Not only does the credit bureau max out their password length, you have a small list of available non-alphanumeric characters you can use, and no spaces. Also you cannot used a plused email address, and it had an issue with my self hosted email alias, forcing me to use my gmail address.

Both Experian and transunion had no password length limitations, nor did they require my username be my email address.

Update: I have been unable to log into my account for the last 3 days now. Every time I try I get a page saying to call customer service. After a total of 2 hours on hold I finally found the issue, you cannot connect to Equifax using a VPN. In addition there is no option for 2FA (not even email or sms) and they will hang up on you if you push the issue of their security being lax. Their reasoning for lax security and no vpn usage is “well all of our other customers are okay with this”.

  • js10@reddthat.com
    link
    fedilink
    arrow-up
    19
    ·
    4 months ago

    I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?

    • DigitalDilemma
      link
      fedilink
      English
      arrow-up
      20
      ·
      4 months ago

      since the plain text isnt stored

      I’m not sure I’d accept a bet on that assumption.

    • Vivendi@lemmy.zip
      link
      fedilink
      arrow-up
      19
      ·
      4 months ago

      Their backend is really, REALLY garbage. Maybe it is some of that Microsoft trash that they snake oil’d into a lot of public offices and dumbass corpo managers, but whatever is running that site, has me concerned. You don’t do fucky things with passwords unless your backend is doing something really stupid.

    • daddy32@lemmy.world
      link
      fedilink
      arrow-up
      10
      ·
      4 months ago

      Calculating hashes is supposedly more expensive for longer strings. That could be used to simplify some kind of overload attack like DDOS.

      • xthexder@l.sw0.com
        link
        fedilink
        arrow-up
        10
        ·
        4 months ago

        If they’re not already rate-limiting login attempts that’s another huge problem…

      • ReveredOxygen@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        5
        ·
        4 months ago

        If they’re using md5 (which would be in line with their security practices), the block size is 512 bits. That means that everything less than 64 characters is the same cost