Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.
Both Experian and transunion had no password length limitations, nor did they require my username be my email address.
Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.
I went through that bullshit so many times trying to get the characters etc then the next step said not available try again later…
Just wait until you get to Transunion’s site. It is a dumpster fire of consisting of the worst sign up I’ve ever seen, “Contact our social team” and "If you haven’t logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.
Transunion was not too bad, and they did not require my full SSN, unlike Equifax. But transunion will not easily give me my credit score unlike the two Es.
That’s security theater for you…
I swear password restrictions are getting to the point where there’s eventually going to only be one usable password.
Yeah, it’s counterproductive to lay out a bunch of restrictions. Let people make a long-ass password that’s a memorable phrase - it’s safer anyway.
Although I don’t know how anyone makes it without a password manager at this point.
I don’t know how anyone makes it without a password manager at this point.
Password reuse. Password reuse everywhere.
We’re all guilty of it. No shame in admitting it. I know I’ve been guilty of it from time to time.
When I have to sign up for something on my phone I will use my pre Bitwarden default password. Then once I have a sec to sit down iPad or laptop I will change it to something more secure.
I am currently fighting with my wife and children to start using a password manager.
What’s the best password manager you’d recommend?
I have only used lastpass (they have had several breeches and I do not recommend them), Bitwarden (my current daily driver and my recommendation), and I have used Apple keychain a little for passwords at work that my wife can access without having full access to my Bitwarden.
Thank you!
On your phone, you can select autofill, then ask bitwarden to generate a password, save and use that to register
The funny thing about that is that I am currently on my laptop getting keepassxc set up. This post has somehow motivated me to finally get a password manager.
If it converts one person that is a good thing.
I’d like to not solve a boolean satisfiability problem along the way, please.
“Cannot contain your email address” - damn right it can’t contain my email address in 20 characters!
At least they show you their requirements. Usually I use passwords with up to 150 characters (including special ones). Getting a vague response like “Password is invalid” is so annoying. I then have to remove special characters and reduce the length step by step until it is accepted by the website. (But 20 characters is way too short, resulting in these hilarious other requirements. You just want to create an account, without having to do a PhD in creating passwords first.)
Twitch is bad about this. It’s not a fucking ballistic missile installation - just tell me what you want.
There shouldn’t be an arbitrary limit on the length of a password but how is 20 characters “way too short”? It’s more than 10^36 combinations.
It doesn’t even matter. Because the limit implies that they don’t hash and salt their passwords.
Plus they had a breach already in 2017.
I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?
Calculating hashes is supposedly more expensive for longer strings. That could be used to simplify some kind of overload attack like DDOS.
If they’re not already rate-limiting login attempts that’s another huge problem…
If they’re using md5 (which would be in line with their security practices), the block size is 512 bits. That means that everything less than 64 characters is the same cost
since the plain text isnt stored
I’m not sure I’d accept a bet on that assumption.
Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil’d into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don’t do fucky things with passwords unless your backend is doing something really stupid.
that is a painfully bad list of
requirementsbullshitA 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren’t hashing your password with anything stronger than MD5. Or worse.
My default is to generate a 32 character password and store it in a password manager. Doesn’t matter to me how many characters it has since I’m just going to copy and paste it anyway.
Pretty surprising how many places enforce shorter passwords though… I had a bank that had a maximum character limit of 12. I don’t bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.
A hash has a fixed length, including MD5. There’s no reason to cap password (input) Iength. You can hash the whole bible and still get the same length hash. So either they don’t even hash it, they’re idiots, or they try to be unnecessarily cautious to avoid some other limit / overflow, like POST max size (which would still be counted in at least KB, not several characters). The limit on what special characters you can use is also highly suspicious - that’s not how you deal with injections / escaping your inputs.
Hashing takes longer the longer the string is, so it technically could impact performance if many people with very long passwords log in simultaneously. 20 characters is ridiculous though, you could probably cap it at hundreds and still be completely fine.
Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It’s like oh come on that is way too easy these days
Oh but wait! That non-customizable
account numberuser ID that you have to wait for in the mail is definitely top notch security!Honestly, that’s a sign to me that your bank doesn’t take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it’ll even send me a text to verify a purchase if their software thinks it’s weird I got across town too quickly, though that’s pretty rare so it isn’t overly aggressive/inconvenient.
In Germany at least, I hear that banks have weird law requirements for these weird security things, like photoTAN.
I’d be much happier if they’d just let me do my usual setup with password, totp and my hardware token.
In the US the FDIC sets security requirements for banks and audits annually, and they keeps raising requirements every year or so. At this point its just easier for a bank to invest in following current best practices and keep updating to the current best practices than to keep chasing every new finding on the FDIC audits each year
Source: I worked in IT at a bank for a while
The 20 character length limit is so annoying because I once had 2 distinct passwords (not in use anymore) that were both coincidentally 21 characters long. Character limiting me by a single character at the end of those old passwords was annoying because I usually ended up, for some services I needed, having to change up and use a completely new password. Back when I was a lot worse about reusing passwords than now.
Credit bureaus are not for your protection, they’re for the protection of their clients, the banks.
Banks aren’t much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I’m pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.
You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.
The first part I’m sure about because I had to create a bookmark of a line of javascript that would bypass the on-screen keyboard and allow you to autofill the password. It was sometime in the last 3 or 4 years that they finally joined the 1990s and updated it
@nokturne213 In Canada, we also have transunion; they officially say max pw size is 30 but it’s actually 15. Complete joke. At least Equifax has proper 2FA.
I tried to log in to see if I could activate 2FA and it says I have to call customer service to log in now.
Don’t worry this is easily solved by sending a fax of your drivers license Mo-Fr between the hours of 8:05am and 8:09am
Open a bug report
