Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.

    • ShepherdPie@midwest.social
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      Banks aren’t much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I’m pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.

      • nocturne@sopuli.xyzOP
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.

  • Scott@lem.free.as
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 months ago

    This implies they’re storing the plaintext password.

    Ideally the password would be hashed with a salt and then stored. Then it’s a fixed length field and it shouldn’t matter how long the password is.

    • Helix 🧬@feddit.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      Or a very very old database system, possibly DB2, where you can’t change the column limits or data types after the fact.

      • xthexder@l.sw0.com
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        If they’re hashing, the column size should be irrelevant. Ideally the database should never see the plaintext password in the first place (though I could understand calculating the hash in the query itself). If they’re not hashing, they should really be rewriting their database anyway.

  • alkaliv2@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    4 months ago

    Just wait until you get to Transunion’s site. It is a dumpster fire of consisting of the worst sign up I’ve ever seen, “Contact our social team” and "If you haven’t logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.

  • ℍ𝕂-𝟞𝟝@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    Imagine having to contract with a company in order for them not to removed your life up with your own data. This is ridiculous.

  • kingthrillgore@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    4 months ago

    A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren’t hashing your password with anything stronger than MD5. Or worse.

    • 🅿🅸🆇🅴🅻@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      A hash has a fixed length, including MD5. There’s no reason to cap password (input) Iength. You can hash the whole bible and still get the same length hash. So either they don’t even hash it, they’re idiots, or they try to be unnecessarily cautious to avoid some other limit / overflow, like POST max size (which would still be counted in at least KB, not several characters). The limit on what special characters you can use is also highly suspicious - that’s not how you deal with injections / escaping your inputs.

      • drivepiler@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        4 months ago

        Hashing takes longer the longer the string is, so it technically could impact performance if many people with very long passwords log in simultaneously. 20 characters is ridiculous though, you could probably cap it at hundreds and still be completely fine.

  • Ellia Plissken@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    the Ring app (I think) forced me to change my Wi-Fi password because I wasn’t allowed to use ampersands. according to support it’s because they “use ampersands in the code”

      • Fuzzy_Red_Panda@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        It deeply saddens me when people pay money for locked down hardware that’s not only designed to spy on them, but their family, friends, and neighbors as well. Ring, Amazon Echo, Google Home, that creepy Facebook robot screen…all insecure spyware.

      • Ellia Plissken@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        yeah I only have a ring for my outdoor cameras. I was considering switching my indoor system yo ring as my alarm company keeps raising their prices but I’m not putting ring cameras inside my house. especially because the privacy shutters on them are manual

  • CubitOom@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there’s nonway someone could spoof a phone number and then unfreeze your credit.

    • krolden@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      4 months ago

      Financial companies ans banks and stuff have to follow regulations on their MFA method. That why you can’t just use any OTP authenticator and are stuck with email/SMS.

      • The Doctor@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        In case anybody’s curious about what those are:

        The biggest reason they use phone calls or SMS, however, is because they don’t want to go to the hassle of getting an in-house MFA service (a TOTP backend, in other words), approved, pen tested, analyzed, verified… all things considered, it’s faster and easier to go with a service like Twilio that already did all that legwork. A couple of years back I worked for a company in just that position, and after we did all the legwork, research, and consultation with the independent third party specialists trying to run our own TOTP would have easily doubled the yearly cost because of all the compliance stuff.

        • krolden@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          4 months ago

          Adding TOTP would be cheaper in the long run than continuing to pay those SMS rates. I dont think its about any kind of extra hassle they have to deal with. More of terrible NIST standards written by the center for internet security, which is a for profit corporation that apparently nist allows to write all their standards

          • The Doctor@beehaw.org
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 months ago

            It really depends on the company. When I was working for that company a few jobs back, we crunched the numbers and the cost of C&C and IV&V (Certification and Accreditation; Independent Verification and Validation) for an in-house TOTP had one more zero to the left of the decimal point than the Twilio bill (added up for the year). Plus, for compliance we’d have to get everything re-vetted yearly.

            That’s kinda of the definition of government contracting. :) I think the only US government org that has actual govvies doing anything other than management is NASA.

  • shortwavesurfer@lemmy.zip
    link
    fedilink
    arrow-up
    1
    ·
    4 months ago

    Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It’s like oh come on that is way too easy these days

    • cm0002@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      Oh but wait! That non-customizable account number user ID that you have to wait for in the mail is definitely top notch security!

    • bassomitron@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Honestly, that’s a sign to me that your bank doesn’t take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it’ll even send me a text to verify a purchase if their software thinks it’s weird I got across town too quickly, though that’s pretty rare so it isn’t overly aggressive/inconvenient.

      • PlexSheep@infosec.pub
        link
        fedilink
        arrow-up
        0
        ·
        4 months ago

        In Germany at least, I hear that banks have weird law requirements for these weird security things, like photoTAN.

        I’d be much happier if they’d just let me do my usual setup with password, totp and my hardware token.

        • Trainguyrom@reddthat.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          4 months ago

          In the US the FDIC sets security requirements for banks and audits annually, and they keeps raising requirements every year or so. At this point its just easier for a bank to invest in following current best practices and keep updating to the current best practices than to keep chasing every new finding on the FDIC audits each year

          Source: I worked in IT at a bank for a while

  • chiliedogg@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    4 months ago

    I swear password restrictions are getting to the point where there’s eventually going to only be one usable password.

    • filcuk@lemmy.zip
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      Yeah, it’s counterproductive to lay out a bunch of restrictions. Let people make a long-ass password that’s a memorable phrase - it’s safer anyway.

      Although I don’t know how anyone makes it without a password manager at this point.

      • sylver_dragon@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        I don’t know how anyone makes it without a password manager at this point.

        Password reuse. Password reuse everywhere.

          • nocturne@sopuli.xyzOP
            link
            fedilink
            arrow-up
            1
            ·
            4 months ago

            When I have to sign up for something on my phone I will use my pre Bitwarden default password. Then once I have a sec to sit down iPad or laptop I will change it to something more secure.

            I am currently fighting with my wife and children to start using a password manager.

            • Dizzy Devil Ducky@lemm.ee
              link
              fedilink
              English
              arrow-up
              1
              ·
              4 months ago

              The funny thing about that is that I am currently on my laptop getting keepassxc set up. This post has somehow motivated me to finally get a password manager.

            • filcuk@lemmy.zip
              link
              fedilink
              arrow-up
              1
              ·
              4 months ago

              On your phone, you can select autofill, then ask bitwarden to generate a password, save and use that to register

              • nocturne@sopuli.xyzOP
                link
                fedilink
                arrow-up
                0
                ·
                4 months ago

                I have only used lastpass (they have had several breeches and I do not recommend them), Bitwarden (my current daily driver and my recommendation), and I have used Apple keychain a little for passwords at work that my wife can access without having full access to my Bitwarden.

  • js10@reddthat.com
    link
    fedilink
    arrow-up
    0
    ·
    4 months ago

    I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?

    • daddy32@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      Calculating hashes is supposedly more expensive for longer strings. That could be used to simplify some kind of overload attack like DDOS.

      • xthexder@l.sw0.com
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        If they’re not already rate-limiting login attempts that’s another huge problem…

      • ReveredOxygen@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        If they’re using md5 (which would be in line with their security practices), the block size is 512 bits. That means that everything less than 64 characters is the same cost

    • Vivendi@lemmy.zip
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil’d into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don’t do removedy things with passwords unless your backend is doing something really stupid.