this post was submitted on 21 Aug 2024
615 points (98.3% liked)

Privacy

31996 readers
1052 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is "well all of our other customers are okay with this".

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 19 points 2 months ago (3 children)

I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?

[–] [email protected] 20 points 2 months ago

since the plain text isnt stored

I'm not sure I'd accept a bet on that assumption.

[–] [email protected] 19 points 2 months ago

Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil'd into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don't do fucky things with passwords unless your backend is doing something really stupid.

[–] [email protected] 10 points 2 months ago (2 children)

Calculating hashes is supposedly more expensive for longer strings. That could be used to simplify some kind of overload attack like DDOS.

[–] [email protected] 10 points 2 months ago

If they're not already rate-limiting login attempts that's another huge problem...

[–] [email protected] 5 points 2 months ago

If they're using md5 (which would be in line with their security practices), the block size is 512 bits. That means that everything less than 64 characters is the same cost