Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.

  • davel [he/him]
    link
    fedilink
    English
    1553 months ago

    Yeah well, if you’re so smart let’s see you write a website in COBOL.

    • max
      link
      fedilink
      863 months ago

      no spaces in a string is a dead giveaway that theres Cobol in there somewhere meow

        • Cattypat
          link
          fedilink
          English
          533 months ago

          their name is kittykittycatboys what else do you expect :3 meow

            • my_hat_stinks
              link
              fedilink
              6
              edit-2
              3 months ago

              Username and display name can be set independently, you should have a “Display name” field in settings. Their non-unique display name is “max” and their unique username is “@[email protected]”. If you check their profile you should see both.

              If you don’t set a display name it will be the same as your username, if you set display name to the same as username (like I have) it’ll show your username without the instance even to people on other instances.

            • Obinice
              link
              53 months ago

              Where would max even come from? That’s not in their username o.O

    • @cm0002
      link
      43 months ago

      “We serve food sanity here, sir”

  • Scott
    link
    fedilink
    English
    843 months ago

    This implies they’re storing the plaintext password.

    Ideally the password would be hashed with a salt and then stored. Then it’s a fixed length field and it shouldn’t matter how long the password is.

    • Helix 🧬
      link
      fedilink
      English
      313 months ago

      Or a very very old database system, possibly DB2, where you can’t change the column limits or data types after the fact.

      • @[email protected]
        link
        fedilink
        93 months ago

        If they’re hashing, the column size should be irrelevant. Ideally the database should never see the plaintext password in the first place (though I could understand calculating the hash in the query itself). If they’re not hashing, they should really be rewriting their database anyway.

      • @[email protected]
        link
        fedilink
        5
        edit-2
        3 months ago

        I’d rather see a paper explaining the flaws with salted passwords rather than “just use this instead”.

        My initial reaction is that this overcomplicates things for the majority of use-cases, and has way more to configure correctly compared to something basic like a salted sha256/sha512 hash that you can write in any language’s standard library.

        If the database of everyone’s salted password hashes gets leaked, this still gives everyone plenty of time to change passwords before anything has a chance of cracking them. (Unless you’re about to drop some news on me about long time standard practices being fundamentally flawed)

        • @[email protected]
          link
          fedilink
          13 months ago

          Wut. Is the competition not enough data for you? This is how we got AES.

          Can you name a single popular language where Argon2 isn’t implemented in a stamdard library?

          • @[email protected]
            link
            fedilink
            12 months ago

            I think you’re missing the point of what I’m asking. In what way are regular salted passwords insecure? Sure you can keep adding extra steps to encryption, but at a certain point you’re just wasting CPU cycles.

            I have no doubts about Argon2 being secure, I just think the extra steps are unnecessary for anything I would build (i.e. not touching financial transactions or people’s SSNs). By design argon2 uses a lot of memory and CPU time to make bruteforce attacks much harder, but that’s more of a downside when you’re just doing basic account logins on a low end server.

            I’ll happily retract my point about external dependencies. It’s available in most languages, and notably std C++ contains neither argon2 or sha256/512 hashing, so that kind of makes my original point invalid anyway.

  • Onno (VK6FLAB)
    link
    fedilink
    763 months ago

    Credit bureaus are not for your protection, they’re for the protection of their clients, the banks.

    • @[email protected]
      link
      fedilink
      223 months ago

      Banks aren’t much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I’m pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.

      • nocturneOP
        link
        fedilink
        113 months ago

        You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.

        • @[email protected]
          link
          fedilink
          33 months ago

          The first part I’m sure about because I had to create a bookmark of a line of javascript that would bypass the on-screen keyboard and allow you to autofill the password. It was sometime in the last 3 or 4 years that they finally joined the 1990s and updated it

  • @[email protected]
    link
    fedilink
    533 months ago

    Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It’s like oh come on that is way too easy these days

    • @cm0002
      link
      183 months ago

      Oh but wait! That non-customizable account number user ID that you have to wait for in the mail is definitely top notch security!

    • @bassomitron
      link
      English
      133 months ago

      Honestly, that’s a sign to me that your bank doesn’t take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it’ll even send me a text to verify a purchase if their software thinks it’s weird I got across town too quickly, though that’s pretty rare so it isn’t overly aggressive/inconvenient.

      • @[email protected]
        link
        fedilink
        23 months ago

        In Germany at least, I hear that banks have weird law requirements for these weird security things, like photoTAN.

        I’d be much happier if they’d just let me do my usual setup with password, totp and my hardware token.

        • @[email protected]
          link
          fedilink
          English
          3
          edit-2
          2 months ago

          In the US the FDIC sets security requirements for banks and audits annually, and they keeps raising requirements every year or so. At this point its just easier for a bank to invest in following current best practices and keep updating to the current best practices than to keep chasing every new finding on the FDIC audits each year

          Source: I worked in IT at a bank for a while

  • kingthrillgore
    link
    fedilink
    50
    edit-2
    3 months ago

    A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren’t hashing your password with anything stronger than MD5. Or worse.

    • @[email protected]
      link
      fedilink
      English
      293 months ago

      My default is to generate a 32 character password and store it in a password manager. Doesn’t matter to me how many characters it has since I’m just going to copy and paste it anyway.

      Pretty surprising how many places enforce shorter passwords though… I had a bank that had a maximum character limit of 12. I don’t bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.

    • 🅿🅸🆇🅴🅻
      link
      213 months ago

      A hash has a fixed length, including MD5. There’s no reason to cap password (input) Iength. You can hash the whole bible and still get the same length hash. So either they don’t even hash it, they’re idiots, or they try to be unnecessarily cautious to avoid some other limit / overflow, like POST max size (which would still be counted in at least KB, not several characters). The limit on what special characters you can use is also highly suspicious - that’s not how you deal with injections / escaping your inputs.

      • @drivepiler
        link
        4
        edit-2
        2 months ago

        Hashing takes longer the longer the string is, so it technically could impact performance if many people with very long passwords log in simultaneously. 20 characters is ridiculous though, you could probably cap it at hundreds and still be completely fine.

  • Ellia Plissken
    link
    fedilink
    English
    463 months ago

    the Ring app (I think) forced me to change my Wi-Fi password because I wasn’t allowed to use ampersands. according to support it’s because they “use ampersands in the code”

    • @scrion
      link
      58
      edit-2
      3 months ago

      You mean the company that had a feature in place that allowed law enforcement to request and access video footage from your devices without obtaining a warrant first?

      As expected, their security measures were also found to be lacking.

      Yeah, no thanks.

      • FuzzyRedPanda
        link
        fedilink
        English
        303 months ago

        It deeply saddens me when people pay money for locked down hardware that’s not only designed to spy on them, but their family, friends, and neighbors as well. Ring, Amazon Echo, Google Home, that creepy Facebook robot screen…all insecure spyware.

      • Ellia Plissken
        link
        fedilink
        English
        23 months ago

        yeah I only have a ring for my outdoor cameras. I was considering switching my indoor system yo ring as my alarm company keeps raising their prices but I’m not putting ring cameras inside my house. especially because the privacy shutters on them are manual

    • @SendMePhotos
      link
      93 months ago

      Then wash the code! Son’s of bitches!

    • nocturneOP
      link
      fedilink
      63 months ago

      Eufy cameras will not allow spaces in the WiFi password.

    • @Puttaneska
      link
      33 months ago

      I encountered something like this at work. It wasn’t pass related, it was just a means of getting people to make text responses. Ampersands were replaced with some gibberish format, which annoyed everyone.

      I got some kind of explanation from our tech people, which I understood to mean that ampersand was used to indicate that what followed was live code. Turning the ampersand into gibberish text was a safety measure to stop mischief.

      I’ve noticed ampersand replacements in some news feeds too

    • @Hexbatch
      link
      43 months ago

      Except todays wordle answer cannot be made to multiply to 35

    • @[email protected]
      link
      fedilink
      23 months ago

      I got to rule #16 - I suck at chess. Secret to “multiply roman numerals” is just add them up to the value.

    • nocturneOP
      link
      fedilink
      12 months ago

      Rule 5 The digits in your password must add up to 25.

  • ℍ𝕂-𝟞𝟝
    link
    fedilink
    English
    283 months ago

    Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.

    • @exanime
      link
      92 months ago

      that they collect without your explicit consent

    • @[email protected]
      link
      fedilink
      02 months ago

      You signed a contract? Pretty sure they’re going to fuck it up either way and they definitely have all your data.

  • tired_n_bored
    link
    273 months ago

    My bank used to not let me type one longer than six (6) characters!

    • @[email protected]
      link
      fedilink
      193 months ago

      My bank disables paste as has code checking if the browser is greater than Netscape Navigator 4.

        • @[email protected]
          link
          fedilink
          1
          edit-2
          3 months ago

          I wrote a TamperMonkey script. 😅 I needed to so I could use my password manager. How dare I.

          Should be a general web dev usability note: always aim to make your code to be friendly for scraping & userStyles/userScripts. If a client isn’t updating shit, at least users can easily fix things. This is also another point against this Tailwind-only trend since you tend to lose anything semantic in the DOM & have nothing to select on.

    • @[email protected]
      cake
      link
      fedilink
      83 months ago

      Yup. My bank was even “translating” passwords to PINs behind the scene specifically so your password for the website would be the same as your password on the telephone.

  • CubitOom
    link
    fedilink
    English
    243 months ago

    I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there’s nonway someone could spoof a phone number and then unfreeze your credit.

    • @kameecoding
      link
      193 months ago

      And I use password manager, I don’t care of its 52 chars long, I just use the software to fill the field

    • @johannesvanderwhales
      link
      83 months ago

      I recommend Diceware for generating memorable passwords of sufficient complexity…but also, a password manager.

    • nocturneOP
      link
      fedilink
      43 months ago

      I use a 5 word phrase generated by my password locker. I will add a symbol or three to it if required.

  • Eager Eagle
    link
    English
    203 months ago

    that is a painfully bad list of requirements bullshit

  • @[email protected]
    link
    fedilink
    English
    192 months ago

    short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded

    • @[email protected]
      link
      fedilink
      22 months ago

      They’re supposed to be hashed so that shouldn’t matter

      Unless that’s the joke or something

  • @alkaliv2
    link
    173 months ago

    Just wait until you get to Transunion’s site. It is a dumpster fire of consisting of the worst sign up I’ve ever seen, “Contact our social team” and "If you haven’t logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.

    • nocturneOP
      link
      fedilink
      33 months ago

      Transunion was not too bad, and they did not require my full SSN, unlike Equifax. But transunion will not easily give me my credit score unlike the two Es.