Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.
Both Experian and transunion had no password length limitations, nor did they require my username be my email address.
Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.
I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there’s nonway someone could spoof a phone number and then unfreeze your credit.
Financial companies ans banks and stuff have to follow regulations on their MFA method. That why you can’t just use any OTP authenticator and are stuck with email/SMS.
In case anybody’s curious about what those are:
- https://rublon.com/blog/nydfs-23-nycrr-part-500-mfa-compliance/
- https://metomic.io/resource-centre/financial-services-compliance-regulations
- https://rublon.com/blog/ffiec-mfa-compliance-best-practices/
- https://www.ffiec.gov/press/pdf/Authentication-and-Access-to-Financial-Institution-Services-and-Systems.pdf
The biggest reason they use phone calls or SMS, however, is because they don’t want to go to the hassle of getting an in-house MFA service (a TOTP backend, in other words), approved, pen tested, analyzed, verified… all things considered, it’s faster and easier to go with a service like Twilio that already did all that legwork. A couple of years back I worked for a company in just that position, and after we did all the legwork, research, and consultation with the independent third party specialists trying to run our own TOTP would have easily doubled the yearly cost because of all the compliance stuff.
Adding TOTP would be cheaper in the long run than continuing to pay those SMS rates. I dont think its about any kind of extra hassle they have to deal with. More of terrible NIST standards written by the center for internet security, which is a for profit corporation that apparently nist allows to write all their standards
It really depends on the company. When I was working for that company a few jobs back, we crunched the numbers and the cost of C&C and IV&V (Certification and Accreditation; Independent Verification and Validation) for an in-house TOTP had one more zero to the left of the decimal point than the Twilio bill (added up for the year). Plus, for compliance we’d have to get everything re-vetted yearly.
That’s kinda of the definition of government contracting. :) I think the only US government org that has actual govvies doing anything other than management is NASA.
Yeah except you only have to spend the money once as opposed to paying twilio every year
for compliance we’d have to get everything re-vetted yearly
I’m just gonna go ahead and say it: 16 Characters are sufficient and 20 pretty damn secure.
That is assuming they do stuff right and there are no vulnerabilities, which they won’t and there are. However they may manifest, they are a greater concern at 16+ characters, especially if they don’t offer 2FA.
The reason is that even if machines become powerful enough that 16 characters can be bruteforced, which they can’t atm, you can effectively defend everything against bruteforce attacks by other means. Including but not limited to limiting login attempts, salts and pepper, multiple encryption layers etc.
With just
a saltpepper you can make a 16 char password effectively a 24 char password… Or a 2.000.000 char password. Assuming it is not stolen alongside that is.Edit: Changed ‘salt’ to ‘pepper’.
The actual length of the password isn’t the problem. If they were “doing stuff right” then it would make no difference to them whether the password was 20 characters or 200, because once it was hashed both would be stored in the same amount of space.
The fact that they’ve specified a limit is strong evidence that they’renot doing it right
Some hashing algorithms are suspectible to long password denial of service so it’s recommended to limit the length of password but certainly not to 20 characters but to a more reasonable limit, like 100 characters or so.
Fair enough, I didn’t consider compute resources
It does, I’ll give you that. However, I will hold the fact that their maximum is actually reasonable against that. The minimum of 8 is more concerning imo
That’s not how salt works. It will be stolen alongside the password hash, because salt is necessarily in plaintext. It doesn’t increase the guessability of passwords. It just makes it infeasible to precompute your guesses.
So what does the password length matter if they also get the salt?
A password only 8 chars long can still be brute forced, salt or not.
Without salt, the attacker would make a guess, run the hash on the password, and compare it to the stored version.
With salt, the attacker would make a guess, combine it with the salt, and then run the hash and compare like before.
What salt does is prevent a shortcut. The attacker has a big list of passwords and their associated hash values. They grab the hash out of the leaked database, compare it to the list, and match it to the original plaintext. When the hashes have a salt, they would need to generate the list for every possible salt value. For a sufficiently long salt that’s unique to each password entry, that list would be infeasible to generate, and infeasible to store even if you could.
If your passwords were long and random enough, then it’s also infeasible to generate that list to cover everything. It really only works against dictionary words and variations (like “P4ssw0rD”).
Yes, what I meant is actually a kind of pepper. Although I would like to point out that literally the only difference is that it’s stored elsewhere.
I tend to prefer pass phrases, they are a lot easier to type and speak, if required. Mine regularly blow past 20 characters.
As for salting, that only defends against rainbow table attacks. The salt needs to be stored along with the hash. That is find for most accounts, but once you’re in banking territory, that’s a bad bet.
You also can’t assume you have no vulnerabilities. If someone gets your database, you can’t defend against brute force attacks.
Lastly, if you are doing passwords properly, you shouldn’t care much about length. There are a few dos attacks to worry about, but a 512 char limit will stop those, and not limit any sane password.
Bcrypt and scrypt both have a byte limit of 72. That’s still enough for a secure passphrase, though some schemes might blow past it.
A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren’t hashing your password with anything stronger than MD5. Or worse.
A hash has a fixed length, including MD5. There’s no reason to cap password (input) Iength. You can hash the whole bible and still get the same length hash. So either they don’t even hash it, they’re idiots, or they try to be unnecessarily cautious to avoid some other limit / overflow, like POST max size (which would still be counted in at least KB, not several characters). The limit on what special characters you can use is also highly suspicious - that’s not how you deal with injections / escaping your inputs.
Hashing takes longer the longer the string is, so it technically could impact performance if many people with very long passwords log in simultaneously. 20 characters is ridiculous though, you could probably cap it at hundreds and still be completely fine.
My default is to generate a 32 character password and store it in a password manager. Doesn’t matter to me how many characters it has since I’m just going to copy and paste it anyway.
Pretty surprising how many places enforce shorter passwords though… I had a bank that had a maximum character limit of 12. I don’t bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.
That’s security theater for you…
Correct me if I’m wrong, but the only reason to limit password length, is to save carrying cost on the database. But the only reason that this would be value added, is if the passwords are encrypted in reversible encryption, instead of hashed. Isn’t this against some CISA recommendation?
There may also be a (very weak) reason around bounds checking and avoiding buffer overflows. By rejecting anything longer that 20 characters, the developer can be sure that there will be nothing longer sent to the back end code. While they should still be doing bounds checking in the rest of the code, if the team making the UI is not the same as the team making the back end code, the UI team may see it as a reasonable restriction to prevent a screw up, further down the stack, from being exploited. Again, it’s a very weak argument, but I can see such an argument being made in a large organization with lots of teams who don’t talk to each other. Or worse yet, different contractors standing up the front end and back end.
They really shouldn’t be sending the password over the line at all. It should be local hashed/salted, encrypted, and then sent. So plaintext length really shouldn’t matter much, if at all. But I see your point.
One other reason I could see is pure idiocy. Like I’ve seen that there is a bias to using every feature some software has, and if a max limit can be set, it will be set, to a “reasonable” value.
Maybe it’s also a “it’s the way we’ve always done it” BS that plays into it, too?
Even then, the difference between 20 and 2000 characters is negligible
Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.
that they collect without your explicit consent
You signed a contract? Pretty sure they’re going to fuck it up either way and they definitely have all your data.
short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded
They’re supposed to be hashed so that shouldn’t matter
Unless that’s the joke or something
I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?
Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil’d into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don’t do fucky things with passwords unless your backend is doing something really stupid.
Calculating hashes is supposedly more expensive for longer strings. That could be used to simplify some kind of overload attack like DDOS.
If they’re using md5 (which would be in line with their security practices), the block size is 512 bits. That means that everything less than 64 characters is the same cost
If they’re not already rate-limiting login attempts that’s another huge problem…
since the plain text isnt stored
I’m not sure I’d accept a bet on that assumption.
Huh - they increased it!
The 20 character length limit is so annoying because I once had 2 distinct passwords (not in use anymore) that were both coincidentally 21 characters long. Character limiting me by a single character at the end of those old passwords was annoying because I usually ended up, for some services I needed, having to change up and use a completely new password. Back when I was a lot worse about reusing passwords than now.
Just wait until you get to Transunion’s site. It is a dumpster fire of consisting of the worst sign up I’ve ever seen, “Contact our social team” and "If you haven’t logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.
Transunion was not too bad, and they did not require my full SSN, unlike Equifax. But transunion will not easily give me my credit score unlike the two Es.
I’ve seen even shorter limits. Still annoying.
that is a painfully bad list of
requirementsbullshitFuck1ngKil!M3
the Ring app (I think) forced me to change my Wi-Fi password because I wasn’t allowed to use ampersands. according to support it’s because they “use ampersands in the code”
Sure would be a shame of Bobby tables made a ring acct
The problem is quotes, not spaces and ampersands
Thats the least of your worries with Ring. Put that shit straight into the bin.
That implies that they pass parameters in URLs… FFS.
You mean the company that had a feature in place that allowed law enforcement to request and access video footage from your devices without obtaining a warrant first?
As expected, their security measures were also found to be lacking.
Yeah, no thanks.
yeah I only have a ring for my outdoor cameras. I was considering switching my indoor system yo ring as my alarm company keeps raising their prices but I’m not putting ring cameras inside my house. especially because the privacy shutters on them are manual
It deeply saddens me when people pay money for locked down hardware that’s not only designed to spy on them, but their family, friends, and neighbors as well. Ring, Amazon Echo, Google Home, that creepy Facebook robot screen…all insecure spyware.
Then wash the code! Son’s of bitches!
Eufy cameras will not allow spaces in the WiFi password.
I encountered something like this at work. It wasn’t pass related, it was just a means of getting people to make text responses. Ampersands were replaced with some gibberish format, which annoyed everyone.
I got some kind of explanation from our tech people, which I understood to mean that ampersand was used to indicate that what followed was live code. Turning the ampersand into gibberish text was a safety measure to stop mischief.
I’ve noticed ampersand replacements in some news feeds too
