Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.

157 points

Yeah well, if you’re so smart let’s see you write a website in COBOL.

permalink
report
reply
88 points

no spaces in a string is a dead giveaway that theres Cobol in there somewhere meow

permalink
report
parent
reply

meow

?

permalink
report
parent
reply
52 points

their name is kittykittycatboys what else do you expect :3 meow

permalink
report
parent
reply
3 points

Meow do you like to drink milk from a saucer?

permalink
report
parent
reply
6 points

You joke, but…

(No, I will never forgive the college I went to for undergrad for forcing us to take two semesters of COBOL. Why do you ask?)

permalink
report
parent
reply
3 points

I actually clicked on all the web-related Awesome Cobol links yesterday. Each one is either a broken link or golang code.

permalink
report
parent
reply
4 points

“We serve food sanity here, sir”

permalink
report
parent
reply
91 points

This implies they’re storing the plaintext password.

Ideally the password would be hashed with a salt and then stored. Then it’s a fixed length field and it shouldn’t matter how long the password is.

permalink
report
reply
32 points

Or a very very old database system, possibly DB2, where you can’t change the column limits or data types after the fact.

permalink
report
parent
reply
10 points

If they’re hashing, the column size should be irrelevant. Ideally the database should never see the plaintext password in the first place (though I could understand calculating the hash in the query itself). If they’re not hashing, they should really be rewriting their database anyway.

permalink
report
parent
reply
7 points
*

Salted passwords are not recommended anymore. Better to use a memory hard key derivation function designed for passwords, like Argon.

https://en.wikipedia.org/wiki/Argon2

permalink
report
parent
reply
16 points

Those are salted, they just do it for you.

permalink
report
parent
reply
1 point

Where does the salt get stored?

permalink
report
parent
reply
5 points
*

I’d rather see a paper explaining the flaws with salted passwords rather than “just use this instead”.

My initial reaction is that this overcomplicates things for the majority of use-cases, and has way more to configure correctly compared to something basic like a salted sha256/sha512 hash that you can write in any language’s standard library.

If the database of everyone’s salted password hashes gets leaked, this still gives everyone plenty of time to change passwords before anything has a chance of cracking them. (Unless you’re about to drop some news on me about long time standard practices being fundamentally flawed)

permalink
report
parent
reply
1 point

Wut. Is the competition not enough data for you? This is how we got AES.

Can you name a single popular language where Argon2 isn’t implemented in a stamdard library?

permalink
report
parent
reply
81 points

Credit bureaus are not for your protection, they’re for the protection of their clients, the banks.

permalink
report
reply

Banks aren’t much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I’m pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.

permalink
report
parent
reply
11 points

You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.

permalink
report
parent
reply

The first part I’m sure about because I had to create a bookmark of a line of javascript that would bypass the on-screen keyboard and allow you to autofill the password. It was sometime in the last 3 or 4 years that they finally joined the 1990s and updated it

permalink
report
parent
reply
54 points

Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It’s like oh come on that is way too easy these days

permalink
report
reply
18 points

Oh but wait! That non-customizable account number user ID that you have to wait for in the mail is definitely top notch security!

permalink
report
parent
reply
11 points

Honestly, that’s a sign to me that your bank doesn’t take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it’ll even send me a text to verify a purchase if their software thinks it’s weird I got across town too quickly, though that’s pretty rare so it isn’t overly aggressive/inconvenient.

permalink
report
parent
reply
2 points

In Germany at least, I hear that banks have weird law requirements for these weird security things, like photoTAN.

I’d be much happier if they’d just let me do my usual setup with password, totp and my hardware token.

permalink
report
parent
reply
3 points
*

In the US the FDIC sets security requirements for banks and audits annually, and they keeps raising requirements every year or so. At this point its just easier for a bank to invest in following current best practices and keep updating to the current best practices than to keep chasing every new finding on the FDIC audits each year

Source: I worked in IT at a bank for a while

permalink
report
parent
reply
51 points
*

A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren’t hashing your password with anything stronger than MD5. Or worse.

permalink
report
reply
31 points

My default is to generate a 32 character password and store it in a password manager. Doesn’t matter to me how many characters it has since I’m just going to copy and paste it anyway.

Pretty surprising how many places enforce shorter passwords though… I had a bank that had a maximum character limit of 12. I don’t bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.

permalink
report
parent
reply
22 points

A hash has a fixed length, including MD5. There’s no reason to cap password (input) Iength. You can hash the whole bible and still get the same length hash. So either they don’t even hash it, they’re idiots, or they try to be unnecessarily cautious to avoid some other limit / overflow, like POST max size (which would still be counted in at least KB, not several characters). The limit on what special characters you can use is also highly suspicious - that’s not how you deal with injections / escaping your inputs.

permalink
report
parent
reply
4 points
*

Hashing takes longer the longer the string is, so it technically could impact performance if many people with very long passwords log in simultaneously. 20 characters is ridiculous though, you could probably cap it at hundreds and still be completely fine.

permalink
report
parent
reply

Privacy

!privacy@lemmy.ml

Create post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

Community stats

  • 5.4K

    Monthly active users

  • 3K

    Posts

  • 81K

    Comments