Chase does it (mostly) right

I got an email from Chase this morning that my password there was compromised, but I don’t see any current news about it. They did have a data breach in 2014, but I’ve changed my password at least once since then. Going directly to the site (never click on links in emails like that if you aren’t certain it actually came from who it claims to be), sure enough my current credentials no longer work. So, I clicked on the “Forgot user name/password” link and started the process.

First annoyance: to verify who I am, they require me to enter my Social Security Number and one of my account numbers with them. Fair enough. However, they have made that text box one you can’t paste into, so I have to actually type out the account number, rather than copying it from my password manager and pasting it there.

Second annoyance: the only multi-factor authentication they provide is via SMS or email. Neither of those is secure. And, it’s not all that clear when they use it. I was prompted for a code during the process of resetting my account, but after I got in, I don’t see any option for configuring it. They must only use it for situations like this (and maybe logging in using a new computer; not sure on that). They really should implement better multi-factor authentication than this.

Still, it appears they were proactive in notifying their customers about an issue, and the steps they took to protect my account through the reset process seemed reasonable.

This also serves as a reminder as to why you shouldn’t reuse passwords. This breach apparently specifically compromised my password (how that would happen is unclear, but it does raise a concern about how they are storing it). That means, anywhere I used that password, those accounts are at risk.

Don’t reuse passwords.

Don’t reuse passwords.

Don’t reuse passwords.