Monday, December 22, 2014

Schwab Password Policies and Two Factor Authentication

Jeremy Tunnell (via Rosyna Keller):

Like probably millions of people I have a Schwab brokerage account, and that account holds a good portion of my savings for retirement. I care very much about protecting my savings, and one would expect that Schwab would care a great deal about protecting a reputation for protecting me.

This is why, during a recent tech support call and subsequent investigation, I have become appalled at what appears to be a Rube-Goldberg, duct-tape-and-baling-wire approach to implementing their much-bragged-about two factor authentication. Below is my list of several poor design decisions that, while taken in isolation might just be embarrassing, come together to fool perhaps tens of thousands of people into thinking that their account is secure when it is not.

Update (2014-12-23): Here are the comments on Hacker News and an older post mentioning some of the same issues.

Update (2015-09-03): Rosyna Keller:

I am glad @CharlesSchwab finally fixed their password issues!

Reported similar problems twice over the last few years. I have since gone elsewhere. One tech support person had the audacity to suggest that a username + unique 8 char password would be secure enough. He suggested making a random character username, which can actually be longer. For a time I did just that, knowing that at least my username wouldn't match anything else on the net if their db was pilfered. But it makes logging in without a password manager beyond painful.

