A long time ago, I had to answer a set of three “security” questions for Wells Fargo Bank, and at the time I blogged about it internally at a previous employer, a blog post I no longer have access to. I have contemplated repeating and documenting the process, and asked them once how to do it, and it required that I phone and ask them to clear the answers so it would prompt me again — there was no other way I could change the question/answer choices. I never followed through with that.
Today I got an email message I was initially suspicious of, telling me that my account had been disabled (this is a common variety of phishing message). I manually scrutinized the message headers and noticed that the message had a good DKIM signature from wellsfargo.com, and used the special email address that only they use. So it looked legit, and it was: my account had apparently been locked out, probably by multiple tries by someone who thought they had my username.
As instructed, I went to their Username/Password Help page, which displayed the following instructions for this:
I entered my username (which is fairly easy to guess, but I’m not going to publish it), my credit card number (barely a secret especially considering that the $50 liability limit wouldn’t apply here), and my ATM PIN (only 4 digits), and that was enough to allow me to set up a new password. Wells Fargo did send me an email message telling my password had been changed, which is good. But the process here is still weaker than a good password would have been. The process they’re using isn’t terrible, but once again, account recovery seems to be the weak spot in the security chain. There may be other factors that aren’t visible to me: for example, I did the reset from an IP address I normally use for banking, and that may have made the process easier for me.
I did also get a reminder of their password rules:
Must be 6-14 characters and contain at least one letter and one number. It cannot contain nine or more numbers.
I suppose that by limiting how many numbers may be in the password, they’re avoiding Social Security Numbers, phone numbers, and the like. But given that the most reliable way to generate a more secure password is to make it longer, why limit it to only 14 characters?