Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.

  • kingthrillgore@lemmy.ml
    0·
    2 months ago

    A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren’t hashing your password with anything stronger than MD5. Or worse.

    • 🅿🅸🆇🅴🅻@lemmy.world
      0·
      2 months ago

      A hash has a fixed length, including MD5. There’s no reason to cap password (input) Iength. You can hash the whole bible and still get the same length hash. So either they don’t even hash it, they’re idiots, or they try to be unnecessarily cautious to avoid some other limit / overflow, like POST max size (which would still be counted in at least KB, not several characters). The limit on what special characters you can use is also highly suspicious - that’s not how you deal with injections / escaping your inputs.

      • drivepiler@lemmy.world
        0·
        1 month ago

        Hashing takes longer the longer the string is, so it technically could impact performance if many people with very long passwords log in simultaneously. 20 characters is ridiculous though, you could probably cap it at hundreds and still be completely fine.

    • Toribor@corndog.socialEnglish
      0·
      2 months ago

      My default is to generate a 32 character password and store it in a password manager. Doesn’t matter to me how many characters it has since I’m just going to copy and paste it anyway.

      Pretty surprising how many places enforce shorter passwords though… I had a bank that had a maximum character limit of 12. I don’t bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.

  • js10@reddthat.com
    0·
    2 months ago

    I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?

    • digdilem@lemmy.mlEnglish
      0·
      2 months ago

      since the plain text isnt stored

      I’m not sure I’d accept a bet on that assumption.

    • Vivendi@lemmy.zip
      0·
      2 months ago

      Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil’d into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don’t do fucky things with passwords unless your backend is doing something really stupid.

    • daddy32@lemmy.world
      0·
      2 months ago

      Calculating hashes is supposedly more expensive for longer strings. That could be used to simplify some kind of overload attack like DDOS.

      • xthexder@l.sw0.com
        0·
        2 months ago

        If they’re not already rate-limiting login attempts that’s another huge problem…

      • ReveredOxygen@sh.itjust.worksEnglish
        0·
        2 months ago

        If they’re using md5 (which would be in line with their security practices), the block size is 512 bits. That means that everything less than 64 characters is the same cost

  • davel@lemmy.mlEnglish
    0·
    2 months ago

    Yeah well, if you’re so smart let’s see you write a website in COBOL.

  • CubitOom@infosec.pubEnglish
    0·
    2 months ago

    I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there’s nonway someone could spoof a phone number and then unfreeze your credit.

    • krolden@lemmy.ml
      0·
      2 months ago

      Financial companies ans banks and stuff have to follow regulations on their MFA method. That why you can’t just use any OTP authenticator and are stuck with email/SMS.

      • The Doctor@beehaw.orgEnglish
        0·
        2 months ago

        In case anybody’s curious about what those are:

        The biggest reason they use phone calls or SMS, however, is because they don’t want to go to the hassle of getting an in-house MFA service (a TOTP backend, in other words), approved, pen tested, analyzed, verified… all things considered, it’s faster and easier to go with a service like Twilio that already did all that legwork. A couple of years back I worked for a company in just that position, and after we did all the legwork, research, and consultation with the independent third party specialists trying to run our own TOTP would have easily doubled the yearly cost because of all the compliance stuff.

        • krolden@lemmy.ml
          0·
          2 months ago

          Adding TOTP would be cheaper in the long run than continuing to pay those SMS rates. I dont think its about any kind of extra hassle they have to deal with. More of terrible NIST standards written by the center for internet security, which is a for profit corporation that apparently nist allows to write all their standards

          • The Doctor@beehaw.orgEnglish
            0·
            1 month ago

            It really depends on the company. When I was working for that company a few jobs back, we crunched the numbers and the cost of C&C and IV&V (Certification and Accreditation; Independent Verification and Validation) for an in-house TOTP had one more zero to the left of the decimal point than the Twilio bill (added up for the year). Plus, for compliance we’d have to get everything re-vetted yearly.

            That’s kinda of the definition of government contracting. :) I think the only US government org that has actual govvies doing anything other than management is NASA.

  • Ellia Plissken@lemm.eeEnglish
    0·
    2 months ago

    the Ring app (I think) forced me to change my Wi-Fi password because I wasn’t allowed to use ampersands. according to support it’s because they “use ampersands in the code”

      • Ellia Plissken@lemm.eeEnglish
        0·
        2 months ago

        yeah I only have a ring for my outdoor cameras. I was considering switching my indoor system yo ring as my alarm company keeps raising their prices but I’m not putting ring cameras inside my house. especially because the privacy shutters on them are manual

      • FuzzyRedPanda@lemm.eeEnglish
        0·
        2 months ago

        It deeply saddens me when people pay money for locked down hardware that’s not only designed to spy on them, but their family, friends, and neighbors as well. Ring, Amazon Echo, Google Home, that creepy Facebook robot screen…all insecure spyware.

    • Puttaneska@lemmy.world
      0·
      2 months ago

      I encountered something like this at work. It wasn’t pass related, it was just a means of getting people to make text responses. Ampersands were replaced with some gibberish format, which annoyed everyone.

      I got some kind of explanation from our tech people, which I understood to mean that ampersand was used to indicate that what followed was live code. Turning the ampersand into gibberish text was a safety measure to stop mischief.

      I’ve noticed ampersand replacements in some news feeds too

  • voracitude@lemmy.world
    0·
    2 months ago

    Oh boy. If you think this is bad, you should try waiting a few weeks or months after you’re signed up this time, then sign up for a new account using your current details, just with a different email. Spoiler: if you can answer the security questions, you’re home free.

    And remember that between the Equifax leak and more recent hacks, at this point, every sensitive detail for every member of the economy is now in the hands of bad actors. If they want your shit, or into it, they’ll social engineer it.

    Should passwords have maximum character counts? Sure, to prevent overflow attacks (or whatever) by pasting five different analyses of the movie Primer as your password. It should be longer than 20 in any case. But are there other, way worse security issues? Yes.

  • TheReturnOfPEB@reddthat.comEnglish
    0·
    1 month ago

    short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded

    • azalty@jlai.lu
      0·
      1 month ago

      They’re supposed to be hashed so that shouldn’t matter

      Unless that’s the joke or something

  • chiliedogg@lemmy.world
    0·
    1 month ago

    I swear password restrictions are getting to the point where there’s eventually going to only be one usable password.

    • filcuk@lemmy.zip
      0·
      1 month ago

      Yeah, it’s counterproductive to lay out a bunch of restrictions. Let people make a long-ass password that’s a memorable phrase - it’s safer anyway.

      Although I don’t know how anyone makes it without a password manager at this point.

      • sylver_dragon@lemmy.worldEnglish
        0·
        1 month ago

        I don’t know how anyone makes it without a password manager at this point.

        Password reuse. Password reuse everywhere.

          • nocturne@sopuli.xyzOP
            0·
            1 month ago

            When I have to sign up for something on my phone I will use my pre Bitwarden default password. Then once I have a sec to sit down iPad or laptop I will change it to something more secure.

            I am currently fighting with my wife and children to start using a password manager.

  • Scott@lem.free.asEnglish
    0·
    2 months ago

    This implies they’re storing the plaintext password.

    Ideally the password would be hashed with a salt and then stored. Then it’s a fixed length field and it shouldn’t matter how long the password is.

    • Helix 🧬@feddit.orgEnglish
      0·
      2 months ago

      Or a very very old database system, possibly DB2, where you can’t change the column limits or data types after the fact.

      • xthexder@l.sw0.com
        0·
        2 months ago

        If they’re hashing, the column size should be irrelevant. Ideally the database should never see the plaintext password in the first place (though I could understand calculating the hash in the query itself). If they’re not hashing, they should really be rewriting their database anyway.

      • xthexder@l.sw0.com
        0·
        2 months ago

        I’d rather see a paper explaining the flaws with salted passwords rather than “just use this instead”.

        My initial reaction is that this overcomplicates things for the majority of use-cases, and has way more to configure correctly compared to something basic like a salted sha256/sha512 hash that you can write in any language’s standard library.

        If the database of everyone’s salted password hashes gets leaked, this still gives everyone plenty of time to change passwords before anything has a chance of cracking them. (Unless you’re about to drop some news on me about long time standard practices being fundamentally flawed)

        • delirious_owl@discuss.online
          0·
          1 month ago

          Wut. Is the competition not enough data for you? This is how we got AES.

          Can you name a single popular language where Argon2 isn’t implemented in a stamdard library?

  • UnfortunateShort@lemmy.world
    0·
    2 months ago

    I’m just gonna go ahead and say it: 16 Characters are sufficient and 20 pretty damn secure.

    That is assuming they do stuff right and there are no vulnerabilities, which they won’t and there are. However they may manifest, they are a greater concern at 16+ characters, especially if they don’t offer 2FA.

    The reason is that even if machines become powerful enough that 16 characters can be bruteforced, which they can’t atm, you can effectively defend everything against bruteforce attacks by other means. Including but not limited to limiting login attempts, salts and pepper, multiple encryption layers etc.

    With just a salt pepper you can make a 16 char password effectively a 24 char password… Or a 2.000.000 char password. Assuming it is not stolen alongside that is.

    Edit: Changed ‘salt’ to ‘pepper’.

    • MartianSands@sh.itjust.works
      0·
      2 months ago

      The actual length of the password isn’t the problem. If they were “doing stuff right” then it would make no difference to them whether the password was 20 characters or 200, because once it was hashed both would be stored in the same amount of space.

      The fact that they’ve specified a limit is strong evidence that they’renot doing it right

      • ghu@lemmy.ml
        0·
        2 months ago

        Some hashing algorithms are suspectible to long password denial of service so it’s recommended to limit the length of password but certainly not to 20 characters but to a more reasonable limit, like 100 characters or so.

      • UnfortunateShort@lemmy.world
        0·
        2 months ago

        It does, I’ll give you that. However, I will hold the fact that their maximum is actually reasonable against that. The minimum of 8 is more concerning imo

    • cynar@lemmy.worldEnglish
      0·
      2 months ago

      I tend to prefer pass phrases, they are a lot easier to type and speak, if required. Mine regularly blow past 20 characters.

      As for salting, that only defends against rainbow table attacks. The salt needs to be stored along with the hash. That is find for most accounts, but once you’re in banking territory, that’s a bad bet.

      You also can’t assume you have no vulnerabilities. If someone gets your database, you can’t defend against brute force attacks.

      Lastly, if you are doing passwords properly, you shouldn’t care much about length. There are a few dos attacks to worry about, but a 512 char limit will stop those, and not limit any sane password.

      • frezik@midwest.social
        0·
        2 months ago

        Bcrypt and scrypt both have a byte limit of 72. That’s still enough for a secure passphrase, though some schemes might blow past it.

    • frezik@midwest.social
      0·
      2 months ago

      That’s not how salt works. It will be stolen alongside the password hash, because salt is necessarily in plaintext. It doesn’t increase the guessability of passwords. It just makes it infeasible to precompute your guesses.

  • guemax@lemmy.todayDeutsch
    0·
    1 month ago

    At least they show you their requirements. Usually I use passwords with up to 150 characters (including special ones). Getting a vague response like “Password is invalid” is so annoying. I then have to remove special characters and reduce the length step by step until it is accepted by the website. (But 20 characters is way too short, resulting in these hilarious other requirements. You just want to create an account, without having to do a PhD in creating passwords first.)

    • chiliedogg@lemmy.world
      0·
      1 month ago

      Twitch is bad about this. It’s not a fucking ballistic missile installation - just tell me what you want.

    • kureta@lemmy.ml
      0·
      1 month ago

      There shouldn’t be an arbitrary limit on the length of a password but how is 20 characters “way too short”? It’s more than 10^36 combinations.

      • dubyakay@lemmy.ca
        0·
        1 month ago

        It doesn’t even matter. Because the limit implies that they don’t hash and salt their passwords.

        Plus they had a breach already in 2017.