Sunday, November 11, 2012

Fidelity Password Insecurity

So my company recently switched to Fidelity for our 401Ks, and it looks like their password security is abysmal. They require a minimum of 6 characters and a maximum of 12 ... which is shorter than my high-security password. The cherry on top: no symbols allowed! Just alphanumeric, pretty crazy. My financial investment account is potentially less secure than my doodle account.


Update:
Thanks to some diligent commenters and www.howsecureismypassword.net, we have learned that these passwords can be cracked in about 4 minutes by a computer.

6 comments:

  1. So you have a Fidelity account you say.... ^.^

  2. It's actually far worse than it looks. They convert all the letters to the phone-keypad equivalent number and accept that as your password. You can try this yourself - pretend you were typing your password into a phone keypad. So (a-c,A-C) becomes number "1", (d-f,D-F) becomes number "2", etc. Put that string of numbers into Fidelity.com as your password, and it works. Entropy - what's that for?

    Replies
    1. Are you serious? That's even worse than Amazon's old "we'll only check the first few characters in your password" scheme from a few years back

  3. BKR is absolutely right: Fidelity's password security is virtually nonexistent! They effectively allow passwords that are 12 numbers or less long. To see how insecure this is, go to www.howsecureismypassword.net and type in any 12-digit number. You will learn that it would take a desktop PC about 4 minutes to crack it. Now, just for the fun of it, type in a 12-character string something like this: 1qaz@WSX3edc, 12 letters, numbers, uppercase and lowercase letters ... 344,000 years to crack that one. But all may soon change: just heard a rumor that Fidelity will begin allowing 20-digit long passwords this May.

    Replies
    1. That website is awesome thanks for sharing. Really puts a number on how horrendous this is. I'm going to pop this link into the post.

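The two comments above make quantitative claims (keypad collapse, 12-digit keyspace, 4 minutes) that are easy to check with a few lines of arithmetic. The script below is an added example, not code from the post, its commenters, or Fidelity: it sizes the keyspace of a 6 to 12 character alphanumeric policy, sizes what is left if letters are collapsed onto phone-keypad digits the way the second commenter describes, and shows which other strings would then be accepted as the "same" password. It assumes the standard ITU E.161 keypad layout (abc=2 ... wxyz=9); the commenter numbers the groups from 1, but the collapse onto at most ten symbols is the same either way. The guess rate of 4 billion per second is an assumption picked so that 10^12 guesses take roughly the 4 minutes quoted, not a measurement of any real cracking rig.

```python
"""Keyspace arithmetic for a 6-12 char alphanumeric password policy, with and
without the phone-keypad collapse described in the comments.

Added example; assumptions: ITU E.161 keypad layout, 4e9 guesses/second.
"""
import math

# ITU E.161 keypad: which digit each letter lands on (assumed layout).
_KEYPAD_GROUPS = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
_LETTER_TO_DIGIT = {
    ch: digit for digit, letters in _KEYPAD_GROUPS.items() for ch in letters
}


def keypad_collapse(password: str) -> str:
    """Map every letter (either case) to its keypad digit; digits pass through.

    Anything outside [A-Za-z0-9] is rejected, matching the alphanumeric-only
    policy described in the post.
    """
    out = []
    for ch in password:
        low = ch.lower()
        if low in _LETTER_TO_DIGIT:
            out.append(_LETTER_TO_DIGIT[low])
        elif ch.isdigit():
            out.append(ch)
        else:
            raise ValueError(f"{ch!r} is outside the alphanumeric policy")
    return "".join(out)


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords a policy permits, over all allowed lengths."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def bits(space: int) -> float:
    """Keyspace expressed as bits of entropy (uniform choice assumed)."""
    return math.log2(space)


def crack_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given guess rate."""
    return space / guesses_per_second


def colliding_passwords(password: str, candidates) -> list:
    """Other candidates a server would accept if it compared collapsed forms."""
    target = keypad_collapse(password)
    return [c for c in candidates
            if c != password and keypad_collapse(c) == target]


def policy_report(guesses_per_second: float = 4e9) -> dict:
    """Compare the stated policy (62 symbols) with the collapsed one (10 digits)."""
    stated = keyspace(62, 6, 12)      # letters in both cases plus digits
    collapsed = keyspace(10, 6, 12)   # every letter folded onto a keypad digit
    return {
        "stated_bits": bits(stated),
        "collapsed_bits": bits(collapsed),
        "stated_seconds": crack_seconds(stated, guesses_per_second),
        "collapsed_seconds": crack_seconds(collapsed, guesses_per_second),
    }


if __name__ == "__main__":
    report = policy_report()
    for key, value in report.items():
        print(f"{key:>18}: {value:,.2f}")
    # Constructed sample: strings that land on the same keypad digits.
    sample = ["Pbssword1", "727796731", "Password2"]
    print("collide with Password1:", colliding_passwords("Password1", sample))
```

The stated policy works out to roughly 71 bits, which an online brute force would never exhaust; the collapsed version is about 40 bits, or a few minutes at the assumed rate, which is the commenter's "12-digit number" figure. The collision check is the practical test: if a server really compares collapsed forms, every password with the same digit string is accepted, so the user's upper/lower-case choices and letter choices within a key group add nothing.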