Yeah well, if you’re so smart let’s see you write a website in COBOL.

This implies they're storing the plaintext password.

Ideally the password would be hashed with a salt and then stored. Then it's a fixed length field and it shouldn't matter how long the password is.

Credit bureaus are not for your protection, they're for the protection of their clients, the banks.

Financial institution security is quite frankly a freaking joke. My bank only has the options for 11 character passwords at maximum. It's like oh come on that is way too easy these days

A 20 character password of case insensitive letters and numbers is quite unbreakable (taking billions of years to brute force). Still, what a strange way to announce your database is old and you probably aren't hashing your password with anything stronger than MD5. Or worse.

the Ring app (I think) forced me to change my Wi-Fi password because I wasn't allowed to use ampersands. according to support it's because they "use ampersands in the code"

Literally this

Imagine having to contract with a company in order for them not to fuck your life up with your own data. This is ridiculous.

My bank used to not let me type one longer than six (6) characters!

I also like that the only type of MFA that all 3 agencies implement is text/phone call. Cause likes there's nonway someone could spoof a phone number and then unfreeze your credit.

short passwords because they are trying to save bandwidth for their next time their entire database structure is downloaded

that is a painfully bad list of ~~requirements~~ bullshit

That’s security theater for you…

I have seen this on a site before and I never understood why. Whats the point of limiting the length of the password? Its not to save storage space since the plain text isnt stored and the hash should be a uniform length. So whats the advantage?

I swear password restrictions are getting to the point where there's eventually going to only be one usable password.

Just wait until you get to Transunion's site. It is a dumpster fire of consisting of the worst sign up I've ever seen, "Contact our social team" and "If you haven't logged in for awhile create a new account. I could not believe how awful it was. I had to just call and do it over the phone.

Correct me if I'm wrong, but the only reason to limit password length, is to save carrying cost on the database. But the only reason that this would be value added, is if the passwords are encrypted in reversible encryption, instead of hashed. Isn't this against some CISA recommendation?

I'd like to not solve a boolean satisfiability problem along the way, please.

I happened to freeze all my credit in the same weekend I switched car insurance so I don't know who is to blame (my bet is on GEICO) but starting Monday I've been getting a bunch of spam calls and texts...

Such scumbags... If it's the credit agencies they caused the problem for me to be there and are now profiting off the "solution" and if it's GEICO it's probably worse since I'm already fucking paying them, but no they need more.

Fuck1ngKil!M3

Oh boy. If you think this is bad, you should try waiting a few weeks or months after you're signed up this time, then sign up for a new account using your current details, just with a different email. Spoiler: if you can answer the security questions, you're home free.

And remember that between the Equifax leak and more recent hacks, at this point, every sensitive detail for every member of the economy is now in the hands of bad actors. If they want your shit, or into it, they'll social engineer it.

Should passwords have maximum character counts? Sure, to prevent overflow attacks (or whatever) by pasting five different analyses of the movie Primer as your password. It should be longer than 20 in any case. But are there other, way worse security issues? Yes.

Open a bug report