This is Fidelity Investments' password policy, unchanged for the past decade:
- Password Standards
Use 6 to 12 letters and/or numbers
Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)
Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g. 12345 or 11111)
Do not use symbols, punctuation marks, or spaces (e.g., #, @, /, *, -)
It’s 2013. You’re a major financial institution. Get off your IBM mainframe or AS/400-authenticated garbage and get a real authentication system, okay? It’s embarrassing. No, really. While the rest of the planet’s web services – including free email systems Outlook.com & Gmail – offer multi-factor authentication and accept long passphrases, you can’t even get basic passwords right?
Let’s review, shall we?
- No passwords longer than 12 characters. Length is the single biggest lever on brute-force cost: every extra position multiplies the search space by the whole alphabet, and you have capped it at 12.
[MOUTH AGAPE] - No non-alphanumeric characters. Symbols widen the alphabet an attacker has to cover per position (roughly 62 candidates to 94), and they are arguably one of the best defenses against brute force account hacking; together with the 12-character cap, this policy shrinks the keyspace from both directions.
- No site-to-user authentication. Fidelity.com doesn’t show you anything it knows about you & your account (an image or phrase you picked at enrollment) before you type your password, so you get no signal that it really is Fidelity.com you’re logging into and not a man-in-the-middle. (A live proxy can relay that image too, so it’s a weak check, but it was the bar other banks had already cleared.)
- No two-factor authentication. Not even a cellphone solution like PhoneFactor.
- No authorized workstation activation (a form of two-factor authentication). There is no way to register a personal PC with a device cookie so that logins from an unregistered machine get extra scrutiny. Basically, anyone who has your password can log into your account from any PC in the world. Nice.
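To put numbers on the two complaints above (the 12-character cap and the alphanumeric-only rule), here is an added example, written for this post and not code from Fidelity or anyone else, that encodes the four published rules as a checker and then compares the size of the resulting search space with a few alternative policies. Assumptions are marked in the code: the policy does not say whether letters are case-sensitive (the checker assumes they are, giving 62 symbols), and "easily recognized sequences" is interpreted as any run of five identical or consecutive characters. The guess rate used for the crack-time estimate is a constructed figure, not a measurement of any real system.

```python
from __future__ import annotations

import math
import string

# Character sets (constructed for this example). Fidelity's policy says "letters
# and/or numbers" without stating case sensitivity; ALNUM assumes case-sensitive.
ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = ALNUM + string.punctuation                # 94 symbols (no space)
LOWER = string.ascii_lowercase                        # 26 symbols

MIN_LEN, MAX_LEN = 6, 12    # "Use 6 to 12 letters and/or numbers"
MAX_REPEATS = 5             # "no more than 5 instances of a single number or letter"
SEQ_LEN = 5                 # "easily recognized sequences (e.g. 12345 or 11111)";
                            # treating a run of 5 as the threshold is an assumption


def _has_easy_sequence(pw: str) -> bool:
    """True if pw contains SEQ_LEN consecutive characters that are identical
    (11111) or step by one in either direction (12345, abcde, 54321).
    Descending runs are rejected too; the policy text does not say (assumption)."""
    codes = [ord(c.lower()) for c in pw]
    for i in range(len(codes) - SEQ_LEN + 1):
        window = codes[i:i + SEQ_LEN]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_fidelity_policy(pw: str) -> list[str]:
    """Return the rules a candidate password violates (empty list = accepted).
    Encodes the four published rules as literally as possible."""
    problems: list[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}, got {len(pw)}")
    # str.isalnum() accepts accented letters, so also require plain ASCII.
    if not (pw.isascii() and pw.isalnum()):
        problems.append("only letters and digits are allowed (no symbols, punctuation or spaces)")
    for ch in sorted(set(pw)):           # sorted so the first report is deterministic
        if pw.count(ch) > MAX_REPEATS:
            problems.append(f"'{ch}' appears {pw.count(ch)} times (max {MAX_REPEATS})")
            break
    if _has_easy_sequence(pw):
        problems.append("contains an easily recognized sequence")
    return problems


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct strings of length min_len..max_len over the alphabet.
    For Fidelity this is an upper bound: the repeat and sequence rules remove
    a small fraction of it (and hand the attacker a free pruning rule)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def bits(n: int) -> float:
    """Search-space size expressed as bits, i.e. log2 of the keyspace."""
    return math.log2(n)


def compare_policies() -> dict[str, float]:
    """Bits an attacker must exhaust under each policy (constructed comparison)."""
    return {
        "fidelity 6-12 alnum":      bits(keyspace(len(ALNUM), MIN_LEN, MAX_LEN)),
        "12 printable":             bits(keyspace(len(PRINTABLE), 12, 12)),
        "20 lowercase passphrase":  bits(keyspace(len(LOWER), 20, 20)),
        "64 printable":             bits(keyspace(len(PRINTABLE), 64, 64)),
    }


def years_to_exhaust(space_bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust a space at a given offline guess rate.
    1e10/s is a constructed placeholder for a fast-hash cracking rig, not a
    measured figure; a slow password hash or an online lockout changes it."""
    return 2 ** space_bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Jane212Smith", "correct horse battery staple", "Tr0ub4dor&3", "11111x"):
        print(f"{pw!r}: {check_fidelity_policy(pw) or 'accepted'}")
    for name, b in compare_policies().items():
        print(f"{name:26s} {b:6.1f} bits  ~{years_to_exhaust(b):.3g} years at 1e10 guesses/s")
```

Running it shows the policy accepting Fidelity's own example `Jane212Smith` and rejecting a 28-character passphrase for being both too long and containing spaces. The numbers in the second table are the point: the whole 6-to-12 alphanumeric space is about 71 bits, allowing symbols at 12 characters adds about 7 bits, while a 20-character passphrase of nothing but lowercase letters is about 94 bits. Symbols help, but the length cap is what really holds the keyspace down, and the "no sequences" and "no more than 5 repeats" rules are restrictions an attacker can use to prune the search rather than obstacles to it.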
Yes, I get that you have an account lockout policy. Fine. But so does everyone else & that doesn’t stop them from allowing complex passwords. Lockout only slows down online guessing; it does nothing once a password database leaks or a password is phished, which is exactly where length and a second factor earn their keep. I seriously expected this to be fixed a long time ago. Y’all make Morgan Stanley look downright MODERN despite their ridiculous Flash-only interface.
Sigh.