The art of the perfect password

February 4, 2010 11:53 am

Anytime I forget something, I rationalize that what I’m really doing is clearing out space to allow new information to be stored in my brain. It’s a bit like cleaning off my desk or deleting cookies from my computer.

The most irritating forgetfulness is when I can’t remember that “perfect” password I set up for a particular website. At the time I created it, I was sure I’d remember it. Instead, I have to repeat the site’s entire security process to regain access. With so much of my role at Vanguard revolving around information security—and with so much of my life online—this can be distressing, and it’s a major inconvenience.

It can be tempting to streamline the number, length, and variety of passwords we use. But a recent New York Times article highlights the danger in this approach, and demonstrates the lack of awareness of those sailing around the Internet. Based on a new study of 32 million social-networking passwords stolen by a hacker and promptly posted on the Web, many people continue to favor easy-to-guess passwords—including the word “password”!

Have you ever used “abc123”? Or run your fingers across the keyboard and wound up with “qwerty”? You’re not alone. In this study, the most common password was “123456,” followed by “12345.” What’s more, 20% of this large sample (640,000 people) chose one of the top 5,000 passwords. That makes a hacker’s job a lot easier.

Fortunately, there are ways to protect yourself with distinct, memorable passwords. Some of the basic rules to keep in mind:

  • The longer the password, the better.
  • The greater the combination of uppercase and lowercase letters, the better.
  • The more numbers and punctuation marks, the better.
  • The more random, the better.

But, of course, for a password to be useful, you have to actually remember it! With that in mind, an FTC report on identity theft suggests using the first or last letters of each word in a familiar phrase.

For example, think of a line from a poem you might have memorized in school, such as “Listen my children and you shall hear …. ” Your password might be “Lmcaysh.” Or is there a phrase you remember your parents using? I’ll never forget “As long as you live in my house … ,” which gives you “Alaylimh.” Either way, you get a lengthy, hard-to-guess password that uses both uppercase and lowercase letters.

Adding numbers or punctuation is also advisable. Consider throwing in a memorable year—“1775:Lmcaysh,” for example, or “Alaylimh-1974.” And for even greater security, you might replace certain letters with numerals that resemble them, or vice versa, such as zero for the letter O, or S for the number 5.

It’s even better if your numerals, punctuation, and uppercase letters are distributed randomly throughout the password—“L:mCay5H177S,” anyone?—but we’re going for memorable, so don’t go overboard.

Whatever approach you choose, the key is to come up with passwords that seem random, yet are easy for you to remember. With a little creativity, you can help keep yourself from being one of the countless millions of Internet users who are practically inviting hackers to wreak havoc on their lives.
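To make the phrase-acronym method and the “longer, more varied, more random” rules concrete, here is a small added example (not code from the post, the FTC report, or Vanguard). It derives the acronym passwords shown above, applies the year and look-alike substitutions, screens a candidate against a constructed five-entry sample of the leaked common-password list, and estimates the brute-force search space in bits from length and character classes. The eight-character minimum, the five-entry list and the search-space model are this example’s own assumptions.

```python
import math
import re
import string

# Constructed sample: the post names these five as among the most common
# passwords in the leaked 32-million-password study. A real deployment would
# load the full list (for example, the top-5,000 set the post refers to).
COMMON_PASSWORDS = {"123456", "12345", "password", "abc123", "qwerty"}

# The look-alike swaps the post suggests (zero for O, 5 for S).
LOOKALIKES = {"O": "0", "o": "0", "S": "5", "s": "5"}

# Assumed minimum length for the policy check; the post gives no number.
MIN_LENGTH = 8


def acronym(phrase: str) -> str:
    """First letter of every word, keeping case: 'Listen my children ...' -> 'Lmcaysh'."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", phrase)
    return "".join(word[0] for word in words)


def substitute_lookalikes(password: str) -> str:
    """Swap every O/S (either case) for its look-alike digit."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in password)


def build_password(phrase: str, year: str, year_first: bool = True,
                   sep: str = ":", leet: bool = False) -> str:
    """Combine the acronym with a memorable year, as in '1775:Lmcaysh' or 'Alaylimh-1974'."""
    base = substitute_lookalikes(acronym(phrase)) if leet else acronym(phrase)
    return f"{year}{sep}{base}" if year_first else f"{base}{sep}{year}"


def charset_size(password: str) -> int:
    """Alphabet an exhaustive guesser must cover, given which character classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def search_space_bits(password: str) -> float:
    """log2 of the number of strings of this length over this alphabet: an upper
    bound on guessing effort. A password on the common list is effectively 0 bits
    whatever this returns, which is why check_policy() tests the list first."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def check_policy(password: str, min_length: int = MIN_LENGTH) -> list:
    """Reasons a candidate would be rejected under the post's rules; empty means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the leaked common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("contains no digit or punctuation")
    return problems


if __name__ == "__main__":
    samples = [
        "123456",
        acronym("Listen my children and you shall hear"),
        build_password("Listen my children and you shall hear", "1775"),
        build_password("As long as you live in my house", "1974", year_first=False, sep="-"),
        "L:mCay5H177S",
        # A long passphrase with few symbols, to compare length against variety.
        "To be, or not to be, that is the question",
    ]
    for pw in samples:
        verdict = check_policy(pw) or ["ok"]
        print(f"{pw!r:45} {search_space_bits(pw):6.1f} bits  {'; '.join(verdict)}")
```

Two things the numbers show that the prose alone does not: scattering the symbols through the password (“L:mCay5H177S”) scores the same as “1775:Lmcaysh” under a brute-force model, because what matters there is length and which classes are present, not where they sit; and a long plain sentence outscores both by a wide margin. The caveat is that the model assumes the attacker guesses blindly. An acronym of a famous line is a natural dictionary entry, so the list check in check_policy() is the part worth keeping strict.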

Note: The link to NYTimes.com will open a new browser window. Vanguard accepts no responsibility for content on third-party websites.

29 Comments

  1. This advice is horrible. I have passwords for my two email accounts, three instant messenger services, a social networking site, a handful of blogs, three banks, four investment firms, three credit cards, several online stores, my own computer and the various computer networks at work. The secret to good passwords is to use different long and random passwords for every site and to write them down. There are several free programs available that will generate a random password for you and then store it with your user name and the website it is for in an encrypted file. Then you need to remember only one or two good passwords instead of 20 poor ones.

  2. You may want to share some of this info with those responsible for security at Vanguard. As far as I can tell, the passwords at vanguard.com are not case sensitive.

  3. Also available is KeePass, a password manager. With multiple sites requiring a password, it isn’t wise to re-use the same password.

  4. About 5-6 years ago (pre-Vanguard), I had an Investors Business Daily stock trade account. I used it a lot, until I just got “crazy” with activity. I just got offline once. However, beforehand they had an EXCELLENT password protection device, which I would be comforted with. I wish Vanguard offered it.

    It is a mail-out single detail device that must be “coded” on ID and password. I think that it was even a received “per transaction” call. If you misentered it, you had to start over. No mistakes approved. It was a bothersome device but a safe one. It was sent to you from IBD. Cost was $5 I think.

    Vanguard could include it. Please re-consider.

  5. So many websites require passwords now, that I have resorted to using a few standbys. However, for financial sites, I do think it’s worthwhile to have a unique, complex password. If you must write them down to remember them, at least have them hidden or locked!

  6. It is also important to not use the same password for everything. Social network sites are often unencrypted — it’s risky to use your Facebook password for Vanguard. Mixing in the website into the password can help make it unique. For example, use the first two characters of the service (e.g. ‘V’ and ‘a’ for Vanguard) as the 2nd and 6th characters in your password.

  7. This is good advice, and I would like to see Vanguard support more of it. Vanguard passwords ignore case and do not allow symbols; all other financial sites I use allow symbols and distinguish upper and lower case.

  8. Compliments on this article that addresses one of my real frustrations. Thanks for the very good suggestions.

  9. Worthwhile article. How often should you change your password if ever?

  10. OK, so my current password has both upper case and lower case letters and numbers. I just logged on to my Vanguard account and entered my password with ALL lower case letters and Vanguard ACCEPTED it and logged me on. I also seem to recall that Vanguard does not accept !@#$%^&* in the password. So, while I agree with your conclusion in your blog, and try to apply those concepts, Vanguard doesn’t seem to support the method in the passwords it allows its clients to use.

  11. I use a password convention – most of my password is always the same, but there are two letters that vary for every site. I have a rule for picking those letters based on the site, and they always go in the same place. So I basically have a formula that allows me to have different passwords for everything, but only remember one thing. This was a method taught to me by a savvy IT guy and is the best approach I’ve ever heard.

  12. If you’re old enough to remember a defunct phone number with both letters and numbers (E.g. BU8-1234) try using it.

  13. Vanguard website should allow for complex password including special characters. In term of security, Vanguard should treat paper mail as email. Account owners know their own confidential information and account numbers. Printing them on paper mail is very very bad practice. No mail is secure. Tax forms and account maintenance postal mails should be waived as long as clients sign up for e-delivery. Please take more advantage of e-delivery and at the same time save trees, save money. Thank you in advance!

  14. I like this advice and use some of these techniques. I also use the same password or versions of that password for sites for which I am not as security-minded. For example, I would not be devastated if someone hacked into one of my social networking sites or other sites that do not store my credit card info. Therefore, I use one password (or version of the password) for these sites. This simplifies things a little. Also, since different sites have different character requirements, as alluded to earlier, I have versions of usernames and passwords. For example, if a site lets me use the (hypothetical) username USArev76, then I’ll make my password Lmcaysh76. But if another site requires more letters for the username, I’ll use USArev1776 and password, Lmcaysh1776.

  15. thanks a lot for your timely reminder and practical solutions! GOOD job!!

  16. At a minimum, the Vanguard site should implement your advice and allow longer passwords, case-sensitive passwords, and symbols in the password. Ideally, Vanguard would implement a genuine multi-factor, token-based login system.

  17. Perfectly terrible advice. You SHOULD include special characters, i.e., above the number keys, in making an effective password. Unfortunately Vanguard does NOT allow this. As an IT professional, I must say this is the only site I’ve come across to not allow special characters. Please get into the 21st century.

  18. I think it’s terrible that VG does not allow CASE SENSITIVE and/or SYMBOLS. We have been with VG for many, many years and it’s time for VG to go into the 21st Century. I do think that 10 positions is an adequate length for a USER and PASSWORD.

    My one other complaint is WHY DOES IT TAKE SO LONG TO REMOVE ACCOUNTS AND HOLDINGS THAT ARE “GONE” AND “DEAD”. Why does it take 1 whole year. It is a waste of time and resources to keep listing inactive stuff.

  19. PLEASE, please Vanguard, change your password rules to include upper and lower case and special characters. It’s also important to have a password longer than 9 characters.

  20. Password length is limited to just 10 characters, which is very short. Password allows uppercase, lowercase & numbers, but it should also include special characters.

  21. Why does Vanguard not apply the same standards that you discuss!?

  22. Vanguard really needs to address the password length issue, and fast. The 10 character Max is ridiculously small. How are we supposed to create completely random (maximum entropy) passwords with this insane restriction? Besides my bank account, I consider my vanguard account one of the most important. I’m looking at my KeePass vault as I write this, and of 105 sites I maintain accounts with, Vanguard is the dead last in terms of password length, and since all my passwords are created by a password generator, it’s also the weakest of all my passwords. Toss in the fact that I just proved to myself that Vanguard passwords are NOT CASE SENSITIVE, (just now finding out)! This is nuts. I am calling them tomorrow to find out who I can yell at.

  23. Vanguard – let us have longer passwords that are case sensitive and allow for some special characters, please!

    We have most of our retirement assets at Vanguard. Listening to your customers will be good for business.

  24. It would be nice if
    1. Vanguard had more than 10 characters
    2. Upper/lower case added additional security
    3. Characters were allowed.

    The 10 character size is inadequate for some of the cyber criminals today who use offline captured authentication hashes.

    I know they don’t want to deal with clients losing their passwords. But, complexity makes people ultimately safer.

  25. Vanguard does accept special characters in passwords; specifically, Vanguard wrote to me that they currently do offer the ability to create passwords with special characters on their website. The special characters that are allowed are:
    ~ ` ! @ # $ % ^ & * ( ) - _ + = [ { ] } \ | : " . ? , / ' ;

    Your password must have 6-10 characters and include two letters and two numbers. Do not use spaces.

    They ought to allow mixed case as that expands the difficulty of someone or some program guessing a password.

  26. Citibank Online suggests account holders change their passwords every 30–60 days, and I know of at least one university that not only forces employees and students to change their passwords four times a year, but they must be eight or more characters in length, include upper and lower case letters, numbers, and at least one special character. IT people at different institutions certainly have different ideas of what’s necessary.

  27. My Vanguard retirement accounts are my largest single asset. Despite my continued correspondence, even begging, with the Vanguard folks, they will not listen to the advice in this blog, nor the comments that followed. How can I effectively request they upgrade their login credentials to 21st Century standards? Need I vote with my wallet? Move my investments (over $1,000,000) to a custodian who cares? Fidelity isn’t better, they’re worse.

    Suggestions anyone?

  28. WRT the upper/lowercase and punctuation marks. Not necessarily. While they DO increase entropy within the passcode, they really don’t change much when a computer’s unleashed on a bruteforce attack. I’d rather see someone use “To be, or not to be, that is the question, whether tis nobler in the minds of men to have suffered the slings and arrows” than #eG5o~n when I have a system that’s subject to bruteforce attacks. This is why I have real problems with many dull-minded admins: my passcodes are sort of easy to figure out by a human, 1) assuming you’re polymathic enough to be able to reel off large chunks of soliloquies and 2) know WHICH soliloquy I was using, but invariably they’re tens if not hundreds of characters long, which makes a bruteforcer scream. So short and full of entropy is a Bad Idea IME, and most dull admins cut off passcodes at 4, 8, or 16 characters. I’d rather see long and not really entropic myself, so tend towards making passcode fields 255 characters (or more) long.

    • kimberly_gust says:

      Your comments and discussions around security are heartening. I believe too many people are still not cognizant of the risks they face online, or they’re just hoping “it doesn’t happen to them.”

      Here are a few thoughts about our security. Please understand that my comments must remain general in order to protect you, our shareholders, and your assets.

      Vanguard.com’s password guidelines are currently in line with industry “best practices” for encryption and hashing. While vanguard.com currently allows you to use special characters in passwords, we believe continuous improvement is necessary. That means you will see us make further changes to our password standards in coming months and on a periodic basis. I strongly urge you to check out our Security Center for more information.

      In the event of fraudulent activity online, Vanguard’s commitment is simple. If assets are taken from an account in an unauthorized online transaction, and if the steps described in our Security Center – Your Responsibilities have been followed, Vanguard will reimburse the assets taken from an account in the unauthorized transaction. –Ellen Rinaldi
