Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.
Both Experian and transunion had no password length limitations, nor did they require my username be my email address.
Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.
I’m just gonna go ahead and say it: 16 Characters are sufficient and 20 pretty damn secure.
That is assuming they do stuff right and there are no vulnerabilities, which they won’t and there are. However they may manifest, they are a greater concern at 16+ characters, especially if they don’t offer 2FA.
The reason is that even if machines become powerful enough that 16 characters can be bruteforced, which they can’t atm, you can effectively defend everything against bruteforce attacks by other means. Including but not limited to limiting login attempts, salts and pepper, multiple encryption layers etc.
With just a salt you can make a 16 char password effectively a 24 char password… Or a 2.000.000 char password. Assuming it is not stolen alongside that is.
The actual length of the password isn’t the problem. If they were “doing stuff right” then it would make no difference to them whether the password was 20 characters or 200, because once it was hashed both would be stored in the same amount of space.
The fact that they’ve specified a limit is strong evidence that they’renot doing it right
It does, I’ll give you that. However, I will hold the fact that their maximum is actually reasonable against that. The minimum of 8 is more concerning imo
Some hashing algorithms are suspectible to long password denial of service so it’s recommended to limit the length of password but certainly not to 20 characters but to a more reasonable limit, like 100 characters or so.
That’s not how salt works. It will be stolen alongside the password hash, because salt is necessarily in plaintext. It doesn’t increase the guessability of passwords. It just makes it infeasible to precompute your guesses.
So what does the password length matter if they also get the salt?
I tend to prefer pass phrases, they are a lot easier to type and speak, if required. Mine regularly blow past 20 characters.
As for salting, that only defends against rainbow table attacks. The salt needs to be stored along with the hash. That is find for most accounts, but once you’re in banking territory, that’s a bad bet.
You also can’t assume you have no vulnerabilities. If someone gets your database, you can’t defend against brute force attacks.
Lastly, if you are doing passwords properly, you shouldn’t care much about length. There are a few dos attacks to worry about, but a 512 char limit will stop those, and not limit any sane password.
Bcrypt and scrypt both have a byte limit of 72. That’s still enough for a secure passphrase, though some schemes might blow past it.