Privacy @lemmy.ml nocturne @sopuli.xyz 3 mo. ago

Signed up for Equifax to freeze my credit, password can not be longer than 20 characters

Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is "well all of our other customers are okay with this".

146

146 comments

Yeah well, if you’re so smart let’s see you write a website in COBOL.
This implies they're storing the plaintext password.

Ideally the password would be hashed with a salt and then stored. Then it's a fixed length field and it shouldn't matter how long the password is.
Credit bureaus are not for your protection, they're for the protection of their clients, the banks.
Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It's like oh come on that is way too easy these days
A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren't hashing your password with anything stronger than MD5. Or worse.
the Ring app (I think) forced me to change my Wi-Fi password because I wasn't allowed to use ampersands. according to support it's because they "use ampersands in the code"
Literally this
Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.
My bank used to not let me type one longer than six (6) characters!
I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there's nonway someone could spoof a phone number and then unfreeze your credit.
LOL

I hate stupid character limits. Not everyone uses, "passwords"... I type out a damn sentence.
that is a painfully bad list of ~~requirements~~ bullshit
short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded
That’s security theater for you…
I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?
Just wait until you get to Transunion's site. It is a dumpster fire of consisting of the worst sign up I've ever seen, "Contact our social team" and "If you haven't logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.
Correct me if I'm wrong, but the only reason to limit password length, is to save carrying cost on the database. But the only reason that this would be value added, is if the passwords are encrypted in reversible encryption, instead of hashed. Isn't this against some CISA recommendation?
I swear password restrictions are getting to the point where there's eventually going to only be one usable password.
I'd like to not solve a boolean satisfiability problem along the way, please.
I happened to freeze all my credit in the same weekend I switched car insurance so I don't know who is to blame (my bet is on GEICO) but starting Monday I've been getting a bunch of spam calls and texts...

Such scumbags... If it's the credit agencies they caused the problem for me to be there and are now profiting off the "solution" and if it's GEICO it's probably worse since I'm already fucking paying them, but no they need more.
Fuck1ngKil!M3
Open a bug report
Oh boy. If you think this is bad, you should try waiting a few weeks or months after you're signed up this time, then sign up for a new account using your current details, just with a different email. Spoiler: if you can answer the security questions, you're home free.

And remember that between the Equifax leak and more recent hacks, at this point, every sensitive detail for every member of the economy is now in the hands of bad actors. If they want your shit, or into it, they'll social engineer it.

Should passwords have maximum character counts? Sure, to prevent overflow attacks (or whatever) by pasting five different analyses of the movie Primer as your password. It should be longer than 20 in any case. But are there other, way worse security issues? Yes.
Huh - they increased it!
@nokturne213 In Canada, we also have transunion; they officially say max pw size is 30 but it’s actually 15. Complete joke. At least Equifax has proper 2FA.
The 20 character length limit is so annoying because I once had 2 distinct passwords (not in use anymore) that were both coincidentally 21 characters long. Character limiting me by a single character at the end of those old passwords was annoying because I usually ended up, for some services I needed, having to change up and use a completely new password. Back when I was a lot worse about reusing passwords than now.
I always get a chuckle when financial institutions have requirements like these, or lack 2FA. My Lemmy account has more security at this point.
Reminds me of this
At least they show you their requirements. Usually I use passwords with up to 150 characters (including special ones). Getting a vague response like "Password is invalid" is so annoying. I then have to remove special characters and reduce the length step by step until it is accepted by the website. (But 20 characters is way too short, resulting in these hilarious other requirements. You just want to create an account, without having to do a PhD in creating passwords first.)
I've seen even shorter limits. Still annoying.
I went through that bullshit so many times trying to get the characters etc then the next step said not available try again later, then repeat that a few times. What BS a max of 20 characters is too.
@nokturne213 Add it to https://dumbpasswordrules.com/

#DumbPasswordRules
I had an account there with a proton email address and suddenly I couldn't log in anymore. After 6 months of calling, someone finally told me proton emails are blocked because they are not secure. So I changes it to a tutanota email

What a clusterf**k
Permanently Deleted
I'm just gonna go ahead and say it: 16 Characters are sufficient and 20 pretty damn secure.

That is assuming they do stuff right and there are no vulnerabilities, which they won't and there are. However they may manifest, they are a greater concern at 16+ characters, especially if they don't offer 2FA.

The reason is that even if machines become powerful enough that 16 characters can be bruteforced, which they can't atm, you can effectively defend everything against bruteforce attacks by other means. Including but not limited to limiting login attempts, salts and pepper, multiple encryption layers etc.

With just ~~a salt~~ pepper you can make a 16 char password effectively a 24 char password... Or a 2.000.000 char password. Assuming it is not stolen alongside that is.

Edit: Changed 'salt' to 'pepper'.
Super long passwords aren't going to do you any good when their database is compromised and sold to anyone with a few bucks.

Its not like some one is gonna be brute forcing your account password, it would lock your account after like ten tries.

You've viewed 146 comments.