Signed up for Equifax to freeze my credit, password can not be longer than 20 characters
Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.
Both Experian and transunion had no password length limitations, nor did they require my username be my email address.
Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is "well all of our other customers are okay with this".
Yeah well, if you’re so smart let’s see you write a website in COBOL.
no spaces in a string is a dead giveaway that theres Cobol in there somewhere meow
?
their name is kittykittycatboys what else do you expect :3 meow
It shows up on my screen as merely "max", nothing else.
Username and display name can be set independently, you should have a "Display name" field in settings. Their non-unique display name is "max" and their unique username is "@[email protected]". If you check their profile you should see both.
If you don't set a display name it will be the same as your username, if you set display name to the same as username (like I have) it'll show your username without the instance even to people on other instances.
Oh, I see. Thanks.
Where would max even come from? That's not in their username o.O
That’s what I see too!
Max is the name of the cat, duh.
Meow do you like to drink milk from a saucer?
"We serve
foodsanity here, sir"This implies they're storing the plaintext password.
Ideally the password would be hashed with a salt and then stored. Then it's a fixed length field and it shouldn't matter how long the password is.
Or a very very old database system, possibly DB2, where you can't change the column limits or data types after the fact.
If they're hashing, the column size should be irrelevant. Ideally the database should never see the plaintext password in the first place (though I could understand calculating the hash in the query itself). If they're not hashing, they should really be rewriting their database anyway.
Salted passwords are not recommended anymore. Better to use a memory hard key derivation function designed for passwords, like Argon.
https://en.wikipedia.org/wiki/Argon2
Those are salted, they just do it for you.
Where does the salt get stored?
It's usually part of the string stored to the DB.
Edit: you can see the PHC spec here:
https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
Which is a common format for various password storage algorithms, including Argon2. It has a salt field.
I'd rather see a paper explaining the flaws with salted passwords rather than "just use this instead".
My initial reaction is that this overcomplicates things for the majority of use-cases, and has way more to configure correctly compared to something basic like a salted sha256/sha512 hash that you can write in any language's standard library.
If the database of everyone's salted password hashes gets leaked, this still gives everyone plenty of time to change passwords before anything has a chance of cracking them. (Unless you're about to drop some news on me about long time standard practices being fundamentally flawed)
Wut. Is the competition not enough data for you? This is how we got AES.
Can you name a single popular language where Argon2 isn't implemented in a stamdard library?
I think you're missing the point of what I'm asking. In what way are regular salted passwords insecure? Sure you can keep adding extra steps to encryption, but at a certain point you're just wasting CPU cycles.
I have no doubts about Argon2 being secure, I just think the extra steps are unnecessary for anything I would build (i.e. not touching financial transactions or people's SSNs). By design argon2 uses a lot of memory and CPU time to make bruteforce attacks much harder, but that's more of a downside when you're just doing basic account logins on a low end server.
I'll happily retract my point about external dependencies. It's available in most languages, and notably std C++ contains neither argon2 or sha256/512 hashing, so that kind of makes my original point invalid anyway.
Credit bureaus are not for your protection, they're for the protection of their clients, the banks.
Banks aren't much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I'm pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.
You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.
The first part I'm sure about because I had to create a bookmark of a line of javascript that would bypass the on-screen keyboard and allow you to autofill the password. It was sometime in the last 3 or 4 years that they finally joined the 1990s and updated it
Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It's like oh come on that is way too easy these days
Honestly, that's a sign to me that your bank doesn't take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it'll even send me a text to verify a purchase if their software thinks it's weird I got across town too quickly, though that's pretty rare so it isn't overly aggressive/inconvenient.
In Germany at least, I hear that banks have weird law requirements for these weird security things, like photoTAN.
I'd be much happier if they'd just let me do my usual setup with password, totp and my hardware token.
In the US the FDIC sets security requirements for banks and audits annually, and they keeps raising requirements every year or so. At this point its just easier for a bank to invest in following current best practices and keep updating to the current best practices than to keep chasing every new finding on the FDIC audits each year
Source: I worked in IT at a bank for a while
A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren't hashing your password with anything stronger than MD5. Or worse.
My default is to generate a 32 character password and store it in a password manager. Doesn't matter to me how many characters it has since I'm just going to copy and paste it anyway.
Pretty surprising how many places enforce shorter passwords though... I had a bank that had a maximum character limit of 12. I don't bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.
A hash has a fixed length, including MD5. There's no reason to cap password (input) Iength. You can hash the whole bible and still get the same length hash. So either they don't even hash it, they're idiots, or they try to be unnecessarily cautious to avoid some other limit / overflow, like POST max size (which would still be counted in at least KB, not several characters). The limit on what special characters you can use is also highly suspicious - that's not how you deal with injections / escaping your inputs.
Hashing takes longer the longer the string is, so it technically could impact performance if many people with very long passwords log in simultaneously. 20 characters is ridiculous though, you could probably cap it at hundreds and still be completely fine.
the Ring app (I think) forced me to change my Wi-Fi password because I wasn't allowed to use ampersands. according to support it's because they "use ampersands in the code"
You mean the company that had a feature in place that allowed law enforcement to request and access video footage from your devices without obtaining a warrant first?
As expected, their security measures were also found to be lacking.
Yeah, no thanks.
It deeply saddens me when people pay money for locked down hardware that's not only designed to spy on them, but their family, friends, and neighbors as well. Ring, Amazon Echo, Google Home, that creepy Facebook robot screen...all insecure spyware.
yeah I only have a ring for my outdoor cameras. I was considering switching my indoor system yo ring as my alarm company keeps raising their prices but I'm not putting ring cameras inside my house. especially because the privacy shutters on them are manual
Thats the least of your worries with Ring. Put that shit straight into the bin.
Sure would be a shame of Bobby tables made a ring acct
The problem is quotes, not spaces and ampersands
Then wash the code! Son's of bitches!
Eufy cameras will not allow spaces in the WiFi password.
I encountered something like this at work. It wasn’t pass related, it was just a means of getting people to make text responses. Ampersands were replaced with some gibberish format, which annoyed everyone.
I got some kind of explanation from our tech people, which I understood to mean that ampersand was used to indicate that what followed was live code. Turning the ampersand into gibberish text was a safety measure to stop mischief.
I’ve noticed ampersand replacements in some news feeds too
Literally this
Except todays wordle answer cannot be made to multiply to 35
I got to rule #16 - I suck at chess. Secret to “multiply roman numerals” is just add them up to the value.
Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.
that they collect without your explicit consent
You signed a contract? Pretty sure they're going to fuck it up either way and they definitely have all your data.
My bank used to not let me type one longer than six (6) characters!
My bank disables paste as has code checking if the browser is greater than Netscape Navigator 4.
Goddamn I really hate that shit.
https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-with-paste/
I wrote a TamperMonkey script. 😅 I needed to so I could use my password manager. How dare I.
Should be a general web dev usability note: always aim to make your code to be friendly for scraping & userStyles/userScripts. If a client isn’t updating shit, at least users can easily fix things. This is also another point against this Tailwind-only trend since you tend to lose anything semantic in the DOM & have nothing to select on.
Yup. My bank was even "translating" passwords to PINs behind the scene specifically so your password for the website would be the same as your password on the telephone.
I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there's nonway someone could spoof a phone number and then unfreeze your credit.
And I use password manager, I don't care of its 52 chars long, I just use the software to fill the field
I recommend Diceware for generating memorable passwords of sufficient complexity...but also, a password manager.
I use a 5 word phrase generated by my password locker. I will add a symbol or three to it if required.
that is a painfully bad list of
requirementsbullshitshort passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded
They’re supposed to be hashed so that shouldn’t matter
Unless that’s the joke or something
Just wait until you get to Transunion's site. It is a dumpster fire of consisting of the worst sign up I've ever seen, "Contact our social team" and "If you haven't logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.
Transunion was not too bad, and they did not require my full SSN, unlike Equifax. But transunion will not easily give me my credit score unlike the two Es.
I swear password restrictions are getting to the point where there's eventually going to only be one usable password.
Yeah, it's counterproductive to lay out a bunch of restrictions. Let people make a long-ass password that's a memorable phrase - it's safer anyway.
Although I don't know how anyone makes it without a password manager at this point.
Password reuse. Password reuse everywhere.
We're all guilty of it. No shame in admitting it. I know I've been guilty of it from time to time.
When I have to sign up for something on my phone I will use my pre Bitwarden default password. Then once I have a sec to sit down iPad or laptop I will change it to something more secure.
I am currently fighting with my wife and children to start using a password manager.
The funny thing about that is that I am currently on my laptop getting keepassxc set up. This post has somehow motivated me to finally get a password manager.
If it converts one person that is a good thing.
On your phone, you can select autofill, then ask bitwarden to generate a password, save and use that to register
What's the best password manager you'd recommend?
I have only used lastpass (they have had several breeches and I do not recommend them), Bitwarden (my current daily driver and my recommendation), and I have used Apple keychain a little for passwords at work that my wife can access without having full access to my Bitwarden.
Thank you!
I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?
I'm not sure I'd accept a bet on that assumption.
Calculating hashes is supposedly more expensive for longer strings. That could be used to simplify some kind of overload attack like DDOS.
If they're not already rate-limiting login attempts that's another huge problem...
If they're using md5 (which would be in line with their security practices), the block size is 512 bits. That means that everything less than 64 characters is the same cost
That’s security theater for you…
Correct me if I'm wrong, but the only reason to limit password length, is to save carrying cost on the database. But the only reason that this would be value added, is if the passwords are encrypted in reversible encryption, instead of hashed. Isn't this against some CISA recommendation?
One other reason I could see is pure idiocy. Like I've seen that there is a bias to using every feature some software has, and if a max limit can be set, it will be set, to a "reasonable" value.
Maybe it's also a "it's the way we've always done it" BS that plays into it, too?
Even then, the difference between 20 and 2000 characters is negligible
There may also be a (very weak) reason around bounds checking and avoiding buffer overflows. By rejecting anything longer that 20 characters, the developer can be sure that there will be nothing longer sent to the back end code. While they should still be doing bounds checking in the rest of the code, if the team making the UI is not the same as the team making the back end code, the UI team may see it as a reasonable restriction to prevent a screw up, further down the stack, from being exploited. Again, it's a very weak argument, but I can see such an argument being made in a large organization with lots of teams who don't talk to each other. Or worse yet, different contractors standing up the front end and back end.
They really shouldn't be sending the password over the line at all. It should be local hashed/salted, encrypted, and then sent. So plaintext length really shouldn't matter much, if at all. But I see your point.
I'd like to not solve a boolean satisfiability problem along the way, please.
"Cannot contain your email address" - damn right it can't contain my email address in 20 characters!
I happened to freeze all my credit in the same weekend I switched car insurance so I don't know who is to blame (my bet is on GEICO) but starting Monday I've been getting a bunch of spam calls and texts...
Such scumbags... If it's the credit agencies they caused the problem for me to be there and are now profiting off the "solution" and if it's GEICO it's probably worse since I'm already fucking paying them, but no they need more.
Just a quick tip: I've had good luck getting insurance through a broker. I have cheaper insurance through some B2B place that doesn't work directly with consumers with better coverage than if I went through some national brand that spends millions of dollars a month on advertising to consumers. The other benefit of a broker is now you have a third party who's incentivized to not only find you the best deal but also someone you can get advice from during a claim should anything seem off to you.
Thanks for the tip! I'll have to look into that.
Open a bug report
@nokturne213 In Canada, we also have transunion; they officially say max pw size is 30 but it’s actually 15. Complete joke. At least Equifax has proper 2FA.
I tried to log in to see if I could activate 2FA and it says I have to call customer service to log in now.
Don't worry this is easily solved by sending a fax of your drivers license Mo-Fr between the hours of 8:05am and 8:09am
The 20 character length limit is so annoying because I once had 2 distinct passwords (not in use anymore) that were both coincidentally 21 characters long. Character limiting me by a single character at the end of those old passwords was annoying because I usually ended up, for some services I needed, having to change up and use a completely new password. Back when I was a lot worse about reusing passwords than now.
Reminds me of this
I always get a chuckle when financial institutions have requirements like these, or lack 2FA. My Lemmy account has more security at this point.
At least they show you their requirements. Usually I use passwords with up to 150 characters (including special ones). Getting a vague response like "Password is invalid" is so annoying. I then have to remove special characters and reduce the length step by step until it is accepted by the website. (But 20 characters is way too short, resulting in these hilarious other requirements. You just want to create an account, without having to do a PhD in creating passwords first.)
Twitch is bad about this. It's not a fucking ballistic missile installation - just tell me what you want.
There shouldn't be an arbitrary limit on the length of a password but how is 20 characters "way too short"? It's more than 10^36 combinations.
It doesn't even matter. Because the limit implies that they don't hash and salt their passwords.
Plus they had a breach already in 2017.
yep. you are right.
I've seen even shorter limits. Still annoying.
I went through that bullshit so many times trying to get the characters etc then the next step said not available try again later, then repeat that a few times. What BS a max of 20 characters is too.
I had an account there with a proton email address and suddenly I couldn't log in anymore. After 6 months of calling, someone finally told me proton emails are blocked because they are not secure. So I changes it to a tutanota email
What a clusterf**k
I almost used my proton mail because I can create an alias, where equifax would not accept a plused gmail account.
I think 12345678901234aB+ would work though. If I am able to log in (I currently have to call customer service to be able to log in) I will try both of these passwords and see if either is accepted.
I'm just gonna go ahead and say it: 16 Characters are sufficient and 20 pretty damn secure.
That is assuming they do stuff right and there are no vulnerabilities, which they won't and there are. However they may manifest, they are a greater concern at 16+ characters, especially if they don't offer 2FA.
The reason is that even if machines become powerful enough that 16 characters can be bruteforced, which they can't atm, you can effectively defend everything against bruteforce attacks by other means. Including but not limited to limiting login attempts, salts and pepper, multiple encryption layers etc.
With just
a saltpepper you can make a 16 char password effectively a 24 char password... Or a 2.000.000 char password. Assuming it is not stolen alongside that is.Edit: Changed 'salt' to 'pepper'.
I tend to prefer pass phrases, they are a lot easier to type and speak, if required. Mine regularly blow past 20 characters.
As for salting, that only defends against rainbow table attacks. The salt needs to be stored along with the hash. That is find for most accounts, but once you're in banking territory, that's a bad bet.
You also can't assume you have no vulnerabilities. If someone gets your database, you can't defend against brute force attacks.
Lastly, if you are doing passwords properly, you shouldn't care much about length. There are a few dos attacks to worry about, but a 512 char limit will stop those, and not limit any sane password.
Bcrypt and scrypt both have a byte limit of 72. That's still enough for a secure passphrase, though some schemes might blow past it.
That's not how salt works. It will be stolen alongside the password hash, because salt is necessarily in plaintext. It doesn't increase the guessability of passwords. It just makes it infeasible to precompute your guesses.
Yes, what I meant is actually a kind of pepper. Although I would like to point out that literally the only difference is that it's stored elsewhere.
The actual length of the password isn't the problem. If they were "doing stuff right" then it would make no difference to them whether the password was 20 characters or 200, because once it was hashed both would be stored in the same amount of space.
The fact that they've specified a limit is strong evidence that they'renot doing it right
Some hashing algorithms are suspectible to long password denial of service so it's recommended to limit the length of password but certainly not to 20 characters but to a more reasonable limit, like 100 characters or so.
Fair enough, I didn't consider compute resources
It does, I'll give you that. However, I will hold the fact that their maximum is actually reasonable against that. The minimum of 8 is more concerning imo