Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.
Both Experian and transunion had no password length limitations, nor did they require my username be my email address.
Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.
- davel [he/him] ( @davel@lemmy.ml ) English92•28 days ago
Yeah well, if you’re so smart let’s see you write a website in COBOL.
- max ( @kittykittycatboys@lemmy.blahaj.zone ) 56•28 days ago
no spaces in a string is a dead giveaway that theres Cobol in there somewhere meow
- EveryMuffinIsNowEncrypted ( @EveryMuffinIsNowEncrypted@lemmy.blahaj.zone ) English21•28 days ago
meow
?
- Cattypat ( @Cattypat@lemmy.blahaj.zone ) English40•28 days ago
their name is kittykittycatboys what else do you expect :3 meow
- EveryMuffinIsNowEncrypted ( @EveryMuffinIsNowEncrypted@lemmy.blahaj.zone ) English20•28 days ago
It shows up on my screen as merely “max”, nothing else.
- my_hat_stinks ( @my_hat_stinks@programming.dev ) 6•27 days ago
Username and display name can be set independently, you should have a “Display name” field in settings. Their non-unique display name is “max” and their unique username is “@kittykittycatboys@lemmy.blahaj.zone”. If you check their profile you should see both.
If you don’t set a display name it will be the same as your username, if you set display name to the same as username (like I have) it’ll show your username without the instance even to people on other instances.
- EveryMuffinIsNowEncrypted ( @EveryMuffinIsNowEncrypted@lemmy.blahaj.zone ) English1•27 days ago
Oh, I see. Thanks.
- ReversalHatchery ( @ReversalHatchery@beehaw.org ) English6•28 days ago
If you open the profile it seems to have two names. I have the feeling that only one of them is valid with the instance postfix, despite it being shown with both
- The Doctor ( @drwho@beehaw.org ) English1•27 days ago
Mew!
- The Doctor ( @drwho@beehaw.org ) English6•27 days ago
You joke, but…
- https://www.microfocus.com/documentation/visual-cobol/vc70/VS2017/GUID-78091B18-A9B3-4212-BE5F-3E28C7196413.html
- https://github.com/loveOSS/awesome-cobol
(No, I will never forgive the college I went to for undergrad for forcing us to take two semesters of COBOL. Why do you ask?)
- davel [he/him] ( @davel@lemmy.ml ) English3•27 days ago
I actually clicked on all the web-related Awesome Cobol links yesterday. Each one is either a broken link or golang code.
- Scott ( @scott@lem.free.as ) English62•28 days ago
This implies they’re storing the plaintext password.
Ideally the password would be hashed with a salt and then stored. Then it’s a fixed length field and it shouldn’t matter how long the password is.
- Helix 🧬 ( @helix@feddit.org ) English18•28 days ago
Or a very very old database system, possibly DB2, where you can’t change the column limits or data types after the fact.
- xthexder ( @xthexder@l.sw0.com ) 10•27 days ago
If they’re hashing, the column size should be irrelevant. Ideally the database should never see the plaintext password in the first place (though I could understand calculating the hash in the query itself). If they’re not hashing, they should really be rewriting their database anyway.
- delirious_owl ( @delirious_owl@discuss.online ) 6•27 days ago
Salted passwords are not recommended anymore. Better to use a memory hard key derivation function designed for passwords, like Argon.
- frezik ( @frezik@midwest.social ) 11•27 days ago
Those are salted, they just do it for you.
- delirious_owl ( @delirious_owl@discuss.online ) 1•27 days ago
Where does the salt get stored?
- frezik ( @frezik@midwest.social ) 9•27 days ago
It’s usually part of the string stored to the DB.
Edit: you can see the PHC spec here:
https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
Which is a common format for various password storage algorithms, including Argon2. It has a salt field.
- xthexder ( @xthexder@l.sw0.com ) 5•27 days ago
I’d rather see a paper explaining the flaws with salted passwords rather than “just use this instead”.
My initial reaction is that this overcomplicates things for the majority of use-cases, and has way more to configure correctly compared to something basic like a salted sha256/sha512 hash that you can write in any language’s standard library.
If the database of everyone’s salted password hashes gets leaked, this still gives everyone plenty of time to change passwords before anything has a chance of cracking them. (Unless you’re about to drop some news on me about long time standard practices being fundamentally flawed)
- delirious_owl ( @delirious_owl@discuss.online ) 1•27 days ago
Wut. Is the competition not enough data for you? This is how we got AES.
Can you name a single popular language where Argon2 isn’t implemented in a stamdard library?
- xthexder ( @xthexder@l.sw0.com ) 1•26 days ago
I think you’re missing the point of what I’m asking. In what way are regular salted passwords insecure? Sure you can keep adding extra steps to encryption, but at a certain point you’re just wasting CPU cycles.
I have no doubts about Argon2 being secure, I just think the extra steps are unnecessary for anything I would build (i.e. not touching financial transactions or people’s SSNs). By design argon2 uses a lot of memory and CPU time to make bruteforce attacks much harder, but that’s more of a downside when you’re just doing basic account logins on a low end server.
I’ll happily retract my point about external dependencies. It’s available in most languages, and notably std C++ contains neither argon2 or sha256/512 hashing, so that kind of makes my original point invalid anyway.
- Onno (VK6FLAB) ( @vk6flab@lemmy.radio ) 51•28 days ago
Credit bureaus are not for your protection, they’re for the protection of their clients, the banks.
- ShepherdPie ( @ShepherdPie@midwest.social ) 14•28 days ago
Banks aren’t much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I’m pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.
You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.
- ShepherdPie ( @ShepherdPie@midwest.social ) 2•28 days ago
The first part I’m sure about because I had to create a bookmark of a line of javascript that would bypass the on-screen keyboard and allow you to autofill the password. It was sometime in the last 3 or 4 years that they finally joined the 1990s and updated it
- Ellia Plissken ( @tilefan@lemm.ee ) English36•28 days ago
the Ring app (I think) forced me to change my Wi-Fi password because I wasn’t allowed to use ampersands. according to support it’s because they “use ampersands in the code”
- delirious_owl ( @delirious_owl@discuss.online ) 16•27 days ago
Thats the least of your worries with Ring. Put that shit straight into the bin.
- The Doctor ( @drwho@beehaw.org ) English8•27 days ago
That implies that they pass parameters in URLs… FFS.
Eufy cameras will not allow spaces in the WiFi password.
- shortwavesurfer ( @shortwavesurfer@lemmy.zip ) 36•28 days ago
Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It’s like oh come on that is way too easy these days
- kingthrillgore ( @KingThrillgore@lemmy.ml ) 29•27 days ago
A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren’t hashing your password with anything stronger than MD5. Or worse.
- Toribor ( @Toribor@corndog.social ) English21•27 days ago
My default is to generate a 32 character password and store it in a password manager. Doesn’t matter to me how many characters it has since I’m just going to copy and paste it anyway.
Pretty surprising how many places enforce shorter passwords though… I had a bank that had a maximum character limit of 12. I don’t bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.
- ℍ𝕂-𝟞𝟝 ( @HK65@sopuli.xyz ) English20•27 days ago
Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.
- sik0fewl ( @sik0fewl@lemmy.ca ) 2•26 days ago
You signed a contract? Pretty sure they’re going to fuck it up either way and they definitely have all your data.
- CubitOom ( @CubitOom@infosec.pub ) English19•28 days ago
I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there’s nonway someone could spoof a phone number and then unfreeze your credit.
- krolden ( @krolden@lemmy.ml ) 5•27 days ago
Financial companies ans banks and stuff have to follow regulations on their MFA method. That why you can’t just use any OTP authenticator and are stuck with email/SMS.
- The Doctor ( @drwho@beehaw.org ) English5•27 days ago
In case anybody’s curious about what those are:
- https://rublon.com/blog/nydfs-23-nycrr-part-500-mfa-compliance/
- https://metomic.io/resource-centre/financial-services-compliance-regulations
- https://rublon.com/blog/ffiec-mfa-compliance-best-practices/
- https://www.ffiec.gov/press/pdf/Authentication-and-Access-to-Financial-Institution-Services-and-Systems.pdf
The biggest reason they use phone calls or SMS, however, is because they don’t want to go to the hassle of getting an in-house MFA service (a TOTP backend, in other words), approved, pen tested, analyzed, verified… all things considered, it’s faster and easier to go with a service like Twilio that already did all that legwork. A couple of years back I worked for a company in just that position, and after we did all the legwork, research, and consultation with the independent third party specialists trying to run our own TOTP would have easily doubled the yearly cost because of all the compliance stuff.
- krolden ( @krolden@lemmy.ml ) 3•27 days ago
Adding TOTP would be cheaper in the long run than continuing to pay those SMS rates. I dont think its about any kind of extra hassle they have to deal with. More of terrible NIST standards written by the center for internet security, which is a for profit corporation that apparently nist allows to write all their standards
- The Doctor ( @drwho@beehaw.org ) English3•26 days ago
It really depends on the company. When I was working for that company a few jobs back, we crunched the numbers and the cost of C&C and IV&V (Certification and Accreditation; Independent Verification and Validation) for an in-house TOTP had one more zero to the left of the decimal point than the Twilio bill (added up for the year). Plus, for compliance we’d have to get everything re-vetted yearly.
That’s kinda of the definition of government contracting. :) I think the only US government org that has actual govvies doing anything other than management is NASA.
- krolden ( @krolden@lemmy.ml ) 1•26 days ago
Yeah except you only have to spend the money once as opposed to paying twilio every year
- The Doctor ( @drwho@beehaw.org ) English2•25 days ago
for compliance we’d have to get everything re-vetted yearly
- __init__ ( @__init__@programming.dev ) 13•28 days ago
That’s security theater for you…
- TheReturnOfPEB ( @TheReturnOfPEB@reddthat.com ) English12•26 days ago
short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded
- azalty ( @azalty@jlai.lu ) 1•25 days ago
They’re supposed to be hashed so that shouldn’t matter
Unless that’s the joke or something
- 𝕸𝖔𝖘𝖘 ( @01189998819991197253@infosec.pub ) English11•27 days ago
Correct me if I’m wrong, but the only reason to limit password length, is to save carrying cost on the database. But the only reason that this would be value added, is if the passwords are encrypted in reversible encryption, instead of hashed. Isn’t this against some CISA recommendation?
- ℍ𝕂-𝟞𝟝 ( @HK65@sopuli.xyz ) English10•27 days ago
One other reason I could see is pure idiocy. Like I’ve seen that there is a bias to using every feature some software has, and if a max limit can be set, it will be set, to a “reasonable” value.
- 𝕸𝖔𝖘𝖘 ( @01189998819991197253@infosec.pub ) English3•26 days ago
Maybe it’s also a “it’s the way we’ve always done it” BS that plays into it, too?
- itslilith ( @itslilith@lemmy.blahaj.zone ) 4•27 days ago
Even then, the difference between 20 and 2000 characters is negligible
- The Doctor ( @drwho@beehaw.org ) English10•27 days ago
Huh - they increased it!
- Asafum ( @Asafum@feddit.nl ) 10•27 days ago
I happened to freeze all my credit in the same weekend I switched car insurance so I don’t know who is to blame (my bet is on GEICO) but starting Monday I’ve been getting a bunch of spam calls and texts…
Such scumbags… If it’s the credit agencies they caused the problem for me to be there and are now profiting off the “solution” and if it’s GEICO it’s probably worse since I’m already fucking paying them, but no they need more.
- Trainguyrom ( @Trainguyrom@reddthat.com ) English3•26 days ago
Just a quick tip: I’ve had good luck getting insurance through a broker. I have cheaper insurance through some B2B place that doesn’t work directly with consumers with better coverage than if I went through some national brand that spends millions of dollars a month on advertising to consumers. The other benefit of a broker is now you have a third party who’s incentivized to not only find you the best deal but also someone you can get advice from during a claim should anything seem off to you.
- Asafum ( @Asafum@feddit.nl ) 1•25 days ago
Thanks for the tip! I’ll have to look into that.
- js10 ( @js10@reddthat.com ) 9•27 days ago
I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?
- digdilem ( @digdilem@lemmy.ml ) English12•27 days ago
since the plain text isnt stored
I’m not sure I’d accept a bet on that assumption.
- Vivendi ( @Vivendi@lemmy.zip ) 11•27 days ago
Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil’d into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don’t do fucky things with passwords unless your backend is doing something really stupid.
- henfredemars ( @henfredemars@infosec.pub ) English8•28 days ago
I’d like to not solve a boolean satisfiability problem along the way, please.