Sallie Mae, the holder of my consolidated student loans, communicates with its account holders via email. But rather than send this communication in the body of its email messages, the company attaches a password protected PDF document to the email. Until recently, the password to open the PDF was the account holder's Social Security number. This, of course, is a big no-no for any company that takes its customers' privacy and data security seriously, particularly a financial company.
Well, Sallie Mae finally came to its senses this month and altered the passwords to the PDF communications:
Sallie Mae's top priority is keeping your personal information safe. With this in mind, we have updated the password that you use when opening encrypted email attachments. Your new password will be in the following format:
The new password is a combination of the following:
- xxxxxxxxxx = your 10-digit Sallie Mae account number
- Y = the capitalized first letter of the state you live in (if you reside in a foreign country, please use F)
- zzzz = the last four digits of your Social Security number
Right. So before I had an insecure password that at least I could remember. Now, I have a quasi-secure password that I will never remember.
What's most ridiculous about this new password scheme is that all Sallie Mae account holders already have a completely separate username and password to log into the company's website. In order to retrieve the 10-digit account number, most users are likely to log into their account on the Sallie Mae website, which contains all the information about their account with the company.
It seems to me that the best way for Sallie Mae to communicate with its account holders would be to place these messages, in HTML or plain-text format rather than PDF, in an inbox located in the user's account pages on the company website. Then, to notify users that a new message is waiting, email them a link to it. The customer clicks the link and is prompted by the website to log in with the web username and password, not with a non-customizable, predetermined password built from a private and hard-to-remember account number. As a result, the company can communicate with its customers in a manner that is both secure and user friendly.
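To make the proposed design concrete, here is an added toy model of it in Python. It is example code written for this post, not anything from Sallie Mae or its website; the class and method names (SecureInbox, post_message, notification_email, read_message) and the base URL are invented for illustration. The point it shows: the message body never leaves the server, the email carries only an opaque link, and reading the message requires the customer's ordinary web login plus ownership of the message, so no second, derived password is needed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Message:
    id: str      # opaque, unguessable identifier; this is all the email carries
    owner: str   # username of the account holder allowed to read it
    body: str    # the actual communication; stays on the website


class SecureInbox:
    """Hypothetical in-memory model of the 'inbox behind the web login' design."""

    BASE_URL = "https://example.invalid/inbox"  # placeholder, not a real endpoint

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, pw hash)
        self._sessions: Dict[str, str] = {}                 # session token -> username
        self._messages: Dict[str, Message] = {}             # message id -> Message

    # --- the existing web login, reused instead of a second derived password ---
    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    # --- messages stay on the server; the email only points at them ---
    def post_message(self, owner: str, body: str) -> Message:
        msg = Message(id=secrets.token_urlsafe(16), owner=owner, body=body)
        self._messages[msg.id] = msg
        return msg

    def notification_email(self, msg: Message) -> str:
        # Deliberately contains no account data and no message content.
        return (
            "A new message is waiting in your account inbox.\n"
            f"Sign in to read it: {self.BASE_URL}/{msg.id}\n"
        )

    def read_message(self, session_token: Optional[str], message_id: str) -> str:
        user = self._sessions.get(session_token or "")
        if user is None:
            raise PermissionError("login required")
        msg = self._messages.get(message_id)
        # Same error for "missing" and "not yours", so ids reveal nothing.
        if msg is None or msg.owner != user:
            raise PermissionError("no such message for this account")
        return msg.body


if __name__ == "__main__":
    inbox = SecureInbox()
    inbox.register("alice", "correct horse battery")       # constructed sample user
    msg = inbox.post_message("alice", "Your next payment is due on the 15th.")
    print(inbox.notification_email(msg))                    # link only, no body
    token = inbox.login("alice", "correct horse battery")
    print(inbox.read_message(token, msg.id))                # body, after login
```

The notification email is safe to send in the clear because it contains nothing worth protecting; the confidentiality comes from the server-side access check, which is exactly the check the customer's normal website login already performs.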