here we go HL
andy mac
Posted: 07 June 2018 18:25:25(UTC)
#1

Joined: 12/02/2016(UTC)
Posts: 219

Thanks: 132 times
Was thanked: 187 time(s) in 103 post(s)
I logged in to HL a few days ago and saw a new layout for logging in.
Today via snail mail I received a notification that HL now want more info at a log in,
to be rolled out in the near future.
What else are they going to do?

I have just printed PDFs of all the holdings just in case
You have been warned


2 users thanked andy mac for this post.
john brace on 08/06/2018(UTC), Richard_L on 10/06/2018(UTC)
Tom Bards
Posted: 07 June 2018 18:41:33(UTC)
#2

Joined: 28/06/2017(UTC)
Posts: 126

Thanks: 2 times
Was thanked: 154 time(s) in 82 post(s)
What exactly do you think you are warning us of?
andy mac
Posted: 07 June 2018 20:14:16(UTC)
#3

Joined: 12/02/2016(UTC)
Posts: 219

Thanks: 132 times
Was thanked: 187 time(s) in 103 post(s)
@Tom Bards

It's been a long time since all the new upgrades have gone faultlessly.
Having seen Barclays/TSB/Visa, not to mention others, I just hope this is a minor upgrade that goes without a problem.

Here's hoping.
1 user thanked andy mac for this post.
Little John on 10/06/2018(UTC)
john brace
Posted: 08 June 2018 07:58:20(UTC)
#4

Joined: 03/02/2012(UTC)
Posts: 70

Thanks: 211 times
Was thanked: 40 time(s) in 22 post(s)
I administer 9 family accounts with HL and am going nuts trying to change log in details. Not only is new info needed, but they have cancelled all linked account trading - this was such a boon. So today I'm tackling re-linking them.

Good point to print off all accounts in the meantime.
1 user thanked john brace for this post.
Richard_L on 10/06/2018(UTC)
It's me
Posted: 08 June 2018 15:24:45(UTC)
#5

Joined: 16/04/2018(UTC)
Posts: 1

HL's password process is a total pain in the arse. It doesn't conform with Best Practice and is an example of leaving such things to developers. They immediately try and write the "cleverest" password checking code they can imagine.

I've tried to get this across to HL but to no avail. I got to such a pitch with it that I even attempted to move to Charles Stanley but couldn't understand their response so put that on ice.

The single biggest risk that occurs around passwords is poor custodianship - the company or organisation holding the database loses it or secure control of it - not poor behaviour by the owners. A 4 digit PIN is adequate for the entire world's banking system but not for HL.

I need an emoji for teeth grinding. Grrrr!
Michael Whitehouse
Posted: 08 June 2018 15:33:22(UTC)
#6

Joined: 26/04/2018(UTC)
Posts: 1

I am confused re these comments re HL log in etc. I have six portfolios via my sign on - my wife's and four bare trusts for my grandchildren, plus my own. I have received no email re new sign in and I access HL every day. I have just signed in and although the presentation of sign on is slightly re-formatted the info is the same and no problems whatsoever. Why would they want to make it more difficult?
Alan Selwood
Posted: 08 June 2018 16:39:20(UTC)
#7

Joined: 17/12/2011(UTC)
Posts: 2,735

Thanks: 561 times
Was thanked: 4570 time(s) in 1643 post(s)
Like mountaineering - "Because we can"!

My online bank accounts want 6-digit passwords.

I know that PIN numbers for cards are only 4, which is (relatively) much easier to crack.

Beware the contactless card theft problem! Wrapped in radio-frequency barring mesh is not a bad idea.
PaulSh
Posted: 08 June 2018 17:45:57(UTC)
#8

Joined: 02/12/2014(UTC)
Posts: 106

Thanks: 23 times
Was thanked: 147 time(s) in 81 post(s)
OF COURSE signing in shouldn't be easy, if it's easy for you it's easy for the bad guy too. It's been too easy with HL for a long time now and they're probably beefing it up to comply with GDPR. I'd be even happier if they used a YubiKey or something, though.

And they've NOT stopped trading in linked accounts. Trading in linked accounts has just been disabled by default, so you need to get the person whose account it is to sign in and then they can enable trading for you again.

All of that said, they seem to have actually reduced the security on telephone calls because before it needed 3 characters from your master password, so 36^3 or 46,656 combinations, but now it sounds like they only need 3 digits from your "secure number", so only 10^3 or 1,000 combinations. Given the amounts of money that an identity thief could potentially get their hands on, odds of 1 in 1,000 seem like they would be worth chancing.
1 user thanked PaulSh for this post.
Sara G on 08/06/2018(UTC)
Tyrion Lannister
Posted: 08 June 2018 18:24:27(UTC)
#9

Joined: 03/03/2017(UTC)
Posts: 402

Thanks: 247 times
Was thanked: 303 time(s) in 185 post(s)
I've had no email nor requests for new secure numbers/passwords etc. I also manage my wife's account and there's been no changes to the way I link to that.

Presumably, they must be introducing the changes gradually?

I have a reminder in my phone to print off a pdf of our holdings once a month. I think I'll increase that frequency until the changes have taken effect.
john brace
Posted: 08 June 2018 18:26:45(UTC)
#11

Joined: 03/02/2012(UTC)
Posts: 70

Thanks: 211 times
Was thanked: 40 time(s) in 22 post(s)
Yes, they say they are doing it gradually. Even after their notice arrives you can still access the account a few times before you are blocked.
Nigel G
Posted: 08 June 2018 19:18:34(UTC)
#12

Joined: 03/07/2014(UTC)
Posts: 46

Thanks: 18 times
Was thanked: 61 time(s) in 30 post(s)
The changes are going to be introduced over the next couple of weeks. More information can be found at www.hl.co.uk/loginchanges
PaulSh
Posted: 08 June 2018 20:24:23(UTC)
#10

Joined: 02/12/2014(UTC)
Posts: 106

Thanks: 23 times
Was thanked: 147 time(s) in 81 post(s)
Tyrion Lannister;63612 wrote:
I have a reminder in my phone to print off a pdf of our holdings once a month. I think I'll increase that frequency until the changes have taken effect.

I export my portfolio daily to a spreadsheet that then keeps it for 28 days, which is itself backed up to the cloud every day. The cloud backup then keeps at least 10 old versions going back up to 3 months. On top of that, I back it up every 3 months to an external hard drive that's kept in a fire safe.

Paranoid? Maybe, but I'm just following the lessons I learned during a 40+ year career in IT.
Jon Snow
Posted: 08 June 2018 23:36:01(UTC)
#13

Joined: 02/03/2014(UTC)
Posts: 1,107

Thanks: 794 times
Was thanked: 948 time(s) in 478 post(s)
It seems to me, as I read my letter from HL -

They will want you to create a new online password and a "secure number"

Not clear if your trading account password will change.

It's not a bad thing that they are employing extra levels of account access security is it?

Sure, for us folks with 8 or 9 accounts it's a bit of work.

D. Parkinson
Posted: 08 June 2018 23:47:09(UTC)
#14

Joined: 23/06/2017(UTC)
Posts: 3

Hi,
Why not just use your existing login & trading password? How will anybody know it's the same as the old one you use? Just edit it slightly if you have to.
Denis P.
Nigel G
Posted: 09 June 2018 08:21:28(UTC)
#15

Joined: 03/07/2014(UTC)
Posts: 46

Thanks: 18 times
Was thanked: 61 time(s) in 30 post(s)
D. Parkinson;63619 wrote:
Hi,
Why not just use your existing login & trading password? How will anybody know it's the same as the old one you use? Just edit it slightly if you have to.
Denis P.

Your new online password cannot match any of your existing security details, so you will have to edit any used before. It will need to be at least 8 characters long, contain at least 1 uppercase letter, 1 lowercase letter and 1 number.

Your trading password will no longer be needed.
Stephen B.
Posted: 10 June 2018 11:35:08(UTC)
#16

Joined: 26/09/2012(UTC)
Posts: 305

Thanks: 15 times
Was thanked: 227 time(s) in 132 post(s)
The big issue with passwords is what happens if the company is hacked and the password database is stolen. Companies will no doubt tell you that it can't happen, but it does. The database should be encrypted, so hackers would need to use brute force to guess the passwords, but they could potentially devote very large computing resources to it if they wanted. The biggest defence against that is simply making the password longer - roughly speaking every extra character will make it take 100 times as long to crack as there are about 100 characters to choose from. So much better to have something like nowisthewinterofourdiscontent than 5vI7L&@. Unfortunately companies tend to be obsessed with making you include more types of character, which does relatively little, rather than on length - sometimes they even limit the maximum length.
john brace
Posted: 10 June 2018 11:53:54(UTC)
#22

Joined: 03/02/2012(UTC)
Posts: 70

Thanks: 211 times
Was thanked: 40 time(s) in 22 post(s)
And at the end of it all any withdrawals go to your registered bank account - what's the problem?
2 users thanked john brace for this post.
Harry Trout on 10/06/2018(UTC), t s on 10/06/2018(UTC)
mark spurrier
Posted: 10 June 2018 16:59:12(UTC)
#17

Joined: 17/01/2018(UTC)
Posts: 57

Thanks: 1 times
Was thanked: 54 time(s) in 29 post(s)
Stephen B.;63672 wrote:
The big issue with passwords is what happens if the company is hacked and the password database is stolen. Companies will no doubt tell you that it can't happen, but it does. The database should be encrypted, so hackers would need to use brute force to guess the passwords, but they could potentially devote very large computing resources to it if they wanted. The biggest defence against that is simply making the password longer - roughly speaking every extra character will make it take 100 times as long to crack as there are about 100 characters to choose from. So much better to have something like nowisthewinterofourdiscontent than 5vI7L&@. Unfortunately companies tend to be obsessed with making you include more types of character, which does relatively little, rather than on length - sometimes they even limit the maximum length.


I still run probes against commercial organisations and get user=admin and password=password01

Disks that support encryption at rest are more expensive and slower than standard disks... lots of places don't use them.
PaulSh
Posted: 11 June 2018 15:04:10(UTC)
#18

Joined: 02/12/2014(UTC)
Posts: 106

Thanks: 23 times
Was thanked: 147 time(s) in 81 post(s)
Stephen B.;63672 wrote:
The big issue with passwords is what happens if the company is hacked and the password database is stolen.

That would be more of a problem if you were only keying in selected characters from it. Given that now the master password has to be entered in its entirety, there is no need to store an encrypted version, instead a salted hash can be used which (if done correctly) should be even more secure as there is no "master key" as such which can immediately reveal all the passwords.

john brace;63674 wrote:
And at the end of it all any withdrawals go to your registered bank account - what's the problem?

Which is basically what HL said when I complained that they'd weakened their telephone security. At one time you could change your bank account by just sending them a letter, but now you have to tell them you want to change and they will send you a PIN by post, which you then need to use to actually make the change. For additional security, you also can't change your address and your bank details within 21 days of each other.
2 users thanked PaulSh for this post.
Sara G on 11/06/2018(UTC), john brace on 11/06/2018(UTC)
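PaulSh's point above, that a password which is entered in full can be stored as a salted hash rather than reversibly encrypted, as an added example (not HL's implementation or anything from the thread): the standard library's PBKDF2-HMAC-SHA256 with a random per-record salt, a constant-time comparison, and a check for records that need a stronger work factor. The iteration count is an assumed work factor. The partial-character telephone check the thread describes could not be served this way, because it needs the plaintext back.

```python
"""Salted, iterated password storage of the kind PaulSh describes.

Added example (not HL's code): the verifier stores only a random per-user salt
and a slow PBKDF2-HMAC-SHA256 derivation, so a stolen database contains no
"master key" that reverses records, and every guess costs an attacker the same
iterated work it costs the server. The iteration count is an assumption.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumed work factor; tune so one check takes ~100 ms
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)   # unique per record, never shared between users
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the record's own salt and parameters; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy."""
    _, stored_iterations, _, _ = record.split("$")
    return int(stored_iterations) < iterations


if __name__ == "__main__":
    # Constructed demo: the same password stored twice gives two different records
    # (different salts), and both still verify; a wrong password does not.
    a = hash_password("nowisthewinterofourdiscontent")
    b = hash_password("nowisthewinterofourdiscontent")
    print(a != b, verify_password("nowisthewinterofourdiscontent", a))   # True True
    print(verify_password("5vI7L&@", a))                                  # False
```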
Stephen B.
Posted: 11 June 2018 15:17:26(UTC)
#19

Joined: 26/09/2012(UTC)
Posts: 305

Thanks: 15 times
Was thanked: 227 time(s) in 132 post(s)
PaulSh;63709 wrote:
That would be more of a problem if you were only keying in selected characters from it. Given that now the master password has to be entered in its entirety, there is no need to store an encrypted version, instead a salted hash can be used which (if done correctly) should be even more secure as there is no "master key" as such which can immediately reveal all the passwords.


That's true, but still they can just plough through every possible password up to some length. The other possibility is a dictionary attack, i.e. just trying common words or phrases, but you don't need a lot of extra characters to defeat that because there are so many ways to do it that it ends up being no easier than brute force. So a password of "password" is terrible, but even "thisism2ypasswo@rd" is probably OK (although I wouldn't recommend it).

(Conversely, defense against an online attack is fairly trivial - if the system limits to say 1 attempt a second, even without a maximum limit you don't need a very strong password to be unguessable.)
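The search-space arithmetic behind PaulSh's 36^3 versus 10^3 telephone figures, Stephen B.'s length-versus-character-class point and his closing remark about throttled online attempts, worked through as an added example (not from any poster or from HL). The alphabet sizes and guess rates are illustrative assumptions, not measurements of any real system.

```python
"""Search-space arithmetic behind the thread's password figures (added example;
alphabet sizes and guess rates are illustrative assumptions, not HL measurements)."""
from dataclasses import dataclass

PRINTABLE_ASCII = 95    # the post's "about 100 characters to choose from"
LOWERCASE = 26
DIGITS = 10
ALNUM_NO_CASE = 36      # letters+digits, case-insensitive: PaulSh's 36^3
UPPER_LOWER_DIGIT = 62  # the only classes HL's stated minimum requires
SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class Estimate:
    label: str
    space: int                # candidate secrets an exhaustive attacker must cover
    worst_case_years: float   # time to cover them all at the assumed guess rate


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / SECONDS_PER_YEAR


def estimate(label: str, alphabet: int, length: int, rate: float) -> Estimate:
    space = search_space(alphabet, length)
    return Estimate(label, space, years_to_exhaust(space, rate))


def thread_examples(offline_rate: float = 1e10, online_rate: float = 1.0) -> dict:
    """offline_rate: assumed guesses/s against a stolen fast-hash database;
    online_rate: Stephen B.'s hypothetical throttle of one attempt per second."""
    return {
        # telephone check: 3 characters of a master password vs 3 digits of a PIN
        "phone_3_of_36": estimate("3 chars, 36 symbols", ALNUM_NO_CASE, 3, online_rate),
        "phone_3_digits": estimate("3 digits", DIGITS, 3, online_rate),
        # the post's two example passwords, attacked offline
        "short_complex": estimate("5vI7L&@: 7 printable", PRINTABLE_ASCII, 7, offline_rate),
        "long_simple": estimate("29 lowercase letters", LOWERCASE, 29, offline_rate),
        # policy minimum (8 chars, upper+lower+digit); 62^8 is an upper bound since
        # the must-contain rules exclude some strings
        "policy_offline": estimate("8 chars, 62 symbols", UPPER_LOWER_DIGIT, 8, offline_rate),
        "policy_online": estimate("8 chars, 62 symbols, 1/s", UPPER_LOWER_DIGIT, 8, online_rate),
    }
```

The same 8-character policy that falls in well under a year offline holds for millions of years at one guess per second, which is Stephen B.'s point: the throttle, not the character classes, is what defends the online path.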