this post was submitted on 21 Aug 2024
607 points (98.1% liked)

Privacy

33266 readers
434 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
607
Signed up for Equifax to freeze my credit, password can not be longer than 20 characters (i.imgur.com)
submitted 5 months ago* (last edited 5 months ago) by [email protected] to c/[email protected]
147 comments fedilink hide all child comments
 

Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is "well all of our other customers are okay with this".

(page 3) 50 comments
sorted by: hot top controversial new old
[–] [email protected] 11 points 5 months ago

Open a bug report

[–] [email protected] 30 points 5 months ago (3 children)

Literally this

load more comments (3 replies)
[–] [email protected] 18 points 5 months ago (1 children)

Just wait until you get to Transunion's site. It is a dumpster fire of consisting of the worst sign up I've ever seen, "Contact our social team" and "If you haven't logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.

load more comments (1 replies)
[–] [email protected] 28 points 5 months ago (3 children)

My bank used to not let me type one longer than six (6) characters!

[–] [email protected] 7 points 5 months ago

Yup. My bank was even "translating" passwords to PINs behind the scene specifically so your password for the website would be the same as your password on the telephone.

[–] [email protected] 20 points 5 months ago (2 children)

My bank disables paste as has code checking if the browser is greater than Netscape Navigator 4.

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 13 points 5 months ago

Fuck1ngKil!M3

[–] [email protected] -2 points 5 months ago* (last edited 5 months ago) (6 children)

I'm just gonna go ahead and say it: 16 Characters are sufficient and 20 pretty damn secure.

That is assuming they do stuff right and there are no vulnerabilities, which they won't and there are. However they may manifest, they are a greater concern at 16+ characters, especially if they don't offer 2FA.

The reason is that even if machines become powerful enough that 16 characters can be bruteforced, which they can't atm, you can effectively defend everything against bruteforce attacks by other means. Including but not limited to limiting login attempts, salts and pepper, multiple encryption layers etc.

With just ~~a salt~~ pepper you can make a 16 char password effectively a 24 char password... Or a 2.000.000 char password. Assuming it is not stolen alongside that is.

Edit: Changed 'salt' to 'pepper'.

[–] [email protected] 8 points 5 months ago (1 children)

I tend to prefer pass phrases, they are a lot easier to type and speak, if required. Mine regularly blow past 20 characters.

As for salting, that only defends against rainbow table attacks. The salt needs to be stored along with the hash. That is find for most accounts, but once you're in banking territory, that's a bad bet.

You also can't assume you have no vulnerabilities. If someone gets your database, you can't defend against brute force attacks.

Lastly, if you are doing passwords properly, you shouldn't care much about length. There are a few dos attacks to worry about, but a 512 char limit will stop those, and not limit any sane password.

load more comments (1 replies)
[–] [email protected] 5 points 5 months ago (2 children)

The actual length of the password isn't the problem. If they were "doing stuff right" then it would make no difference to them whether the password was 20 characters or 200, because once it was hashed both would be stored in the same amount of space.

The fact that they've specified a limit is strong evidence that they'renot doing it right

[–] [email protected] 6 points 5 months ago (1 children)

Some hashing algorithms are suspectible to long password denial of service so it's recommended to limit the length of password but certainly not to 20 characters but to a more reasonable limit, like 100 characters or so.

load more comments (1 replies)
[–] [email protected] 3 points 5 months ago

It does, I'll give you that. However, I will hold the fact that their maximum is actually reasonable against that. The minimum of 8 is more concerning imo

load more comments (4 replies)
[–] [email protected] 90 points 5 months ago (8 children)

This implies they're storing the plaintext password.

Ideally the password would be hashed with a salt and then stored. Then it's a fixed length field and it shouldn't matter how long the password is.

[–] [email protected] 32 points 5 months ago (1 children)

Or a very very old database system, possibly DB2, where you can't change the column limits or data types after the fact.

load more comments (1 replies)
load more comments (7 replies)
[–] [email protected] 4 points 5 months ago* (last edited 5 months ago)

I went through that bullshit so many times trying to get the characters etc then the next step said not available try again later, then repeat that a few times. What BS a max of 20 characters is too.

[–] [email protected] 11 points 5 months ago

Oh boy. If you think this is bad, you should try waiting a few weeks or months after you're signed up this time, then sign up for a new account using your current details, just with a different email. Spoiler: if you can answer the security questions, you're home free.

And remember that between the Equifax leak and more recent hacks, at this point, every sensitive detail for every member of the economy is now in the hands of bad actors. If they want your shit, or into it, they'll social engineer it.

Should passwords have maximum character counts? Sure, to prevent overflow attacks (or whatever) by pasting five different analyses of the movie Primer as your password. It should be longer than 20 in any case. But are there other, way worse security issues? Yes.

[–] [email protected] 27 points 5 months ago (1 children)

I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there's nonway someone could spoof a phone number and then unfreeze your credit.

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago) (5 children)

Financial companies ans banks and stuff have to follow regulations on their MFA method. That why you can't just use any OTP authenticator and are stuck with email/SMS.

load more comments (5 replies)
[–] [email protected] 47 points 5 months ago (7 children)

the Ring app (I think) forced me to change my Wi-Fi password because I wasn't allowed to use ampersands. according to support it's because they "use ampersands in the code"

[–] [email protected] 5 points 5 months ago

Eufy cameras will not allow spaces in the WiFi password.

[–] [email protected] 17 points 5 months ago (1 children)

Sure would be a shame of Bobby tables made a ring acct

load more comments (1 replies)
[–] [email protected] 60 points 5 months ago* (last edited 5 months ago) (2 children)

You mean the company that had a feature in place that allowed law enforcement to request and access video footage from your devices without obtaining a warrant first?

As expected, their security measures were also found to be lacking.

Yeah, no thanks.

[–] [email protected] 30 points 5 months ago

It deeply saddens me when people pay money for locked down hardware that's not only designed to spy on them, but their family, friends, and neighbors as well. Ring, Amazon Echo, Google Home, that creepy Facebook robot screen...all insecure spyware.

load more comments (1 replies)
[–] [email protected] 9 points 5 months ago

Then wash the code! Son's of bitches!

load more comments (3 replies)
[–] [email protected] 6 points 5 months ago

Reminds me of this

[–] [email protected] 20 points 5 months ago

that is a painfully bad list of ~~requirements~~ bullshit

[–] [email protected] 19 points 5 months ago

That’s security theater for you…

[–] [email protected] 14 points 5 months ago (1 children)

I'd like to not solve a boolean satisfiability problem along the way, please.

load more comments (1 replies)
[–] [email protected] 3 points 5 months ago

@nokturne213 Add it to https://dumbpasswordrules.com/

#DumbPasswordRules

[–] [email protected] 82 points 5 months ago (1 children)

Credit bureaus are not for your protection, they're for the protection of their clients, the banks.

[–] [email protected] 23 points 5 months ago (1 children)

Banks aren't much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I'm pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.

[–] [email protected] 12 points 5 months ago (1 children)

You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.

[–] [email protected] 3 points 5 months ago

The first part I'm sure about because I had to create a bookmark of a line of javascript that would bypass the on-screen keyboard and allow you to autofill the password. It was sometime in the last 3 or 4 years that they finally joined the 1990s and updated it

[–] [email protected] 55 points 5 months ago (2 children)

Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It's like oh come on that is way too easy these days

[–] [email protected] 12 points 5 months ago (2 children)

Honestly, that's a sign to me that your bank doesn't take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it'll even send me a text to verify a purchase if their software thinks it's weird I got across town too quickly, though that's pretty rare so it isn't overly aggressive/inconvenient.

load more comments (2 replies)
[–] [email protected] 18 points 5 months ago

Oh but wait! That non-customizable ~~account number~~ user ID that you have to wait for in the mail is definitely top notch security!

[–] [email protected] 159 points 5 months ago (4 children)

Yeah well, if you’re so smart let’s see you write a website in COBOL.

[–] [email protected] 4 points 5 months ago

"We serve ~~food~~ sanity here, sir"

[–] [email protected] 88 points 5 months ago (1 children)

no spaces in a string is a dead giveaway that theres Cobol in there somewhere meow

[–] [email protected] 34 points 5 months ago (2 children)

meow

?

[–] [email protected] 53 points 5 months ago (2 children)

their name is kittykittycatboys what else do you expect :3 meow

[–] [email protected] 32 points 5 months ago (4 children)

It shows up on my screen as merely "max", nothing else.

[–] [email protected] 5 points 5 months ago (2 children)

Where would max even come from? That's not in their username o.O

load more comments (1 replies)
[–] [email protected] 6 points 5 months ago

If you open the profile it seems to have two names. I have the feeling that only one of them is valid with the instance postfix, despite it being shown with both

load more comments (2 replies)
load more comments (1 replies)
load more comments (1 replies)
load more comments (2 replies)
load more comments
view more: ‹ prev next ›