Thursday, February 21, 2013 – Password Fail...

You'd think a financial institution that managed billions of dollars of its customers' money would pay especially good attention to online security.

You would be wrong, at least in the case of Fidelity.

My ex-employer set up Fidelity accounts for employees to handle things like stock options, employee stock purchase plans (ESPP), 401(k) plans, etc.  It's a nice benefit.  But I ran into something there that is a great example of a really bad password implementation.

When you create a password at Fidelity, the site will tell you that it must meet these criteria:
  • Use 6 to 12 letters and/or numbers
  • Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)
  • Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g., 12345 or 11111)
  • Do not use symbols, punctuation marks, or spaces (e.g., #,@, /, *, -.)
This is already much weaker than one would expect of such an institution.  The first and last rules are enforced.  The second rule clearly cannot be automatically enforced.  I'm not sure if the third rule is enforced, though it could be.

These rules make it sound as though there are 62 possible characters (a-z, A-Z, and 0-9) for each password character position.  With a 6 to 12 character password allowable, there would be 62^6 + 62^7 + ... + 62^12 possible passwords, which works out to about 3.3 x 10^21 (or smaller if the third rule is enforced).  That's a big number, but it could be much larger, if only Fidelity would eliminate the last rule.

However, I discovered today that the situation is actually far worse than it looks.  Fidelity asks for your password if you call them – they have you enter it via the touch-tone keypad on your phone.  That means, for example, that if your password's first character is "5", "j", "J", "k", "K", "l", or "L", you press the "5" key.  That means that Fidelity's passwords are really composed of nothing but the digits 0-9.

I have verified this.  My actual password consists of both letters and numbers.  I converted all the letters to the touch-tone keypad equivalent digit, and entered my password as all numbers – and it worked just fine.

That means that the number of possible passwords is much smaller than even Fidelity's inadequate password criteria would suggest: 10^6 + 10^7 + ... + 10^12, which works out to about 1.1 x 10^11.  For the math-challenged amongst my readers, that's over 10 billion times weaker.
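As an added example (not code from the original post), the Python below works the keyspace arithmetic above: the 62-symbol space the published rules imply, the digits-only space left once letters collapse onto the phone keypad, and, going one step beyond the post, the exact count when the third rule (no character more than 5 times) is actually enforced. The keypad layout is the standard touch-tone one the post describes (5 = j/k/l); "Jane212Smith" is the site's own example password.

```python
from math import comb

# Standard touch-tone keypad letter groups: which digit each letter sends.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def keypad_collapse(password: str) -> str:
    """Reduce a letters-and-digits password to the digit string a phone keypad
    sends: digits pass through, letters of either case collapse to their key."""
    return "".join(ch if ch.isdigit() else LETTER_TO_DIGIT[ch.lower()]
                   for ch in password)


def keyspace(alphabet_size: int, min_len: int, max_len: int,
             max_repeats=None) -> int:
    """Count passwords of length min_len..max_len over alphabet_size symbols.
    If max_repeats is given, no symbol may occur more than that many times
    (the site's third rule). Counted exactly by a DP that adds one symbol at a
    time: placing i copies of the new symbol into a length-j string means
    choosing its i positions, comb(j, i), times the arrangements of the rest."""
    if max_repeats is None:
        return sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    ways = [1] + [0] * max_len          # ways[j]: length-j strings so far
    for _ in range(alphabet_size):
        nxt = [0] * (max_len + 1)
        for j in range(max_len + 1):
            for i in range(min(max_repeats, j) + 1):
                nxt[j] += ways[j - i] * comb(j, i)
        ways = nxt
    return sum(ways[min_len:max_len + 1])


def weakening_factor(min_len: int = 6, max_len: int = 12) -> float:
    """How many times smaller the digits-only space is than the 62-symbol one
    the published rules imply."""
    return keyspace(62, min_len, max_len) / keyspace(10, min_len, max_len)


if __name__ == "__main__":
    print(keypad_collapse("Jane212Smith"))            # 526321276484
    print(f"advertised:             {keyspace(62, 6, 12):.3e}")
    print(f"advertised, <=5 repeats: {keyspace(62, 6, 12, 5):.3e}")
    print(f"keypad-collapsed:        {keyspace(10, 6, 12):.3e}")
    print(f"collapsed, <=5 repeats:  {keyspace(10, 6, 12, 5):.3e}")
    print(f"weaker by a factor of    {weakening_factor():.3g}")
```

The collapsed space works out to just over 10^12 strings, small enough that the comparison to a PIN in the thread below is not far off.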

Epic fail, Fidelity.  Epic fail.  Shame should be upon your countenance...


  1. Thanks for that.... Can't believe that they are that stupid. Will have to call them.

  2. Wow. I just tried it. That is incredible. So their total number of possible passwords is limited to a grand total of ten trillion numbers. While that sounds like a lot, modern (comparatively cheap) password cracking systems can burn through roughly 8 BILLION passwords a second (depending on the hashing algorithm the vendor is using).

    So, 125 seconds to crack a password.

    And any company stupid enough to cripple their customer's security like that is most likely too stupid to use anything more processor intensive than SHA1.

    I tried emailing them, but they don't let you get in touch with them via email. Man, this sucks. The only way to get them to change would be to shame them publicly. Don't know how to do that though...

  3. I have contacted them about the issue, and I actually got a response - an extremely lame one, to the effect that bank accounts are secured by 4 digit PINs, so what am I worried about? I'm not the only one to discover this issue; others have blogged or otherwise written about it, including at least two blogs with far greater audiences than mine. I suspect that from Fidelity's perspective there simply is no problem, because they haven't yet had a breach. One suspects that they will, though...and then it will become a problem even to them!