Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.
Both Experian and transunion had no password length limitations, nor did they require my username be my email address.
Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.
Super long passwords aren’t going to do you any good when their database is compromised and sold to anyone with a few bucks.
Its not like some one is gonna be brute forcing your account password, it would lock your account after like ten tries.
Quite the contrary.
Password hashing is standard nowadays.
When a database is compromised, brute forcing hashes is necessary to recover passwords, and the short ones are the first ones to be recovered.
So what? They’ll get your single use randomly generated password months/years/decades after you’ve already changed it?
Which begs the question, how often do people really change their passwords unless they’re forced to? This feels like the sort of thing that somebody should have studied.
If its not been pwned then why bother? As long as you’re using a password generator and only using per a service passwords plus MFA youll be fine
Literally this
Except todays wordle answer cannot be made to multiply to 35
I got to rule #16 - I suck at chess. Secret to “multiply roman numerals” is just add them up to the value.
My bank used to not let me type one longer than six (6) characters!
Yup. My bank was even “translating” passwords to PINs behind the scene specifically so your password for the website would be the same as your password on the telephone.
My bank disables paste as has code checking if the browser is greater than Netscape Navigator 4.
Goddamn I really hate that shit.
https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-with-paste/
Removed by mod
I always get a chuckle when financial institutions have requirements like these, or lack 2FA. My Lemmy account has more security at this point.
short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded
They’re supposed to be hashed so that shouldn’t matter
Unless that’s the joke or something
The 20 character length limit is so annoying because I once had 2 distinct passwords (not in use anymore) that were both coincidentally 21 characters long. Character limiting me by a single character at the end of those old passwords was annoying because I usually ended up, for some services I needed, having to change up and use a completely new password. Back when I was a lot worse about reusing passwords than now.
I swear password restrictions are getting to the point where there’s eventually going to only be one usable password.
Yeah, it’s counterproductive to lay out a bunch of restrictions. Let people make a long-ass password that’s a memorable phrase - it’s safer anyway.
Although I don’t know how anyone makes it without a password manager at this point.
I don’t know how anyone makes it without a password manager at this point.
Password reuse. Password reuse everywhere.
We’re all guilty of it. No shame in admitting it. I know I’ve been guilty of it from time to time.
When I have to sign up for something on my phone I will use my pre Bitwarden default password. Then once I have a sec to sit down iPad or laptop I will change it to something more secure.
I am currently fighting with my wife and children to start using a password manager.
The funny thing about that is that I am currently on my laptop getting keepassxc set up. This post has somehow motivated me to finally get a password manager.
If it converts one person that is a good thing.
What’s the best password manager you’d recommend?
I have only used lastpass (they have had several breeches and I do not recommend them), Bitwarden (my current daily driver and my recommendation), and I have used Apple keychain a little for passwords at work that my wife can access without having full access to my Bitwarden.
Thank you!
On your phone, you can select autofill, then ask bitwarden to generate a password, save and use that to register
Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It’s like oh come on that is way too easy these days
Honestly, that’s a sign to me that your bank doesn’t take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it’ll even send me a text to verify a purchase if their software thinks it’s weird I got across town too quickly, though that’s pretty rare so it isn’t overly aggressive/inconvenient.
In Germany at least, I hear that banks have weird law requirements for these weird security things, like photoTAN.
I’d be much happier if they’d just let me do my usual setup with password, totp and my hardware token.
In the US the FDIC sets security requirements for banks and audits annually, and they keeps raising requirements every year or so. At this point its just easier for a bank to invest in following current best practices and keep updating to the current best practices than to keep chasing every new finding on the FDIC audits each year
Source: I worked in IT at a bank for a while
Oh but wait! That non-customizable
account numberuser ID that you have to wait for in the mail is definitely top notch security!
At least they show you their requirements. Usually I use passwords with up to 150 characters (including special ones). Getting a vague response like “Password is invalid” is so annoying. I then have to remove special characters and reduce the length step by step until it is accepted by the website. (But 20 characters is way too short, resulting in these hilarious other requirements. You just want to create an account, without having to do a PhD in creating passwords first.)
There shouldn’t be an arbitrary limit on the length of a password but how is 20 characters “way too short”? It’s more than 10^36 combinations.
It doesn’t even matter. Because the limit implies that they don’t hash and salt their passwords.
Plus they had a breach already in 2017.
Twitch is bad about this. It’s not a fucking ballistic missile installation - just tell me what you want.
I’d like to not solve a boolean satisfiability problem along the way, please.
“Cannot contain your email address” - damn right it can’t contain my email address in 20 characters!
Credit bureaus are not for your protection, they’re for the protection of their clients, the banks.
Banks aren’t much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I’m pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.
You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.
The first part I’m sure about because I had to create a bookmark of a line of javascript that would bypass the on-screen keyboard and allow you to autofill the password. It was sometime in the last 3 or 4 years that they finally joined the 1990s and updated it
@nokturne213 In Canada, we also have transunion; they officially say max pw size is 30 but it’s actually 15. Complete joke. At least Equifax has proper 2FA.
I tried to log in to see if I could activate 2FA and it says I have to call customer service to log in now.
Don’t worry this is easily solved by sending a fax of your drivers license Mo-Fr between the hours of 8:05am and 8:09am
Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.
that they collect without your explicit consent
You signed a contract? Pretty sure they’re going to fuck it up either way and they definitely have all your data.
