Increasing Schwab Security

There are two things I did to increase the security of my Charles Schwab account despite the 6–8 character password restrictions:

  1. Changed my username for secrecy
  2. Added an Authenticator Token

With the 8 character password limit, I set a 20 character random username. While many security researchers recommend a random username, I generally rely solely on strong passwords. In this case, going from 8 to 28 characters an attacker needs to guess is a very good improvement.

If you call Schwab, you can also request a physical authenticator token. It is a physical Symantec VIP token, so it's an extra device to carry. It was easy enough to set up, and Schwab allows you to sign in two different ways with it. You can concatenate <password><authenticator code> in the password field, or follow the standard flow of entering your username and password before being prompted for the authenticator code. The concatenated option is nice because it enables the authenticator to work with financial management software that only supports username and password fields.
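
How a server could check the concatenated <password><authenticator code> field described above, as an added example that is not code from this post, Schwab or Symantec. It assumes an event-based (counter) token producing 6-digit RFC 4226 HOTP codes; the class name, window size and salt are hypothetical.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6   # assumed code length; the post does not state it
LOOK_AHEAD = 3   # assumed resync window for button presses the server never saw


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical server-side record: password hash plus token secret and counter."""

    def __init__(self, password: str, secret: bytes, counter: int = 0):
        self.salt = b"constructed-salt"  # constructed value; random per account in practice
        self.pw_hash = self._hash(password)
        self.secret = secret
        self.counter = counter           # next counter value the server expects

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def verify_combined(self, field: str) -> bool:
        """Check one '<password><code>' field; the code is the trailing digits."""
        if len(field) <= OTP_DIGITS:
            return False
        password, code = field[:-OTP_DIGITS], field[-OTP_DIGITS:]
        if not (code.isascii() and code.isdigit()):
            return False
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        # Accept the expected counter or a few ahead of it, never behind it.
        for c in range(self.counter, self.counter + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(self.secret, c), code) and pw_ok:
                self.counter = c + 1     # this code and all earlier ones are now spent
                return True
        return False
```

Because the counter advances on every accepted login, a combined string saved in another program is good for one sign-in only, and a code further ahead than the window is rejected until the token is resynchronized.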

I verified that the authenticator works with the Schwab website, Schwab iOS app, and

Edit: May 14, 2014

If you have any programs or services that periodically update, you should disable them when adding the authenticator. I think failed login attempts from one of these programs caused Schwab to lock my account.

3 thoughts on “Increasing Schwab Security”

    1. Kenji Yoshino Post author

      Hi Jake,

      With the OTP authentication token, syncing with Mint is pretty iffy. I have about a 5% success rate, so it’s pretty frustrating.

      1. Log in to Schwab, to verify that my token is working
      2. Wait until the OTP code disappears off of the token
      3. Update the Schwab password in Mint with <password><OTP code>
      4. Wait to see if Mint syncs with Schwab
      5. If that fails, I log out of Schwab and start over from step 1. The logout/login to Schwab ensures that the OTP counter stays in sync with Schwab

      Overall, I like Mint more and it seems more secure, but Personal Capital works well with Schwab’s OTP. It will store your password and prompt you for an OTP code.

      1. Kenji Yoshino Post author

        Hi Jake, I’m not sure if something changed with Mint, but I have been unable to update Schwab since I posted. I’ve now tried 30 times without success.
