this post was submitted on 21 Aug 2024
607 points (98.1% liked)


Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot use a plused email address, and it had an issue with my self-hosted email alias, forcing me to use my Gmail address.

Both Experian and TransUnion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue: you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or SMS) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no VPN usage is "well all of our other customers are okay with this".

[–] [email protected] 1 points 5 months ago (1 children)

I had an account there with a Proton email address and suddenly I couldn't log in anymore. After 6 months of calling, someone finally told me Proton emails are blocked because they are not secure. So I changed it to a Tutanota email.

What a clusterf**k

[–] [email protected] 2 points 5 months ago

I almost used my Proton Mail because I can create an alias, where Equifax would not accept a plused Gmail account.

[–] [email protected] 6 points 5 months ago

I always get a chuckle when financial institutions have requirements like these, or lack 2FA. My Lemmy account has more security at this point.

[–] [email protected] 20 points 5 months ago (1 children)

short passwords because they are trying to save bandwidth for the next time their entire database structure is downloaded

[–] [email protected] 2 points 5 months ago

They’re supposed to be hashed so that shouldn’t matter

Unless that’s the joke or something

[–] [email protected] 6 points 5 months ago* (last edited 5 months ago)

The 20 character length limit is so annoying because I once had 2 distinct passwords (not in use anymore) that were both coincidentally 21 characters long. Character limiting me by a single character at the end of those old passwords was annoying because I usually ended up, for some services I needed, having to change up and use a completely new password. Back when I was a lot worse about reusing passwords than now.

[–] [email protected] 17 points 5 months ago (1 children)

I swear password restrictions are getting to the point where there's eventually going to only be one usable password.

[–] [email protected] 8 points 5 months ago (1 children)

Yeah, it's counterproductive to lay out a bunch of restrictions. Let people make a long-ass password that's a memorable phrase - it's safer anyway.

Although I don't know how anyone makes it without a password manager at this point.

[–] [email protected] 8 points 5 months ago (1 children)

I don’t know how anyone makes it without a password manager at this point.

Password reuse. Password reuse everywhere.

[–] [email protected] 2 points 5 months ago (1 children)

We're all guilty of it. No shame in admitting it. I know I've been guilty of it from time to time.

[–] [email protected] 3 points 5 months ago (3 children)

When I have to sign up for something on my phone I will use my pre-Bitwarden default password. Then once I have a sec to sit down at an iPad or laptop I will change it to something more secure.

I am currently fighting with my wife and children to start using a password manager.

[–] [email protected] -3 points 5 months ago (1 children)

What's the best password manager you'd recommend?

[–] [email protected] 2 points 5 months ago (1 children)

I have only used LastPass (they have had several breaches and I do not recommend them), Bitwarden (my current daily driver and my recommendation), and I have used Apple Keychain a little for passwords at work that my wife can access without having full access to my Bitwarden.

[–] [email protected] -3 points 5 months ago (1 children)
[–] [email protected] 2 points 5 months ago

I have heard really good things about Proton Pass too, but I have never used it. I use Proton Mail and VPN, trying to space my security between providers.

[–] [email protected] 3 points 5 months ago

On your phone, you can select autofill, then ask Bitwarden to generate a password, save it and use that to register.

[–] [email protected] 5 points 5 months ago (1 children)

The funny thing about that is that I am currently on my laptop getting KeePassXC set up. This post has somehow motivated me to finally get a password manager.

[–] [email protected] 2 points 5 months ago

If it converts one person that is a good thing.

[–] [email protected] 6 points 5 months ago (2 children)

At least they show you their requirements. Usually I use passwords with up to 150 characters (including special ones). Getting a vague response like "Password is invalid" is so annoying. I then have to remove special characters and reduce the length step by step until it is accepted by the website. (But 20 characters is way too short, resulting in these hilarious other requirements. You just want to create an account, without having to do a PhD in creating passwords first.)

[–] [email protected] 2 points 5 months ago

Twitch is bad about this. It's not a fucking ballistic missile installation - just tell me what you want.

[–] [email protected] 1 points 5 months ago (1 children)

There shouldn't be an arbitrary limit on the length of a password but how is 20 characters "way too short"? It's more than 10^36 combinations.

[–] [email protected] 4 points 5 months ago* (last edited 5 months ago) (1 children)

It doesn't even matter. Because the limit implies that they don't hash and salt their passwords.

Plus they had a breach already in 2017.

[–] [email protected] 1 points 5 months ago

yep. you are right.

[–] [email protected] 30 points 5 months ago (2 children)

Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.

[–] [email protected] 0 points 5 months ago

You signed a contract? Pretty sure they're going to fuck it up either way and they definitely have all your data.

[–] [email protected] 9 points 5 months ago

that they collect without your explicit consent

[–] [email protected] 0 points 5 months ago
[–] [email protected] 16 points 5 months ago (3 children)

Correct me if I'm wrong, but the only reason to limit password length is to save carrying cost on the database. But the only reason that this would be value added is if the passwords are encrypted with reversible encryption, instead of hashed. Isn't this against some CISA recommendation?
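The two technical claims in this thread, that 20 characters is "more than 10^36 combinations" (the earlier comment) and that a length cap only saves storage if passwords are stored reversibly rather than hashed (this comment), can both be checked directly. The following is an added example written for this page, not code from any commenter or from Equifax; it uses only the Python standard library, picks PBKDF2-HMAC-SHA256 as an illustrative salted hash (the iteration count and salt size are the example's own choices, not anything the thread states), and shows that the stored record is the same size for a 5-character and a 2000-character password, while the keyspace of a 20-character password depends on which character set the site actually allows.

```python
"""Added example (not from the thread): hashed password storage is fixed-size
regardless of password length, so a length cap buys nothing for storage, and
what a 20-character cap means for keyspace under different character sets."""
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Example choices, not taken from the page: 16-byte salt, PBKDF2-HMAC-SHA256.
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always 32 bytes for SHA-256,
    whatever the length of the input password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def stored_size(password: str, iterations: int = DEFAULT_ITERATIONS) -> int:
    """Bytes the database actually has to keep for this password (salt + digest).
    A 20-character cap cannot shrink this: it is constant."""
    salt, digest = hash_password(password, iterations=iterations)
    return len(salt) + len(digest)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def keyspace_bits(charset_size: int, length: int) -> float:
    """Same thing expressed as bits of entropy for a uniformly random password."""
    return length * math.log2(charset_size)


# Character-set sizes used for the comparison (constructed for the example):
# 62 = letters + digits only, 95 = all printable ASCII.
ALNUM = 62
PRINTABLE_ASCII = 95

if __name__ == "__main__":
    short, long = "short", "x" * 2000
    print("stored bytes, 5-char password:   ", stored_size(short, 10_000))
    print("stored bytes, 2000-char password:", stored_size(long, 10_000))
    salt, digest = hash_password(long, iterations=10_000)
    print("verify correct password:", verify_password(long, salt, digest, 10_000))
    print("verify wrong password:  ", verify_password(short, salt, digest, 10_000))
    for name, size in (("alphanumeric", ALNUM), ("printable ASCII", PRINTABLE_ASCII)):
        print(f"20 chars, {name}: {keyspace(size, 20):.2e} "
              f"({keyspace_bits(size, 20):.1f} bits)")
```

Running it shows 48 stored bytes for both passwords, and that the "more than 10^36" figure holds for the full printable-ASCII set (95^20 is about 3.6e39) but not for letters and digits alone (62^20 is about 7.0e35), which matters here because the original post says the site restricts which non-alphanumeric characters are allowed.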

[–] [email protected] 3 points 5 months ago (1 children)

There may also be a (very weak) reason around bounds checking and avoiding buffer overflows. By rejecting anything longer than 20 characters, the developer can be sure that there will be nothing longer sent to the back end code. While they should still be doing bounds checking in the rest of the code, if the team making the UI is not the same as the team making the back end code, the UI team may see it as a reasonable restriction to prevent a screw-up further down the stack from being exploited. Again, it's a very weak argument, but I can see such an argument being made in a large organization with lots of teams who don't talk to each other. Or worse yet, different contractors standing up the front end and back end.

[–] [email protected] 1 points 5 months ago

They really shouldn't be sending the password over the line at all. It should be locally hashed/salted, encrypted, and then sent. So plaintext length really shouldn't matter much, if at all. But I see your point.

[–] [email protected] 5 points 5 months ago

Even then, the difference between 20 and 2000 characters is negligible

[–] [email protected] 13 points 5 months ago (1 children)

One other reason I could see is pure idiocy. Like I've seen that there is a bias to using every feature some software has, and if a max limit can be set, it will be set, to a "reasonable" value.

[–] [email protected] 3 points 5 months ago

Maybe it's also a "it's the way we've always done it" BS that plays into it, too?
