Friday, October 07, 2011

Password Rules Offender: Charles Schwab


Dear Charles Schwab,

It is 2011. Why do you have a maximum length of 8 characters on an account password? And why is the only requirement that there be a number between letters?

It does not inspire confidence when I am about to ask you to hold my money.

Update: It also doesn't allow symbols. That's right, folks; maximum of 8 characters, and only letters/numbers. I can't believe this crap.

Update: Two-Factor Authentication Available!
Thanks to Richard Smiley who wrote in the comments to alert us to the fact that Schwab is now offering a two-factor authentication token upon request.

For more details, head to the SchwabSafe Page. As of the time of this update (2/21/2013), to request a token, call Schwab at 800-435-4000.


  1. That is screaming for some SQL injection of some sort. Tsk tsk.

  2. I was wondering if maybe they disallowed symbols in order to help prevent a SQL injection attack. Most enterprise systems will put parameter filters on those sorts of symbols, but I think the password fields would be one place you'd want to make an exception in that case.

  3. Anonymous4:35 PM

    SQL has simple methods to prevent injection attacks so it seems unlikely that would be the case. In mysql it is as simple as mysql_real_escape_string to prevent them on input.


    I've been complaining for years.

  4. Good work!

    My daughter pointed out to me (on February 20, 2013) that they'll send out a token which you can use in the login process. (See No charge.

    I ordered one. Should arrive in 5-7 days. (business days?)

    The person I talked to also said they're working on checking longer passwords – but he didn't have a date for when that would be available.

    1. Richard, thanks for this tip! I'm going to update the post to include the information. Thanks to your daughter for sleuthing it out as well.

      I understand the cost to these companies, but I wish they'd advertise something like this a little better. For a weak password system, two-factor authentication is a necessity.

    2. Also, is there a web site of yours that you'd like me to reference/plug? I'd be happy to in thanks for the good tip.


Keep it classy, folks.