I recently opened a new brokerage account at TradeKing. I haven’t really used it yet, as I am still in the process of clearing my initial ACH transfer, but one major annoyance is the virtual keyboard they use in their login system. This is pretty commonly used on financial websites, and it usually works like this: first you have to type in your username or customer ID (there is only one field to submit), and then, if you type in a username/ID that matches one of their records, it redirects to a different page to prompt you for passwords/security keys/PINs/etc. Sometimes it doesn’t even tell you if the first input is correct, which is the right thing to do. On the second screen you are presented with a virtual keyboard or keypad, where you are forced to click the virtual keyboard instead of typing in the password; I think some of them even remap the clicks into different keys. This might seem like a good idea, as it makes it slightly harder for people to guess the passwords, but in reality it doesn’t work because:
- it encourages users to have much shorter and easier-to-type passwords or PINs; instead of using 1Password’s password generator to generate strong random passwords with the maximum allowed length, I am inclined to use something easy to type, without symbols or mixed case
- with a little bit of scripting and the right tools, you can emulate mouse clicks in browsers; people do this in web UI testing all the time, so it really doesn’t prevent anyone from trying to guess passwords, and due to point #1 the passwords are usually easier to guess with such a system
This just becomes a HUGE annoyance to your customers when they try to access their accounts. TD Ameritrade and E*TRADE don’t do this, and 1Password can log me into those sites with just one keyboard shortcut (⌘-\), so I am way more likely to trade at my TD Ameritrade account than at TradeKing.
This is a screenshot of what it looks like at TradeKing:
ING Orange also has something similar:
and HSBC also implemented a virtual keyboard, though, in this case, 1Password was able to autofill and submit the form:
BTW, if you have a Mac and an iPhone, I highly recommend getting 1Password, especially if you use multiple browsers like I do (FF, Fluid, and Safari). It is GOLD!
