this post was submitted on 21 Aug 2024
349 points (100.0% liked)

Privacy

789 readers
3 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz
349
Signed up for Equifax to freeze my credit, password can not be longer than 20 characters (i.imgur.com)
submitted 2 months ago* (last edited 2 months ago) by nokturne213@sopuli.xyz to c/privacy@lemmy.ml
78 comments fedilink hide all child comments
 

Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is "well all of our other customers are okay with this".

top 50 comments
sorted by: hot top controversial new old
[–] davel@lemmy.ml 92 points 2 months ago (2 children)

Yeah well, if you’re so smart let’s see you write a website in COBOL.

[–] kittykittycatboys@lemmy.blahaj.zone 56 points 2 months ago (1 children)

no spaces in a string is a dead giveaway that theres Cobol in there somewhere meow

[–] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 21 points 2 months ago (1 children)

meow

?

[–] Cattypat@lemmy.blahaj.zone 40 points 2 months ago (2 children)

their name is kittykittycatboys what else do you expect :3 meow

[–] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 20 points 2 months ago (2 children)

It shows up on my screen as merely "max", nothing else.

[–] ReversalHatchery 6 points 2 months ago

If you open the profile it seems to have two names. I have the feeling that only one of them is valid with the instance postfix, despite it being shown with both

[–] my_hat_stinks@programming.dev 6 points 2 months ago* (last edited 2 months ago) (1 children)

Username and display name can be set independently, you should have a "Display name" field in settings. Their non-unique display name is "max" and their unique username is "@kittykittycatboys@lemmy.blahaj.zone". If you check their profile you should see both.

If you don't set a display name it will be the same as your username, if you set display name to the same as username (like I have) it'll show your username without the instance even to people on other instances.

load more comments (1 replies)
load more comments (1 replies)
[–] drwho 6 points 2 months ago (1 children)

You joke, but...

(No, I will never forgive the college I went to for undergrad for forcing us to take two semesters of COBOL. Why do you ask?)

load more comments (1 replies)
[–] scott@lem.free.as 62 points 2 months ago (2 children)

This implies they're storing the plaintext password.

Ideally the password would be hashed with a salt and then stored. Then it's a fixed length field and it shouldn't matter how long the password is.

[–] helix@feddit.org 18 points 2 months ago (1 children)

Or a very very old database system, possibly DB2, where you can't change the column limits or data types after the fact.

[–] xthexder@l.sw0.com 10 points 2 months ago

If they're hashing, the column size should be irrelevant. Ideally the database should never see the plaintext password in the first place (though I could understand calculating the hash in the query itself). If they're not hashing, they should really be rewriting their database anyway.

[–] delirious_owl@discuss.online 6 points 2 months ago* (last edited 2 months ago) (2 children)

Salted passwords are not recommended anymore. Better to use a memory hard key derivation function designed for passwords, like Argon.

https://en.wikipedia.org/wiki/Argon2

[–] frezik@midwest.social 11 points 2 months ago (2 children)

Those are salted, they just do it for you.

load more comments (2 replies)
[–] xthexder@l.sw0.com 5 points 2 months ago* (last edited 2 months ago) (2 children)

I'd rather see a paper explaining the flaws with salted passwords rather than "just use this instead".

My initial reaction is that this overcomplicates things for the majority of use-cases, and has way more to configure correctly compared to something basic like a salted sha256/sha512 hash that you can write in any language's standard library.

If the database of everyone's salted password hashes gets leaked, this still gives everyone plenty of time to change passwords before anything has a chance of cracking them. (Unless you're about to drop some news on me about long time standard practices being fundamentally flawed)

load more comments (2 replies)
[–] vk6flab@lemmy.radio 51 points 2 months ago (1 children)

Credit bureaus are not for your protection, they're for the protection of their clients, the banks.

[–] ShepherdPie@midwest.social 14 points 2 months ago (1 children)

Banks aren't much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I'm pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.

[–] nokturne213@sopuli.xyz 11 points 2 months ago (1 children)

You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.

load more comments (1 replies)
[–] shortwavesurfer@lemmy.zip 36 points 2 months ago

Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It's like oh come on that is way too easy these days

[–] tilefan@lemm.ee 36 points 2 months ago (3 children)

the Ring app (I think) forced me to change my Wi-Fi password because I wasn't allowed to use ampersands. according to support it's because they "use ampersands in the code"

[–] delirious_owl@discuss.online 16 points 2 months ago

Thats the least of your worries with Ring. Put that shit straight into the bin.

[–] drwho 8 points 2 months ago

That implies that they pass parameters in URLs... FFS.

[–] nokturne213@sopuli.xyz 5 points 2 months ago

Eufy cameras will not allow spaces in the WiFi password.

[–] KingThrillgore@lemmy.ml 29 points 2 months ago* (last edited 2 months ago) (1 children)

A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren't hashing your password with anything stronger than MD5. Or worse.

[–] Toribor@corndog.social 21 points 2 months ago

My default is to generate a 32 character password and store it in a password manager. Doesn't matter to me how many characters it has since I'm just going to copy and paste it anyway.

Pretty surprising how many places enforce shorter passwords though... I had a bank that had a maximum character limit of 12. I don't bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.

[–] HK65@sopuli.xyz 20 points 2 months ago (1 children)

Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.

load more comments (1 replies)
[–] CubitOom@infosec.pub 19 points 2 months ago (1 children)

I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there's nonway someone could spoof a phone number and then unfreeze your credit.

[–] krolden@lemmy.ml 5 points 2 months ago* (last edited 2 months ago) (1 children)

Financial companies ans banks and stuff have to follow regulations on their MFA method. That why you can't just use any OTP authenticator and are stuck with email/SMS.

[–] drwho 5 points 2 months ago (4 children)

In case anybody's curious about what those are:

The biggest reason they use phone calls or SMS, however, is because they don't want to go to the hassle of getting an in-house MFA service (a TOTP backend, in other words), approved, pen tested, analyzed, verified... all things considered, it's faster and easier to go with a service like Twilio that already did all that legwork. A couple of years back I worked for a company in just that position, and after we did all the legwork, research, and consultation with the independent third party specialists trying to run our own TOTP would have easily doubled the yearly cost because of all the compliance stuff.

load more comments (4 replies)
[–] __init__@programming.dev 13 points 2 months ago

That’s security theater for you…

[–] TheReturnOfPEB@reddthat.com 12 points 2 months ago (1 children)

short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded

load more comments (1 replies)
[–] 01189998819991197253@infosec.pub 11 points 2 months ago (2 children)

Correct me if I'm wrong, but the only reason to limit password length, is to save carrying cost on the database. But the only reason that this would be value added, is if the passwords are encrypted in reversible encryption, instead of hashed. Isn't this against some CISA recommendation?

[–] HK65@sopuli.xyz 10 points 2 months ago (1 children)

One other reason I could see is pure idiocy. Like I've seen that there is a bias to using every feature some software has, and if a max limit can be set, it will be set, to a "reasonable" value.

load more comments (1 replies)
[–] itslilith@lemmy.blahaj.zone 4 points 2 months ago

Even then, the difference between 20 and 2000 characters is negligible

[–] js10@reddthat.com 9 points 2 months ago (2 children)

I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?

[–] digdilem@lemmy.ml 12 points 2 months ago

since the plain text isnt stored

I'm not sure I'd accept a bet on that assumption.

[–] Vivendi@lemmy.zip 11 points 2 months ago

Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil'd into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don't do fucky things with passwords unless your backend is doing something really stupid.

[–] drwho 9 points 2 months ago

Huh - they increased it!

[–] Asafum@feddit.nl 9 points 2 months ago (2 children)

I happened to freeze all my credit in the same weekend I switched car insurance so I don't know who is to blame (my bet is on GEICO) but starting Monday I've been getting a bunch of spam calls and texts...

Such scumbags... If it's the credit agencies they caused the problem for me to be there and are now profiting off the "solution" and if it's GEICO it's probably worse since I'm already fucking paying them, but no they need more.

load more comments (2 replies)
[–] henfredemars@infosec.pub 8 points 2 months ago

I'd like to not solve a boolean satisfiability problem along the way, please.

[–] drukqs@hachyderm.io 7 points 2 months ago (1 children)

@nokturne213 In Canada, we also have transunion; they officially say max pw size is 30 but it’s actually 15. Complete joke. At least Equifax has proper 2FA.

[–] nokturne213@sopuli.xyz 11 points 2 months ago (1 children)

I tried to log in to see if I could activate 2FA and it says I have to call customer service to log in now.

[–] ShepherdPie@midwest.social 18 points 2 months ago

Don't worry this is easily solved by sending a fax of your drivers license Mo-Fr between the hours of 8:05am and 8:09am

[–] guemax@lemmy.today 5 points 2 months ago (3 children)

At least they show you their requirements. Usually I use passwords with up to 150 characters (including special ones). Getting a vague response like "Password is invalid" is so annoying. I then have to remove special characters and reduce the length step by step until it is accepted by the website. (But 20 characters is way too short, resulting in these hilarious other requirements. You just want to create an account, without having to do a PhD in creating passwords first.)

load more comments (3 replies)
[–] AceFuzzLord@lemm.ee 5 points 2 months ago* (last edited 2 months ago)

The 20 character length limit is so annoying because I once had 2 distinct passwords (not in use anymore) that were both coincidentally 21 characters long. Character limiting me by a single character at the end of those old passwords was annoying because I usually ended up, for some services I needed, having to change up and use a completely new password. Back when I was a lot worse about reusing passwords than now.

[–] delirious_owl@discuss.online 5 points 2 months ago

Open a bug report

[–] StorageAware@lemmings.world 5 points 2 months ago

I always get a chuckle when financial institutions have requirements like these, or lack 2FA. My Lemmy account has more security at this point.

[–] krolden@lemmy.ml 5 points 2 months ago (1 children)

Super long passwords aren't going to do you any good when their database is compromised and sold to anyone with a few bucks.

Its not like some one is gonna be brute forcing your account password, it would lock your account after like ten tries.

[–] Hirom 15 points 2 months ago (3 children)

Quite the contrary.

Password hashing is standard nowadays.

When a database is compromised, brute forcing hashes is necessary to recover passwords, and the short ones are the first ones to be recovered.

load more comments (3 replies)
[–] doggle@lemmy.dbzer0.com 4 points 2 months ago

I've seen even shorter limits. Still annoying.

load more comments
view more: next ›