Chovy’s Blog

Major Financial Institutions and Passwords

Wed, February 16, 2005 — Category: Personal

I routinely change my passwords every few months on all my financial providers that I do online business with. The goal is to pick a secure password that is 8 characters in length, has mixed-case alphanumeric characters and at least 2 special characters.

An example of a good password would be: “Foo)B4r!”

Part of the problem was when I recently installed Quicken 2005 Premier. The software would only let me send a 6-digit PIN to one of my banks, whereas the bank itself allowed for an alphanumeric (letters and digits) password. It took me a while to figure out why I couldn’t download the transactions into Quicken 2005 Premier (complain to Intuit).

The password forced on me by more than one of the companies I do business with consists of something as stupid as a 6-digit password (no letters or special characters). One could crack the account with a script if they know the username. All you’d have to do is write an iteration loop:

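    $i = 0;
    while ($i <= 999999) {              // every 6-digit PIN, 000000 through 999999
        tryLogin(sprintf('%06d', $i));  // tryLogin() stands in for one login attempt
        $i++;
    }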

What I’m saying is that this is a very stupid rule - it leads to people using insecure passwords, like their phone number, or birthday.

Frankly, I’m quite disturbed at the lax password policies I’m finding with most of the financial institutions I use. 4 out of 5 of my providers do NOT allow for a secure password.

PayPal is the only site I’ve come across that allows for a secure password as described above.

I encourage you to send a quick email (feel free to copy and paste this blog posting) to your financial services institution in an effort to lobby them so they will implement more secure passwords. Simply go to their home page, and click on their “Contact Us” link (almost all banks and brokerages have this on the home page). Wouldn’t take more than 2 minutes, and if everybody does it, we will see some changes!

Below is a list of all the financial institutions I could think of (if you know of any others, feel free to post their contact info in the comments section):

Bank of America:
1.800.792.0808
email

Patelco Credit Union:
support@patelco.org
415.442.6200 or 1.800.358.8228 (toll-free, nationwide)

Ameritrade:
(click on New Accounts)
U.S. Phone: 800-669-3900
International Phone:
City Code: 402
Number: 970-5805
Canadian Phone: 866-328-3522 or 416-363-9045

Merrill Lynch:
Site Feedback
US: General Inquiries 1-800-MERRILL (637-7455)

Wells Fargo:
Online Banking and Bill Pay:
1-800-956-4442
Email

Schwab Plan:
Contact Us page
1-800-724-7526

Schwab:
Email
1-866-855-9102

E*Trade:
Call 1-800-ETRADE-1 (1-800-387-2331)
From outside the U.S., call +1-916-636-2510
Email is only available to customers

Washington Mutual:
I would CC everybody on this page
Personal Banking Customer Service: 800.788.7000
Home Loan Customer Service: 866.926.8937

Tech Credit Union:
Email Form
408-451-9111 or 800-553-0880


5 Comments »

235

Comment by Anonymous

May 7, 2005 @ 9:28 am

Hi, so you are saying that Quicken 2005 limits the password or PIN to a max of 6 numbers only? Meaning, in order to use Quicken to download transactions you will need to change to this convention at your financial institution? When I set up the account initially it retrieved the account info but would not let me later connect.

236

Comment by chovy

May 7, 2005 @ 4:16 pm

Yes, for some institutions. But not all. It’s some sort of miscommunication between the bank and the Quicken people. I told them about it, but I doubt anyone will do anything about it.

237

Comment by Anonymous

May 16, 2005 @ 5:14 am

Any password can be hacked with a brute force attack. Even ones with numbers, letters, symbols and non printing characters.

To ensure security the server or application should suspend the user account after a couple of failed logins. This will stop ALL brute force attacks in their tracks.

Therefore forcing a password to use 6 numbers doesn’t really affect the security of the account.

You suggest your foo(b34 password would be a good one. It wouldn’t; a brute force dictionary attack would start quite soon with the word FOO (very common) and then start appending characters.

238

Comment by chovy

May 16, 2005 @ 11:01 am

Yes, agreed that after x number of incorrect logins, the account should be disabled.

But using special characters and different cases greatly increases the number of attempts it takes for a brute force attack to be successful. I’ve tried doing a brute force on my own Celeron-233 computer, and to guess a relatively simple password it took over 3 days; I finally gave up.
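An added example (not part of the original post or its comments): it replays the post's 6-digit enumeration loop against an in-memory login check that suspends the account after repeated failures, as comment 237 proposes, and compares the per-account guess odds for a 6-digit PIN and an 8-character password. The class and function names, the demo username and PIN, and the three-failure threshold are constructed for illustration.

```python
import hmac
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

class LoginThrottle:
    """In-memory login check that suspends an account after max_failures misses."""

    def __init__(self, credentials, max_failures=3):
        # username -> secret; constructed demo data (a real service stores salted hashes)
        self.credentials = credentials
        self.max_failures = max_failures
        self.failures = {}               # username -> consecutive failed attempts
        self.locked = set()

    def try_login(self, username, secret):
        if username in self.locked:
            return "locked"              # suspended: the guess is never compared
        expected = self.credentials.get(username)
        if expected is not None and hmac.compare_digest(expected, secret):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
        return "denied"

def enumerate_pins(throttle, username):
    """Replay the post's loop over 000000..999999; return (guesses compared, outcome)."""
    compared = 0
    for i in range(1_000_000):
        result = throttle.try_login(username, f"{i:06d}")
        if result == "locked":
            return compared, "locked"
        compared += 1
        if result == "ok":
            return compared, "ok"
    return compared, "exhausted"

def keyspace(alphabet_size, length):
    return alphabet_size ** length

def odds_before_lockout(alphabet_size, length, max_failures):
    """Chance of hitting a uniformly random secret before the account is suspended."""
    return max_failures / keyspace(alphabet_size, length)

if __name__ == "__main__":
    print(enumerate_pins(LoginThrottle({"demo": "483920"}), "demo"))  # (3, 'locked')
    print(odds_before_lockout(10, 6, 3))               # 6-digit PIN
    print(odds_before_lockout(len(PRINTABLE), 8, 3))   # 8 printable characters
```

The odds assume a uniformly random secret, which the phone-number and birthday choices the post mentions are not.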
