TheCraiggers, 5 hours ago:
What irritates me the most is that, while a lot of sites allow for hardware tokens for MFA, my banks do not. Not a single one of my financial institutions supports FIDO or anything like it, opting instead for SMS if they have anything at all. Passwords are usually a maximum length of some small number, and alarmingly, quotes and some other special characters are not allowed. Are they even hashing? It's insane that my personal blog is more secure than my bank.

dmoy, an hour ago:
Vanguard, Bank of America, and a tiny handful of others do support hardware tokens. But yeah, you're right that most don't. Not that it would help in this specific case, I guess.

SoftTalker, 5 hours ago:
I don't think these mass data breaches have anything to do with the security of an individual consumer account. Something was left open and exposed in the central infrastructure for this to happen, or some kind of supply-chain exploit, or a key administrator account credential was phished.

TheCraiggers, 5 hours ago:
I agree with your assessment. But if some of my PII was in that breach, which now joins the insane amount of other PII from past breaches, that just makes it that much harder to secure my accounts. Regardless, I believe my point still stands. I want better options for security; I shouldn't need a better reason than it's where I keep all my money.

davzim, 4 hours ago:
IANAL, but as far as I understand, since this month (Nov 2025) the DFS (Dept. of Financial Services) requires all financial companies to have MFA in force for accessing IT systems (see regulation 500.12).
Not sure how that applies to your situation, but maybe we see some positive movement in this area.

ceejayoz, 4 hours ago:
Email/SMS-based MFA will count, but shouldn't. (Or at least, a better option should be required to be available.)

tonyedgecombe, 4 hours ago:
> Are they even hashing?

I wonder that with one of my banks: the password is case insensitive. Of course they could lower-case it before the hashing, but I suspect they don't.

pinkmuffinere, 3 hours ago:
> the password is case insensitive

Yikes, that's scary. Legitimately would make me think about leaving that bank.

tylerflick, 4 hours ago:
Vanguard supports Yubikey.

atrettel, an hour ago:
I really like that Vanguard supports Yubikeys too. They are the only ones that support them in my experience, but I have seen some increased support for TOTP in financial institutions lately. Fidelity now allows for TOTP instead of SMS. I have also encountered some credit unions that allow for TOTP instead of SMS. It is definitely weird that investment firms and credit unions are taking the lead here rather than the big banks.

quesera, 4 hours ago:
> It's insane that my personal blog is more secure than my bank.

It's insane to imagine that that is true. :) Seriously though, if banks and their customers were being defrauded by superficially poor password/MFA hygiene, obviously they would fix that. They are not.

nikanj, 4 hours ago:
Sometime in the 2010s when I was still with BMO, their online banking required you to have a six-digit password. No letters, let alone special characters. And no MFA, of course.

koakuma-chan, 4 hours ago:
BMO InvestorLine still requires you to have a short password. It explicitly requires, I don't remember the exact number, like, a 6-character password. It cannot be longer. WTF.

gnabgib, an hour ago:
Very much doubt it; it certainly used to (4 years ago). The old system truncated your password (you used 20 chars, it dropped the last 14), so when the switch happened (suddenly your password didn't work) it was very obvious (unless you used <=6-char passwords). The communication about the change, and the way the old system worked (without warning or notification), left a lot to be desired.

koakuma-chan, an hour ago:
When you create an application to open an account, it still requires you to create a fixed-length short password that you are then supposed to change or something. It was around half a year ago when I encountered this.

SoftTalker, 4 hours ago:
Their web app is "screen scraping" a legacy mainframe CICS interface via a virtual 3270 terminal. This is almost certainly the case any time you see something like a very short or very limited set of characters permitted in a password.
|
|
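Two of the failure modes raised in this thread can be modelled side by side: a password that is case insensitive (tonyedgecombe's bank) and a legacy system that silently truncated a 20-character password to its first 6 (gnabgib's description of the old BMO flow), contrasted with a case-sensitive, full-length, salted slow-hash scheme. The Python below is an added example written for this page; it is not code from any bank or from any commenter. The 6-character limit, the legacy normalisation, the PBKDF2 parameters and the sample passwords are constructed assumptions chosen to illustrate the thread's points.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Toy model of the legacy behaviour described in the thread (assumption, not any
# bank's real code): the password is case-folded and silently cut to a fixed
# length before being stored, so everything past that point is ignored.
LEGACY_MAX_LEN = 6


def legacy_normalize(password: str) -> str:
    """Case-fold and truncate, as the thread describes the old system doing."""
    return password.lower()[:LEGACY_MAX_LEN]


def legacy_store(password: str) -> str:
    # Unsalted fast hash of the normalised value: any two inputs that normalise
    # identically produce the identical stored record.
    return hashlib.sha256(legacy_normalize(password).encode("utf-8")).hexdigest()


def legacy_verify(stored: str, candidate: str) -> bool:
    return hmac.compare_digest(stored, legacy_store(candidate))


# Modern scheme: the whole password, case preserved, per-user random salt and a
# deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The round
# count is an illustrative value; production deployments tune it to current guidance.
PBKDF2_ROUNDS = 200_000


def modern_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def modern_verify(record: Tuple[bytes, bytes], candidate: str) -> bool:
    salt, digest = record
    _, check = modern_store(candidate, salt)
    return hmac.compare_digest(digest, check)


def legacy_collision_classes(passwords: List[str]) -> Dict[str, List[str]]:
    """Group distinct passwords that the legacy scheme cannot tell apart.

    Returns only the groups with more than one member, keyed by the normalised
    value they collapse to. A non-empty result is the symptom the thread describes:
    users with different long passwords are indistinguishable at login.
    """
    classes: Dict[str, List[str]] = {}
    for pw in passwords:
        classes.setdefault(legacy_normalize(pw), []).append(pw)
    return {key: members for key, members in classes.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed sample: a 20-character password and the six characters the
    # legacy scheme actually keeps of it.
    full = "CorrectHorse-Batt-20"
    stub = full.lower()[:LEGACY_MAX_LEN]
    print("legacy accepts the 6-char stub:", legacy_verify(legacy_store(full), stub))
    print("modern accepts the 6-char stub:", modern_verify(modern_store(full), stub))
    print("legacy collisions:", legacy_collision_classes([full, "correctly-unrelated", "s3cret2"]))
```

Running the block shows the legacy verifier accepting the six lower-case characters in place of the full 20-character password, while the PBKDF2 verifier rejects anything but the exact original. `legacy_collision_classes` is the check a defender would run over a password list when auditing such a migration: if it returns anything, the old system was never storing what users typed.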