Published by Corporate Insight on 30 Apr 2008 at 01:56 pm
Are Password Resets as Secure as You Think?
From time to time we all update our passwords to keep our accounts as secure as possible. Advances in website security have made it safer to manage finances online, but users are still wise to keep their login passwords fresh. Fortunately for us, firms have made this a fairly streamlined process, with the Change Password function usually sitting in a quick and easy-to-find location. While we are all in favor of a streamlined process (consider changing around 60 passwords at once, as we do), this chore should not be too simple: for safety's sake, we understand the need for identity verification before a change goes through.
We believe users should be asked for information such as their account number, the answers to their security questions and their old password before any change is allowed to take place. In this regard, however, many mutual fund firms find themselves on thin ice. Of the firms in our coverage group, 61% require users to enter only their current password before allowing them to change it. This is a worrying statistic: anyone who has obtained that one credential, whether by watching it typed, finding it written down or phishing it, can immediately replace it and lock the rightful owner out of the account. It made us wonder: why bother creating security questions during registration if they can be bypassed during a password change?
Of the 28% of mutual fund firms that require more, most ask for the account number, Social Security number and current password before granting a password change. The trouble here, of course, is the inclusion of the Social Security number. With identity theft an increasing danger, we hope SSNs will soon be dropped from mutual fund sites altogether (indeed from ALL sites), save perhaps for the initial registration process; a number that appears on tax forms, credit applications and medical records is widely circulated and, once leaked, cannot be changed, so it makes a poor secret. Interestingly, although Vanguard falls into the 61% of firms lacking extra precautions, it is alone in notifying users that it will “never ask for a social security number for your safety.”
For those keeping score at home, these figures leave an 11% gap. We were surprised to find that MFS and Wells Fargo do not appear to require anything at all, not even the current password, before a logged-in user can change their password, which means anyone who reaches an unattended or hijacked session can take over the account outright. Despite this lapse, Wells Fargo is the only firm to prevent users from changing their password more than once in a 24-hour period, a limit that slows repeated tampering but does nothing to stop the first change. Although every firm in our coverage group positions the Change Password function in a logical location (Service Center, My Profile, etc.), we found clear room for improvement in the quality of password security.
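To make the point concrete, here is an added example (ours, not code from any of the firms discussed above) of what a password-change handler looks like when it does the three things this post asks for: re-check the current password, demand a second enrolled secret, and refuse more than one change in 24 hours. The account record, the security-question answer used as the second factor, the PBKDF2 parameters and the sample credentials are all assumptions made for the illustration; a real site would also tie the request to an authenticated session and notify the owner out of band.

```python
"""Password-change handler that re-verifies the caller before any change.

Illustrative example only: the Account record, the hashing parameters and
the demo credentials are constructed for this post, not taken from any firm.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical policy constants.
PBKDF2_ITERATIONS = 100_000
MIN_CHANGE_INTERVAL_SECONDS = 24 * 60 * 60   # "once per 24 hours" rule


def _normalize_answer(answer: str) -> str:
    """Security-question answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.strip().lower().split())


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked table of hashes is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    answer_hash: bytes           # hash of the enrolled security-question answer
    last_password_change: float  # UNIX time of the most recent change


def enroll(password: str, answer: str, now: float) -> Account:
    """Create an account record; the answer is stored hashed, never in clear."""
    salt = os.urandom(16)
    return Account(salt, _derive(password, salt),
                   _derive(_normalize_answer(answer), salt), now)


def change_password(acct: Account, current_password: str, answer: str,
                    new_password: str, now: float) -> str:
    """Attempt a password change. Returns 'ok' or a reason for refusal.

    The rate limit is checked first so repeated attempts cannot be used to
    probe the password and answer checks below.
    """
    if now - acct.last_password_change < MIN_CHANGE_INTERVAL_SECONDS:
        return "rate_limited"

    # Evaluate both factors before deciding, so the response does not
    # reveal which one was wrong. compare_digest avoids timing leaks.
    password_ok = hmac.compare_digest(_derive(current_password, acct.salt),
                                      acct.password_hash)
    answer_ok = hmac.compare_digest(_derive(_normalize_answer(answer), acct.salt),
                                    acct.answer_hash)
    if not (password_ok and answer_ok):
        return "verification_failed"

    if hmac.compare_digest(_derive(new_password, acct.salt), acct.password_hash):
        return "new_password_matches_old"

    # Fresh salt on every change so old and new hashes are not comparable.
    new_salt = os.urandom(16)
    acct.answer_hash = _derive(_normalize_answer(answer), new_salt)
    acct.password_hash = _derive(new_password, new_salt)
    acct.salt = new_salt
    acct.last_password_change = now
    return "ok"


def demo() -> list:
    """Constructed walkthrough with arbitrary timestamps and credentials."""
    t0 = 1_209_556_800.0
    acct = enroll("Spring2008!", "Maple Street", t0)
    return [
        # too soon after enrollment
        change_password(acct, "Spring2008!", "maple street", "Autumn2008!", t0 + 3600),
        # wrong current password
        change_password(acct, "wrong", "maple street", "Autumn2008!", t0 + 2 * 86400),
        # both factors correct, outside the cooldown
        change_password(acct, "Spring2008!", "maple street", "Autumn2008!", t0 + 2 * 86400),
        # second change within 24 hours of the first
        change_password(acct, "Autumn2008!", "maple street", "Winter2008!", t0 + 2 * 86400 + 60),
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the cooldown check runs before the credential checks: if it ran afterwards, an attacker could still use the endpoint as a password-guessing oracle during the 24-hour window, and the rate limit would protect nothing.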

