{"id":10378,"date":"2014-12-22T19:36:47","date_gmt":"2014-12-23T00:36:47","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=10378"},"modified":"2021-07-03T14:19:10","modified_gmt":"2021-07-03T18:19:10","slug":"schwab-password-policies-and-two-factor-authentication","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2014\/12\/22\/schwab-password-policies-and-two-factor-authentication\/","title":{"rendered":"Schwab Password Policies and Two Factor Authentication"},"content":{"rendered":"<p><a href=\"http:\/\/www.jeremytunnell.com\/posts\/swab-password-policies-and-two-factor-authentication-a-comedy-of-errors\">Jeremy Tunnell<\/a> (via <a href=\"https:\/\/twitter.com\/rosyna\/status\/547170558710779905\">Rosyna<\/a> <a href=\"https:\/\/twitter.com\/rosyna\/status\/547170974546685952\">Keller<\/a>):<\/p>\n<blockquote cite=\"http:\/\/www.jeremytunnell.com\/posts\/swab-password-policies-and-two-factor-authentication-a-comedy-of-errors\">\n<p>Like probably millions of people I have a Schwab brokerage account, and that account holds a good portion of my savings for retirement. I care very much about protecting my savings, and one would expect that Schwab would care a great deal about protecting a reputation for protecting me.<\/p>\n<p>This is why, during a recent tech support call and subsequent investigation, I have become appalled at what appears to be a Rube-Goldberg, duct-tape-and-baling-wire approach to implementing their much bragged about two factor authentication. 
Below is my list of several poor design decisions that, while taken in isolation might just be embarrassing, come together to fool perhaps tens of thousands of people into thinking that their account is secure when it is not.<\/p>\n<\/blockquote>\n<p>Update (2014-12-23): Here are the comments on <a href=\"https:\/\/news.ycombinator.com\/item?id=8783790\">Hacker News<\/a> and an <a href=\"http:\/\/norcie.com\/2013\/09\/01\/schwab-unsafe\/\">older post<\/a> mentioning some of the same issues.<\/p>\n<p>Update (2015-09-03): <a href=\"https:\/\/twitter.com\/rosyna\/status\/638499347672371200\">Rosyna Keller<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/rosyna\/status\/638499347672371200\">\n<p>I am glad @CharlesSchwab finally fixed their <a href=\"http:\/\/arstechnica.com\/security\/2013\/04\/why-your-password-cant-have-symbols-or-be-longer-than-16-characters\/\">password issues<\/a>!<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Jeremy Tunnell (via Rosyna Keller): Like probably millions of people I have a Schwab brokerage account, and that account holds a good portion of my savings for retirement. I care very much about protecting my savings, and one would expect that Schwab would care a great deal about protecting a reputation for protecting me. 
This [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2021-07-03T18:19:12Z","apple_news_api_id":"7af022a7-1e18-47ed-828e-341a527dd083","apple_news_api_modified_at":"2021-07-03T18:19:12Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AevAipx4YR-2CjjQaUn3Qgw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[48,2090,96],"class_list":["post-10378","post","type-post","status-publish","format-standard","hentry","category-technology","tag-security","tag-two-factor-authentication-2fa","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=10378"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10378\/revisions"}],"predecessor-version":[{"id":12167,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10378\/revisions\/12167"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=10378"}],"wp:term":[{"taxonomy":"category","embeddable"
:true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=10378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=10378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}