There are two things I did to increase the security of my Charles Schwab account despite the 6–8 character password restrictions:
- Changed my username for secrecy
- Added an Authenticator Token
With the 8 character password limit, I set a 20 character random username. While many security researchers recommend a random username, I generally rely solely on strong passwords. In this case the username acts as a second secret: an attacker who doesn't already know it has to guess 28 characters instead of 8, which is a very good improvement. The gain only holds as long as the username stays secret, so it should not appear anywhere the password would not (statements, support emails, shared devices).
If you call Schwab, you can also request a physical authenticator token. It is a physical Symantec VIP token, so it's an extra device to carry. It was easy enough to set up, and Schwab allows you to sign in two different ways with it. You can enter <password><authenticator code> concatenated in the password field, or follow the standard flow of entering your username and password and then being prompted for the authenticator code. The concatenated option is nice because it enables the authenticator to work with financial management software that only supports username and password fields: you append the current code to the password when the software asks for it. The trade-off is that a saved password+code pair is only valid until that code expires, so such software cannot re-authenticate on its own afterwards.
I verified that the authenticator works with the Schwab website, Schwab iOS app, and Mint.com.
Edit: May 14, 2014
If you have any programs or services that periodically sync with your account, you should disable them when adding the authenticator. They keep retrying the stored password without a current code, and I think the failed login attempts from one of these programs caused Schwab to lock my account.
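To make the two points above concrete, here is an added example (my own illustration, not Schwab's or Symantec's code) of how a server can accept <password><authenticator code> in a single password field, and of how an aggregator that keeps replaying a stored password without a code walks the account into lockout. It assumes an RFC 6238 TOTP token as a stand-in for the Symantec VIP algorithm, a constructed secret and username, PBKDF2 for the password hash, and a made-up lockout threshold of five failures; none of those values are Schwab's.

```python
import hashlib
import hmac
import os
import struct

OTP_DIGITS = 6
OTP_STEP = 30          # seconds per TOTP time step (RFC 6238 default)
MAX_FAILURES = 5       # assumed lockout threshold for the example, not Schwab's real value
PBKDF2_ROUNDS = 100_000


def totp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP for one time-step counter: HMAC-SHA1 plus RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(secret: bytes, now: float) -> str:
    """The code a token would display at wall-clock time `now` (Unix seconds)."""
    return totp(secret, int(now // OTP_STEP))


def split_password_field(field: str, digits: int = OTP_DIGITS):
    """Split '<password><code>' typed into one password field into (password, code).

    Returns (field, None) when no trailing code is present. A password that itself
    ends in six digits is ambiguous, but only when the code is omitted, and that
    login fails anyway because the code is mandatory for enrolled accounts.
    """
    if len(field) > digits and field[-digits:].isdigit():
        return field[:-digits], field[-digits:]
    return field, None


class Account:
    """Minimal account with a hashed password, a TOTP secret and a failure counter."""

    def __init__(self, username: str, password: str, otp_secret: bytes):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.otp_secret = otp_secret
        self.failures = 0
        self.locked = False
        self.last_otp_counter = -1   # highest time step already accepted, to refuse replays

    def _fail(self, reason: str) -> str:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return reason  # a production server would return one generic error instead

    def login(self, username: str, field: str, now: float) -> str:
        if self.locked:
            return "locked"
        # The random username is treated as a secret too, so compare it in constant time.
        if not hmac.compare_digest(username.encode(), self.username.encode()):
            return self._fail("bad_credentials")
        password, code = split_password_field(field)
        if code is None:
            return self._fail("otp_required")
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(pw_hash, self.pw_hash):
            return self._fail("bad_credentials")
        counter = int(now // OTP_STEP)
        # Accept one step of clock skew either way, but never a step already used.
        for c in (counter - 1, counter, counter + 1):
            if c > self.last_otp_counter and hmac.compare_digest(totp(self.otp_secret, c), code):
                self.last_otp_counter = c
                self.failures = 0
                return "ok"
        return self._fail("bad_otp")


def simulate_sync_client(account: Account, username: str, stored_field: str,
                         attempts: int, now: float) -> list:
    """Model an aggregator that retries a stored credential once a minute.

    With only the password stored (no current code) every attempt fails, and the
    account locks once MAX_FAILURES is reached, which is the failure mode described above.
    """
    return [account.login(username, stored_field, now + 60 * i) for i in range(attempts)]


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 6238 Appendix B test secret (constructed)
    acct = Account("x9QmT4vLp2RkW8sYbN3d", "Passw0rd", secret)
    now = 1_700_000_000
    print(acct.login(acct.username, "Passw0rd" + totp_at(secret, now), now))   # ok
    print(simulate_sync_client(Account("u", "Passw0rd", secret), "u", "Passw0rd", 6, now))
```

The interesting part for the Mint problem is `simulate_sync_client`: the aggregator only ever has the password, so `split_password_field` finds no code, every attempt counts as a failure, and the counter hits the lockout threshold on its own. The replay check (`c > self.last_otp_counter`) is why storing a password+code pair does not help either: even inside the 30-second window a code is accepted once.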
How did you get it to work with your Mint account?
Hi Jake,
With the OTP authentication token, syncing with Mint is pretty iffy. I have about a 5% success rate, so it’s pretty frustrating.
Overall, I like Mint more and it seems more secure, but Personal Capital works well with Schwab’s OTP. It will store your password and prompt you for an OTP code.
Hi Jake, I’m not sure if something changed with Mint, but I have been unable to update Schwab since I posted. I’ve now tried 30 times without success.