this post was submitted on 21 Aug 2024
609 points (98.1% liked)

Privacy

31219 readers
1531 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz
609
Signed up for Equifax to freeze my credit, password can not be longer than 20 characters (i.imgur.com)
submitted 3 weeks ago* (last edited 3 weeks ago) by nokturne213@sopuli.xyz to c/privacy@lemmy.ml
147 comments fedilink hide all child comments
 

Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is "well all of our other customers are okay with this".

top 50 comments
sorted by: hot top controversial new old
[–] davel@lemmy.ml 157 points 3 weeks ago (4 children)

Yeah well, if you’re so smart let’s see you write a website in COBOL.

[–] kittykittycatboys@lemmy.blahaj.zone 87 points 3 weeks ago (1 children)

no spaces in a string is a dead giveaway that theres Cobol in there somewhere meow

[–] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 34 points 3 weeks ago (2 children)

meow

?

[–] Cattypat@lemmy.blahaj.zone 54 points 3 weeks ago (2 children)

their name is kittykittycatboys what else do you expect :3 meow

[–] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 32 points 3 weeks ago (7 children)

It shows up on my screen as merely "max", nothing else.

load more comments (7 replies)
load more comments (1 replies)
load more comments (1 replies)
load more comments (3 replies)
[–] scott@lem.free.as 91 points 3 weeks ago (8 children)

This implies they're storing the plaintext password.

Ideally the password would be hashed with a salt and then stored. Then it's a fixed length field and it shouldn't matter how long the password is.

[–] helix@feddit.org 32 points 3 weeks ago (1 children)

Or a very very old database system, possibly DB2, where you can't change the column limits or data types after the fact.

load more comments (1 replies)
load more comments (7 replies)
[–] vk6flab@lemmy.radio 81 points 3 weeks ago (1 children)

Credit bureaus are not for your protection, they're for the protection of their clients, the banks.

[–] ShepherdPie@midwest.social 23 points 3 weeks ago (1 children)

Banks aren't much better. Up until just a couple years ago, the Treasury Direct website (to buy bonds/etc from the US Treasury) forced you to use a god damned on-screen keyboard to input your password and the passwords were not case sensitive. I'm pretty sure it also only read the first X number of characters of your input because I recall that people tried typing extra characters after their passwords and it would still accept it as valid, though I could be conflating this with some other archaic site.

[–] nokturne213@sopuli.xyz 12 points 3 weeks ago (1 children)

You are unable to paste your password into the “confirm password” field. I thought I was going to have to type it in, but Bitwarden’s autofill worked.

load more comments (1 replies)
[–] shortwavesurfer@lemmy.zip 55 points 3 weeks ago (2 children)

Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It's like oh come on that is way too easy these days

[–] cm0002@lemmy.world 18 points 3 weeks ago

Oh but wait! That non-customizable ~~account number~~ user ID that you have to wait for in the mail is definitely top notch security!

[–] bassomitron@lemmy.world 12 points 3 weeks ago (2 children)

Honestly, that's a sign to me that your bank doesn't take cybersecurity seriously and would possibly consider switching. Mine has amazing security as well as fraud detection. Sometimes it'll even send me a text to verify a purchase if their software thinks it's weird I got across town too quickly, though that's pretty rare so it isn't overly aggressive/inconvenient.

load more comments (2 replies)
[–] KingThrillgore@lemmy.ml 51 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren't hashing your password with anything stronger than MD5. Or worse.

[–] Toribor@corndog.social 30 points 3 weeks ago

My default is to generate a 32 character password and store it in a password manager. Doesn't matter to me how many characters it has since I'm just going to copy and paste it anyway.

Pretty surprising how many places enforce shorter passwords though... I had a bank that had a maximum character limit of 12. I don't bank with them anymore. Short password limits is definitely is an indicator of bad underlying security practices.

[–] 314xel@lemmy.world 21 points 3 weeks ago (1 children)

A hash has a fixed length, including MD5. There's no reason to cap password (input) Iength. You can hash the whole bible and still get the same length hash. So either they don't even hash it, they're idiots, or they try to be unnecessarily cautious to avoid some other limit / overflow, like POST max size (which would still be counted in at least KB, not several characters). The limit on what special characters you can use is also highly suspicious - that's not how you deal with injections / escaping your inputs.

load more comments (1 replies)
[–] tilefan@lemm.ee 48 points 3 weeks ago (7 children)

the Ring app (I think) forced me to change my Wi-Fi password because I wasn't allowed to use ampersands. according to support it's because they "use ampersands in the code"

[–] scrion@lemmy.world 59 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

You mean the company that had a feature in place that allowed law enforcement to request and access video footage from your devices without obtaining a warrant first?

As expected, their security measures were also found to be lacking.

Yeah, no thanks.

[–] Fuzzy_Red_Panda@lemm.ee 30 points 3 weeks ago

It deeply saddens me when people pay money for locked down hardware that's not only designed to spy on them, but their family, friends, and neighbors as well. Ring, Amazon Echo, Google Home, that creepy Facebook robot screen...all insecure spyware.

load more comments (1 replies)
[–] delirious_owl@discuss.online 21 points 3 weeks ago

Thats the least of your worries with Ring. Put that shit straight into the bin.

[–] Aquila@sh.itjust.works 17 points 3 weeks ago (1 children)

Sure would be a shame of Bobby tables made a ring acct

load more comments (1 replies)
load more comments (4 replies)
[–] caramelslice@lemmy.world 32 points 3 weeks ago (3 children)

Literally this

load more comments (3 replies)
[–] HK65@sopuli.xyz 30 points 3 weeks ago (2 children)

Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.

load more comments (2 replies)
[–] tired_n_bored@lemmy.world 27 points 3 weeks ago (3 children)

My bank used to not let me type one longer than six (6) characters!

[–] toastal@lemmy.ml 19 points 3 weeks ago (2 children)

My bank disables paste as has code checking if the browser is greater than Netscape Navigator 4.

load more comments (2 replies)
load more comments (2 replies)
[–] CubitOom@infosec.pub 26 points 3 weeks ago (6 children)

I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there's nonway someone could spoof a phone number and then unfreeze your credit.

load more comments (6 replies)
[–] eager_eagle@lemmy.world 20 points 3 weeks ago

that is a painfully bad list of ~~requirements~~ bullshit

[–] TheReturnOfPEB@reddthat.com 19 points 3 weeks ago (1 children)

short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded

load more comments (1 replies)
[–] __init__@programming.dev 19 points 3 weeks ago

That’s security theater for you…

[–] js10@reddthat.com 19 points 3 weeks ago (5 children)

I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?

[–] digdilem@lemmy.ml 20 points 3 weeks ago

since the plain text isnt stored

I'm not sure I'd accept a bet on that assumption.

[–] Vivendi@lemmy.zip 19 points 3 weeks ago

Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil'd into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don't do fucky things with passwords unless your backend is doing something really stupid.

load more comments (3 replies)
[–] alkaliv2@lemmy.world 17 points 3 weeks ago (1 children)

Just wait until you get to Transunion's site. It is a dumpster fire of consisting of the worst sign up I've ever seen, "Contact our social team" and "If you haven't logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.

load more comments (1 replies)
[–] chiliedogg@lemmy.world 17 points 3 weeks ago (11 children)

I swear password restrictions are getting to the point where there's eventually going to only be one usable password.

load more comments (11 replies)
[–] 01189998819991197253@infosec.pub 16 points 3 weeks ago (4 children)

Correct me if I'm wrong, but the only reason to limit password length, is to save carrying cost on the database. But the only reason that this would be value added, is if the passwords are encrypted in reversible encryption, instead of hashed. Isn't this against some CISA recommendation?

[–] HK65@sopuli.xyz 13 points 3 weeks ago (1 children)

One other reason I could see is pure idiocy. Like I've seen that there is a bias to using every feature some software has, and if a max limit can be set, it will be set, to a "reasonable" value.

load more comments (1 replies)
load more comments (3 replies)
[–] henfredemars@infosec.pub 14 points 3 weeks ago (1 children)

I'd like to not solve a boolean satisfiability problem along the way, please.

load more comments (1 replies)
[–] TheBat@lemmy.world 13 points 3 weeks ago

Fuck1ngKil!M3

[–] Asafum@feddit.nl 13 points 3 weeks ago (2 children)

I happened to freeze all my credit in the same weekend I switched car insurance so I don't know who is to blame (my bet is on GEICO) but starting Monday I've been getting a bunch of spam calls and texts...

Such scumbags... If it's the credit agencies they caused the problem for me to be there and are now profiting off the "solution" and if it's GEICO it's probably worse since I'm already fucking paying them, but no they need more.

load more comments (2 replies)
[–] voracitude@lemmy.world 11 points 3 weeks ago

Oh boy. If you think this is bad, you should try waiting a few weeks or months after you're signed up this time, then sign up for a new account using your current details, just with a different email. Spoiler: if you can answer the security questions, you're home free.

And remember that between the Equifax leak and more recent hacks, at this point, every sensitive detail for every member of the economy is now in the hands of bad actors. If they want your shit, or into it, they'll social engineer it.

Should passwords have maximum character counts? Sure, to prevent overflow attacks (or whatever) by pasting five different analyses of the movie Primer as your password. It should be longer than 20 in any case. But are there other, way worse security issues? Yes.

[–] delirious_owl@discuss.online 11 points 3 weeks ago

Open a bug report

[–] drwho@beehaw.org 10 points 3 weeks ago

Huh - they increased it!

load more comments
view more: next ›