Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.

  • shortwavesurfer@lemmy.zip
    0·
    29 days ago

    Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It’s like oh come on that is way too easy these days

    • bassomitron@lemmy.worldEnglish
      0·
      29 days ago

      Honestly, that’s a sign to me that your bank doesn’t take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it’ll even send me a text to verify a purchase if their software thinks it’s weird I got across town too quickly, though that’s pretty rare so it isn’t overly aggressive/inconvenient.

      • PlexSheep@infosec.pub
        0·
        27 days ago

        In Germany at least, I hear that banks have weird law requirements for these weird security things, like photoTAN.

        I’d be much happier if they’d just let me do my usual setup with password, totp and my hardware token.

        • Trainguyrom@reddthat.comEnglish
          0·
          27 days ago

          In the US the FDIC sets security requirements for banks and audits annually, and they keeps raising requirements every year or so. At this point its just easier for a bank to invest in following current best practices and keep updating to the current best practices than to keep chasing every new finding on the FDIC audits each year

          Source: I worked in IT at a bank for a while

    • cm0002@lemmy.world
      0·
      29 days ago

      Oh but wait! That non-customizable account number user ID that you have to wait for in the mail is definitely top notch security!

    • ShepherdPie@midwest.social
      0·
      29 days ago

      Banks aren’t much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I’m pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.

      • nocturne@sopuli.xyzOP
        0·
        29 days ago

        You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.

        • ShepherdPie@midwest.social
          0·
          29 days ago

          The first part I’m sure about because I had to create a bookmark of a line of javascript that would bypass the on-screen keyboard and allow you to autofill the password. It was sometime in the last 3 or 4 years that they finally joined the 1990s and updated it

  • davel@lemmy.mlEnglish
    0·
    29 days ago

    Yeah well, if you’re so smart let’s see you write a website in COBOL.

  • CubitOom@infosec.pubEnglish
    0·
    29 days ago

    I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there’s nonway someone could spoof a phone number and then unfreeze your credit.

    • krolden@lemmy.ml
      0·
      28 days ago

      Financial companies ans banks and stuff have to follow regulations on their MFA method. That why you can’t just use any OTP authenticator and are stuck with email/SMS.

      • The Doctor@beehaw.orgEnglish
        0·
        28 days ago

        In case anybody’s curious about what those are:

        The biggest reason they use phone calls or SMS, however, is because they don’t want to go to the hassle of getting an in-house MFA service (a TOTP backend, in other words), approved, pen tested, analyzed, verified… all things considered, it’s faster and easier to go with a service like Twilio that already did all that legwork. A couple of years back I worked for a company in just that position, and after we did all the legwork, research, and consultation with the independent third party specialists trying to run our own TOTP would have easily doubled the yearly cost because of all the compliance stuff.

        • krolden@lemmy.ml
          0·
          28 days ago

          Adding TOTP would be cheaper in the long run than continuing to pay those SMS rates. I dont think its about any kind of extra hassle they have to deal with. More of terrible NIST standards written by the center for internet security, which is a for profit corporation that apparently nist allows to write all their standards

          • The Doctor@beehaw.orgEnglish
            0·
            27 days ago

            It really depends on the company. When I was working for that company a few jobs back, we crunched the numbers and the cost of C&C and IV&V (Certification and Accreditation; Independent Verification and Validation) for an in-house TOTP had one more zero to the left of the decimal point than the Twilio bill (added up for the year). Plus, for compliance we’d have to get everything re-vetted yearly.

            That’s kinda of the definition of government contracting. :) I think the only US government org that has actual govvies doing anything other than management is NASA.

  • Ellia Plissken@lemm.eeEnglish
    0·
    29 days ago

    the Ring app (I think) forced me to change my Wi-Fi password because I wasn’t allowed to use ampersands. according to support it’s because they “use ampersands in the code”

    • scrion@lemmy.world
      0·
      28 days ago

      You mean the company that had a feature in place that allowed law enforcement to request and access video footage from your devices without obtaining a warrant first?

      Yeah, no thanks.

      • Ellia Plissken@lemm.eeEnglish
        0·
        28 days ago

        yeah I only have a ring for my outdoor cameras. I was considering switching my indoor system yo ring as my alarm company keeps raising their prices but I’m not putting ring cameras inside my house. especially because the privacy shutters on them are manual

      • FuzzyRedPanda@lemm.eeEnglish
        0·
        28 days ago

        It deeply saddens me when people pay money for locked down hardware that’s not only designed to spy on them, but their family, friends, and neighbors as well. Ring, Amazon Echo, Google Home, that creepy Facebook robot screen…all insecure spyware.

    • Puttaneska@lemmy.world
      0·
      28 days ago

      I encountered something like this at work. It wasn’t pass related, it was just a means of getting people to make text responses. Ampersands were replaced with some gibberish format, which annoyed everyone.

      I got some kind of explanation from our tech people, which I understood to mean that ampersand was used to indicate that what followed was live code. Turning the ampersand into gibberish text was a safety measure to stop mischief.

      I’ve noticed ampersand replacements in some news feeds too

  • voracitude@lemmy.world
    0·
    28 days ago

    Oh boy. If you think this is bad, you should try waiting a few weeks or months after you’re signed up this time, then sign up for a new account using your current details, just with a different email. Spoiler: if you can answer the security questions, you’re home free.

    And remember that between the Equifax leak and more recent hacks, at this point, every sensitive detail for every member of the economy is now in the hands of bad actors. If they want your shit, or into it, they’ll social engineer it.

    Should passwords have maximum character counts? Sure, to prevent overflow attacks (or whatever) by pasting five different analyses of the movie Primer as your password. It should be longer than 20 in any case. But are there other, way worse security issues? Yes.

  • Scott@lem.free.asEnglish
    0·
    28 days ago

    This implies they’re storing the plaintext password.

    Ideally the password would be hashed with a salt and then stored. Then it’s a fixed length field and it shouldn’t matter how long the password is.

      • xthexder@l.sw0.com
        0·
        28 days ago

        I’d rather see a paper explaining the flaws with salted passwords rather than “just use this instead”.

        My initial reaction is that this overcomplicates things for the majority of use-cases, and has way more to configure correctly compared to something basic like a salted sha256/sha512 hash that you can write in any language’s standard library.

        If the database of everyone’s salted password hashes gets leaked, this still gives everyone plenty of time to change passwords before anything has a chance of cracking them. (Unless you’re about to drop some news on me about long time standard practices being fundamentally flawed)

        • delirious_owl@discuss.online
          0·
          27 days ago

          Wut. Is the competition not enough data for you? This is how we got AES.

          Can you name a single popular language where Argon2 isn’t implemented in a stamdard library?

    • Helix 🧬@feddit.orgEnglish
      0·
      28 days ago

      Or a very very old database system, possibly DB2, where you can’t change the column limits or data types after the fact.

      • xthexder@l.sw0.com
        0·
        28 days ago

        If they’re hashing, the column size should be irrelevant. Ideally the database should never see the plaintext password in the first place (though I could understand calculating the hash in the query itself). If they’re not hashing, they should really be rewriting their database anyway.

  • UnbalancedFox@lemmy.ca
    0·
    27 days ago

    I had an account there with a proton email address and suddenly I couldn’t log in anymore. After 6 months of calling, someone finally told me proton emails are blocked because they are not secure. So I changes it to a tutanota email

    What a clusterf**k

    • nocturne@sopuli.xyzOP
      0·
      27 days ago

      I almost used my proton mail because I can create an alias, where equifax would not accept a plused gmail account.

  • UnfortunateShort@lemmy.world
    0·
    28 days ago

    I’m just gonna go ahead and say it: 16 Characters are sufficient and 20 pretty damn secure.

    That is assuming they do stuff right and there are no vulnerabilities, which they won’t and there are. However they may manifest, they are a greater concern at 16+ characters, especially if they don’t offer 2FA.

    The reason is that even if machines become powerful enough that 16 characters can be bruteforced, which they can’t atm, you can effectively defend everything against bruteforce attacks by other means. Including but not limited to limiting login attempts, salts and pepper, multiple encryption layers etc.

    With just a salt you can make a 16 char password effectively a 24 char password… Or a 2.000.000 char password. Assuming it is not stolen alongside that is.

    • frezik@midwest.social
      0·
      28 days ago

      That’s not how salt works. It will be stolen alongside the password hash, because salt is necessarily in plaintext. It doesn’t increase the guessability of passwords. It just makes it infeasible to precompute your guesses.

    • cynar@lemmy.worldEnglish
      0·
      28 days ago

      I tend to prefer pass phrases, they are a lot easier to type and speak, if required. Mine regularly blow past 20 characters.

      As for salting, that only defends against rainbow table attacks. The salt needs to be stored along with the hash. That is find for most accounts, but once you’re in banking territory, that’s a bad bet.

      You also can’t assume you have no vulnerabilities. If someone gets your database, you can’t defend against brute force attacks.

      Lastly, if you are doing passwords properly, you shouldn’t care much about length. There are a few dos attacks to worry about, but a 512 char limit will stop those, and not limit any sane password.

      • frezik@midwest.social
        0·
        28 days ago

        Bcrypt and scrypt both have a byte limit of 72. That’s still enough for a secure passphrase, though some schemes might blow past it.

    • MartianSands@sh.itjust.works
      0·
      28 days ago

      The actual length of the password isn’t the problem. If they were “doing stuff right” then it would make no difference to them whether the password was 20 characters or 200, because once it was hashed both would be stored in the same amount of space.

      The fact that they’ve specified a limit is strong evidence that they’renot doing it right

      • UnfortunateShort@lemmy.world
        0·
        28 days ago

        It does, I’ll give you that. However, I will hold the fact that their maximum is actually reasonable against that. The minimum of 8 is more concerning imo

      • ghu@lemmy.ml
        0·
        28 days ago

        Some hashing algorithms are suspectible to long password denial of service so it’s recommended to limit the length of password but certainly not to 20 characters but to a more reasonable limit, like 100 characters or so.