Dear Fidelity Investments: Your password policy sucks. Love, Kurt

imageThis is Fidelity Investment’s password policy for the past decade:

  • Password Standards
    Use 6 to 12 letters and/or numbers
    Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e_g., Jane212Smith)
    Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g. 12345 or 11111)
    Do not use symbols, punctuation marks, or spaces (e.g., #,@, /, *, -.)

It’s 2013.  You’re a major financial institution.  Get off your IBM mainframe or AS/400-authenticated garbage and get a real authentication system, okay?  It’s embarrassing.  No, really.  While the rest of the planet’s web services – including free email systems & Gmail – are presenting multi-factor authentication with the usage of passphrases containing hundreds of characters, you can’t even get basic passwords right?

Let’s review, shall we?

  1. No passwords larger than 12 characters.
  2. No non-alphanumeric characters.  Non-alphanumeric characters are arguably one of the best defenses against brute force account hacking.
  3. No server-side authentication. doesn’t authenticate itself to you with known information about you & your account to demonstrate that it really is you’re logging into, and not a man-in-the-middle.
  4. No two-factor authentication.  Not even a cellphone solution like Phone Factor. 
  5. No authorized workstation activation. (a from of two-factor authentication)  There are no personal PCs that you can bless with special cookies to access your account.  Basically, anyone can log into your account from any PC in the world.  Nice.

Yes, I get that you have an account lockout policy.  Fine.  But so does everyone else & that doesn’t stop them from implementing complex passwords.  I seriously expected this to be fixed a long time ago.  Y’all make Morgan Stanley look downright MODERN despite their ridiculous flash-only interface.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: