset

I don't know - do these password systems actually bypass keyloggers, or do they simulate keypresses that would look the same to a system like this?





OK, when I read 'It isn't possible that someone entered my user name by mistake', I took that to mean it was a very long and complex one. Eight chars could be a brute force attack.

-ERD50

I read that keyloggers can't read the apps entries.

VG allows up to 12 chars for a user name, and now I use all 12 and include numbers. I found it's easy to change: just do it before you log in. Choose to register and it will understand that you are reregistering. Nothing is lost.

Sent from my Nexus 7 using Early Retirement Forum mobile app
 
When I first signed up I picked 12 random characters. There could be an attacker that gets it right, but not likely.

Is it possible your browser or even pass program had a momentary glitch?

I would ask Vanguard to verify whether the attempt came from my IP address or not.

Might something like quicken or mint be downloading data for you? Maybe a hiccup there.
 

1. I would have noticed if that had happened.
2. Great idea. I just called and asked, and he's going to have someone look into it. I think the answer has to be "another IP address" because otherwise it wouldn't have asked the questions. If they can tell me where the IP address came from, it will really help.
3. No, I don't do that, and anyway I would have noticed.
 
Trying to think if I've ever gotten the challenge questions with Vanguard. Probably not. But I do get them with other companies when Firefox browser updates itself, which is a frequent occurrence.

It sounds like you're on a safer path, so just a question of knowing how it might have happened.
 
That's just one of the reasons why password manager software is so valuable.

+1

After the Heartbleed virus, I began using KeePass, and absolutely love it. Generates very secure encrypted passwords, which I used to change passwords on all my sites. Now logging in to all financial sites is so much faster/easier, and safer. I copy encrypted passwords into each of my sites when logging in, and there's a setting to vary how long the entry stays in the clipboard to defeat keyloggers.

Was originally going to use LastPass, but didn't like that it's cloud based. I keep KeePass on two thumb drives (one for backup) which I only plug into the computer when accessing sites. All my data is vastly safer now.
 
Vanguard called me back with the answer. They found that someone with a similar user name had typed in my user name by mistake, and therefore had trouble with the security questions.

I still find it a little surprising, because my user name at the time was something like this:

UOTTGERO

So, if they are telling the truth, then everything is OK, and my new user name with 12 characters and digits should prevent this happening again.

I say "telling the truth," because if Russian mobsters were doing dictionary attacks on Vanguard, they wouldn't want to admit that. I guess I'm cynical.
 
What does UOTTGERO mean in Russian? :LOL:

At least the challenge question worked as planned which is much better than the alternative.
 
I say "telling the truth," because if Russia mobsters were doing dictionary attacks on Vanguard, they wouldn't want to admit that. I guess I'm cynical.

Agree they wouldn't tell you, individually, of an attack. They probably wouldn't have given any answer.

The fact they called you back and gave a plausible explanation would suggest you got the truth (IMHO). Web servers or application servers log invalid authentication requests (given proper configuration). Those logs are generally available for research for weeks or longer, just for incidents like yours.

The next to last thing Vanguard or any financial services provider wants is for you not to trust their security. The last thing they want is their name on the front page of WSJ saying a breach occurred.
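The point about authentication logs is worth making concrete. Below is an added example, not code from Vanguard or from anyone in this thread, of the kind of triage a security team runs over those logs: it reads constructed sample lines in a hypothetical log format, then separates "one source failed a few times and then a similar-looking name logged in successfully from the same address" (the mistyped-user-name story Vanguard gave) from "many sources hammering one name in a short window" (guessing). The neighbour name UOTTGER1, the JSMITH account and all IP addresses are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical application-server format. The
# thread does not show Vanguard's real logs; the "UOTTGER1" neighbour, the
# JSMITH account and the IP addresses are made up for the demonstration.
SAMPLE_LOG = """\
2014-05-10T09:12:01Z auth FAIL user=UOTTGERO src=203.0.113.7 reason=bad_security_answer
2014-05-10T09:12:40Z auth FAIL user=UOTTGERO src=203.0.113.7 reason=bad_security_answer
2014-05-10T09:13:15Z auth OK user=UOTTGER1 src=203.0.113.7
2014-05-10T21:00:00Z auth FAIL user=JSMITH src=198.51.100.1 reason=bad_password
2014-05-10T21:00:01Z auth FAIL user=JSMITH src=198.51.100.2 reason=bad_password
2014-05-10T21:00:02Z auth FAIL user=JSMITH src=198.51.100.3 reason=bad_password
2014-05-10T21:00:03Z auth FAIL user=JSMITH src=198.51.100.4 reason=bad_password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_events(log_text):
    """Return (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def levenshtein(a, b):
    """Edit distance, used to judge whether two user names are plausibly typos of each other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_failures(log_text, window=timedelta(minutes=10), ip_threshold=3, max_typo_distance=2):
    """Classify every user name that had failed logins.

    distributed_guessing      failures from >= ip_threshold distinct sources inside `window`
    likely_mistyped_username  a success from the same source, under a similar name, near the failures
    single_source_failures    anything else
    """
    failures = defaultdict(list)
    successes = []
    for ts, result, user, src in parse_events(log_text):
        if result == "FAIL":
            failures[user].append((ts, src))
        else:
            successes.append((ts, user, src))

    report = {}
    for user, fails in failures.items():
        fails.sort()
        first_ts, last_ts = fails[0][0], fails[-1][0]
        sources = {src for _, src in fails}
        entry = {"failures": len(fails), "sources": sorted(sources), "similar_user": None}
        if len(sources) >= ip_threshold and last_ts - first_ts <= window:
            entry["verdict"] = "distributed_guessing"
        else:
            entry["verdict"] = "single_source_failures"
            for ts, ok_user, ok_src in successes:
                if (ok_user != user and ok_src in sources
                        and abs(ts - last_ts) <= window
                        and levenshtein(ok_user, user) <= max_typo_distance):
                    entry["verdict"] = "likely_mistyped_username"
                    entry["similar_user"] = ok_user
                    break
        report[user] = entry
    return report


if __name__ == "__main__":
    for user, entry in triage_failures(SAMPLE_LOG).items():
        print(user, entry)
```

The thresholds (ten-minute window, three distinct sources, edit distance of two) are assumptions chosen for the demo; a real team would tune them to the site's traffic. The "similar name succeeded from the same address" rule is exactly the evidence that lets a provider answer "someone with a similar user name typed yours by mistake" with some confidence rather than guessing.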
 
Most likely Vanguard could tell where the phone call came from if Boris was trying to sneak into your account. "Why is Trombone Al calling from Babushba in Siberia?"
 
Which reminds me, Vanguard's security sucks. You enter username and password on separate pages, so a bad guy gets confirmation of the username, and can then try the password. When they are on one page, they need to get BOTH right at the same attempt. And their PWs are too short; I had to use a simpler system than my usual one for secure sites.

-ERD50

Having both on the same page would be better as the hacker wouldn't know which was incorrect. But why say their security sucks? I think it is very good. The userid can be 12 positions so maybe 16 or 20 is better but 12 is good. The password can be 20, since when is 20 positions for a password too short? Mix up upper and lower case, numbers and symbols and you have a safe user id and password. They use an icon on the password page so you know you are really on their site. Then there are the security questions that should be nonsense answers that only you would know not the correct answers to the questions. It seems to me Vanguard is doing a good job.

+1

I copy encrypted passwords into each of my sites when logging in, and there's a setting to vary how long the entry stays in the clipboard to defeat keyloggers.

Was originally going to use LastPass, but didn't like that it's cloud based. I keep KeePass on two thumb drives (one for backup) which I only plug into the computer when accessing sites. All my data is vastly safer now.

Yep, I copy and drop userids and passwords from the safe. Like you, I didn't care for keeping this in the cloud. I've used KeePass for 2 or 3 years now. And like you, I deleted the database off the C drive and put it on 2 flash drives. I'd like to keep a 3rd in my safe deposit box, but I'd have to have a 4th to bring and return with the one that was in the SDB; maybe all that is overkill. I have a printout of the entire database in the SDB and that is always up to date.
 
Having both on the same page would be better as the hacker wouldn't know which was incorrect. But why say their security sucks? ...

For one, the reason you just mentioned.


I think it is very good. The userid can be 12 positions so maybe 16 or 20 is better but 12 is good. The password can be 20, since when is 20 positions for a password too short?

Unless they changed it, or I screwed up, I could not get it to take a long password, and by 'long', I still mean less than 20.

-ERD50
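The disagreement above about username and password on separate pages comes down to what the server tells the caller at each step. As an added example (not Vanguard's code; the user store, the messages and the PBKDF2 work factor are constructed for the demo), here are both designs side by side: a two-page flow that answers "unknown user name" before any password is seen, and a one-page flow that gives the same answer, and does the same amount of password-hashing work, whether the name exists or not.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor for the demo store (assumption)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed demo user store (user names compared case-insensitively, as the
# thread suggests Vanguard's are). Not Vanguard's data or code.
USERS = {"uottgero": make_record("correct horse battery")}

# Dummy record for unknown names. Its hash was made with a *different* salt
# than the one stored beside it, so no password can ever match it; it exists
# only so that an unknown name costs the same PBKDF2 work as a known one.
_DUMMY = (os.urandom(16), hash_password("unused", os.urandom(16)))


def login_two_pages(username, password):
    """Username page first, password page second: each step answers on its own."""
    record = USERS.get(username.lower())
    if record is None:
        return False, "Unknown user name"        # tells the caller the name is not registered
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "Welcome"
    return False, "Incorrect password"           # tells the caller the name IS registered


def login_one_page(username, password):
    """Both fields on one page, one generic answer, same work either way."""
    salt, stored = USERS.get(username.lower(), _DUMMY)
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "Welcome"
    return False, "Incorrect user name or password"


def leaks_username_validity(login):
    """True if an unknown name and a wrong password for a known name are told apart."""
    _, unknown_msg = login("nobody", "wrong")
    _, wrong_pw_msg = login("UOTTGERO", "wrong")
    return unknown_msg != wrong_pw_msg


if __name__ == "__main__":
    print("two pages leak user-name validity:", leaks_username_validity(login_two_pages))
    print("one page leaks user-name validity: ", leaks_username_validity(login_one_page))
```

The dummy record matters as much as the wording: if the one-page flow skipped the hash for unknown names, response time would give away the same information the message no longer does. In a real deployment the generic message is combined with per-account and per-source rate limiting, which is the control that actually stops password guessing once a name is known.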
 
+1 on KeePass. I've been using it forever. It's FREE. It's safe. It's secure. From years of using it and in my previous life in technology... I used to research just how secure it might be. While nothing I suppose can be guaranteed at 100%, the general consensus from those "in the know" has always been, "you lose or forget your entry password into the program, you are toast (=secure)."

I have no concerns storing my Database in the cloud. I drop it in my OneDrive folder so I have it locally and also the MS site.

Versions: 1.x (older version, still supported, perfectly fine)
2.x newer and meant primarily for Win machines as it requires the .NET framework. I use 2.x

Finally, a tip... if you want to store a backup copy of your database in the cloud (or any other file for that matter), consider renaming the file extension to something different. Keepass uses .kbx (as Word would use a .doc or Excel .xsl). I rename my file something like "myword.aaa"; the 'my word' part reminds me that it has password info. Someone would have zero clue as to what program can open it. If I need it, I just rename back to .kbx
 
Just a note on LastPass, it is cloud based but it keeps everything in an encrypted blob. Nothing is in the clear beyond your own machine. I use it and am very happy with it.
 
I think this technique helps to confuse a "possible" keylogger which could be on one's system during a Vanguard login:

1) you have a 12 character login
2) Type maybe 6 characters of the login
3) Place cursor outside the login box, or even in the Search Window box
4) Type nonsense characters
5) Replace the cursor to the login box
6) Type the remaining 6 characters

Note you could start by typing the last 6 characters and when replacing the cursor at the beginning, then type the first 6 characters.

I've been told that this can confuse at least a good percentage of keyloggers. Maybe the CIA has a keylogger that won't be fooled?
 
With all this talk about security, does anyone think like I do? Every time I log into Fidelity or Vanguard..... just for a microsecond....I think to myself, "Please, oh please, don't show my balance to be $0.00"

What is money anyway, just an entry in some database.
 
Every time I log into Fidelity or Vanguard..... just for a microsecond....I think to myself, "Please, oh please, don't show my balance to be $0.00"
That happened to me a few years ago. I logged into my savings account in which, at the time, I was keeping ~ 4 years worth of living expenses. My account summary appeared, and showed my account balance to be zero!

A good minute or two of confusion and near-panic ensued, before I remembered that just a few weeks earlier, I had transferred the entire balance to a bank that was paying a slightly higher rate of interest.

PHEW.
 
One disappointment of Vanguard's security is that passwords are not case sensitive. The complexity goes up rapidly if each character can be a capital, lowercase, number or special character. I make sure that I have a character or three that are NOT on the keyboard on any site that is truly sensitive/important. I like big O's.

I always loved the Dilbert cartoon where the pointy head boss very carefully types ******** as his password.
 
One disappointment of Vanguard's security is that passwords are not case sensitive...
Vanguard passwords ARE case sensitive. I don't think the usernames are, if that's what you meant.
 
So, if a password is stolen via a keylogger, wouldn't it not matter whether the password was 8 characters or 16 characters long?

As I always thought the longer passwords are more secure only for brute force attacks but to a keylogger, what's 8 vs 16 characters between friends? :facepalm:
 
Vanguard passwords ARE case sensitive. I don't think the usernames are, if that's what you meant.

Thank you for the correction. You are right. One nightmare is to find a hacked account and everything gone when I logged in.

I tried to have my user name a "password" to add complexity. My 401K account has non-numeric, non-alphabetic characters added in. I didn't think of that with my Vanguard account, but did have a mix of upper and lower case letters, but as you noted correctly, to no avail. I just lengthened my password to the full 20 chars. It will take years for each dollar gained to hack my account.
 
Just a note on LastPass, it is cloud based but it keeps everything in an encrypted blob. Nothing is in the clear beyond your own machine. I use it and am very happy with it.

+1

LastPass is one tool. I would not rely solely on it for security. At the very least, one should periodically logon to one's accounts and see if anything unusual is going on. Also, using two factor authentication, when available, is a good idea.

LastPass hashes and encrypts the database into a blob of meaningless garbage. The key to making that garbage mean something is not stored in the cloud. When you type in your id and password, the app generates your key so it can encrypt and decrypt your data as needed. The key itself is a 256-bit long mini-blob of data. But the key is never stored with the blob of encrypted data.

So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA - it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It's just like it's been digested into this thing. In fact, hashes are called "digests," also, for that reason.
What that is, is that is your cryptographic key. That's the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you.
From: https://www.grc.com/sn/sn-256.htm
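To make the quoted description tangible, here is an added example (not LastPass's code and not from the Security Now transcript) that implements the key derivation exactly as the quote states it: lowercase the e-mail address, strip whitespace, append the password, SHA-256 the result, and use the 256-bit digest as the key that encrypts the blob on the client and never travels with it. The blob encryption uses HMAC-SHA256 in counter mode plus an authentication tag as a stand-in for a real cipher such as AES-256, and a PBKDF2 variant is added purely for comparison; the e-mail, password and vault contents are constructed.

```python
import hashlib
import hmac
import os


def normalize_email(email):
    """The normalization the quoted description gives: drop whitespace, lowercase."""
    return "".join(email.split()).lower()


def derive_key(email, password):
    """Key derivation as described in the thread: one SHA-256 over normalized
    e-mail + password, giving a 256-bit key that is computed on the client."""
    material = (normalize_email(email) + password).encode("utf-8")
    return hashlib.sha256(material).digest()


def derive_key_iterated(email, password, iterations=100_000):
    """Added for comparison, not from the thread: PBKDF2-HMAC-SHA256 with the
    normalized e-mail as salt. Each guess then costs `iterations` hashes instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               normalize_email(email).encode("utf-8"), iterations)


def _subkey(key, label):
    # Separate encryption and authentication keys derived from the one master key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in for a real cipher such as AES-256
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_blob(key, plaintext):
    """What the client uploads: nonce || ciphertext || tag. Useless without `key`."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_blob(key, blob):
    """Inverse of encrypt_blob; raises ValueError on a wrong key or a tampered blob."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered blob")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def opens_with(key, blob):
    """True if `key` authenticates and decrypts `blob`."""
    try:
        decrypt_blob(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed credentials and vault contents
    key = derive_key("Alice@Example.com", "correct horse battery staple")
    blob = encrypt_blob(key, b"site=vanguard.com user=UOTTGERO")
    print("blob the service stores:", blob.hex())
    print("decrypts with the right key:", decrypt_blob(key, blob))
    print("opens with a wrong key:", opens_with(derive_key("alice@example.com", "other"), blob))
```

Two things the quote leaves implicit are visible here. First, because the e-mail is normalized before hashing, "Alice@Example.com " and "alice@example.com" yield the same key, so a capitalization slip does not lock the user out. Second, a single SHA-256 is cheap: anyone who obtains the stored blob can test password guesses at raw hash speed, which is why the iterated derivation is included as the comparison point and why a long master password matters with this design.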
 