Equifax clearly doesn’t want you to use a password manager

Graham Cluley

Equifax clearly doesn't want you to use a password manager

Like British Gas before them, Equifax clearly doesn’t want you to use a password manager to store your passwords.

What other explanation can there be for the credit rating company to frustrate any attempts to paste passwords (into its online form by instantly blanking them out again?

Equifax

It’s all very well for the Equifax website to ask you to choose a password that is up to 20 characters long (why the upper limit by the way?), and consisting of both numbers and letters, but wouldn’t it be great if it wasn’t discouraging the use of password managers like LastPass and 1Password through the company’s bizarre dislike of pasting a hard-to-crack, hard-to-remember password into the form’s field?

(Sorry, that was a long sentence. But this kind of dumb behaviour by websites is exasperating.)

Reader Clive Moon was similarly concerned, and dropped me a note tipping me off to the problem:

Wanted to check my credit score with Equifax, and the sign-in process requires a password. I always use the KeePass generator, but Equifax wouldn’t let me paste into the web form, using IE 11. (I usually use Firefox, but the site hardly worked at all in Firefox).

So, I ended up typing a 20 character password, with mixed case and numbers. Twice.

Come on Equifax, sort it out. Security-minded users want to have complex, hard-to-crack, unique passwords. And they want to be able to paste in those passwords rather than fumble around typing them in character by character.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

16 Replies to “Equifax clearly doesn’t want you to use a password manager”

  1. They must have changed something recently. I have an account there and by looking at the password I have saved in LastPass I know it isn't one I typed in myself.

  2. It's a pain this isn't it?

    I use 1Password and often encounter similar problems. had to laugh recently when asked to change a site password to "ensure security" only to find that I couldn't paste, couldn't use anything over 12 characters and couldn't use special characters. So much for "ensuring security"!

    Ken

  3. The simple answer is to use an offline password manager like Keepass. It emulates keystrokes and doesn't rely upon traditional 'copy and paste' The other benefit is that it uses obfuscation to trick key loggers that can intercept ordinary copy and paste operations.

    An offline manager is a more secure (and free) alternative. You do sacrifice some convenience and need to ensure that it's backed up regularly.

    It doesn't excuse Equifax's behaviour however – they should be encouraging and not dissuading users to store their credentials securely.

    1. Yes, but,
      I also use KeePass2 for it's good design and cross-platform ability.
      There are sites that have blocked using KP2, so you can't count on the particular pw manager. I have emailed certain companies asking why they would block my use of 30 char complex passwords and compromise my security (in more detail) and have had success in them changing their logon policy.
      You might not think those involved in the setup need that explanation, but sometimes they do. We all have are blind spots (often much to our own surprise).

      1. I've not noticed that Keepass has been blocked. I'll look out for that.

        Last time I checked Keepass emulates a keyboard so that when you use the Auto-Type function (and not the copy and paste) the website believes it is input from the keyboard being received.

        I don't know how a website would be able to block this behaviour because the OS sandboxes the keyboard process. Are you sure that it's Auto-Type that is being blocked and not plain copy and paste?

  4. Sometimes browsers with Javascript in forms won't accept the right-click Paste, but will accept CTRL-V (or OS equivalent).
    Seems to work in this case (at least from my browser). Agreed its not totally obvious though

  5. >to choose a password that is up to 20 characters long (why the upper limit by the way?)

    Outlook/Hotmail still has a max 16 character limit.

    1. If the company has an effective brute-force defence then the account will be locked after 3 [insert any number here] incorrect attempts. Therefore a 16 character password will provide more than adequate protection.

      If somebody managed to perform an offline attack against the passwords then having a really long password is the least of your concerns. The same hackers would very likely be able to bypass the password and go straight to the data.

      Longer passwords aren't beneficial for website logins. Effective early defence systems built in from the bottom up are the solution.

  6. Here's a great article about companies who block the use of password managers and it has a list to another site that tells you how you can disable a website blocking copy and paste operations.

    http://www.wired.com/2015/07/websites-please-stop-blocking-password-managers-2015/

  7. What concerns me even more is that it used to be possible to post off a ten pounds postal order and get a copy of your Credit statement posted to you, (it's actually one of the stated rights from the UK Data Commissioner and they have a certain time to respond). The credit companies that have a very substantial monopoly and power started the online systems that are another way of creaming off large l amounts of money and leaving people with just another direct debit to pay based out of fear, I recently wrote a sample letter to three of them. two refused point blank to return the report as requested , saying that it was a "security issue". and that they allow one a free credit report (this is true but it requires your credit card numbers and details) . It was only after two threatening letters to report them to the data commissioner that they actually then sent the printed report!

  8. I just logged into Equifax. I have not been on this site in a few years.
    I logged in with no problem using Last Pass.

  9. I recently found this on Ebay's password reset screen.

    I've also found there's sometimes a gap between certain elements of the UI team. For example, the sign-up screen will allow you to paste >32 characters, but when you log in to an account, you're limited to the 32 characters stipulated on the sign-up screen. It took me ages to figure out what was going on!

  10. No responsible user can NOT use a password manager any more. Web sites that defeat password managers are solidly in the idiotic category.

    Many sites are still living in the last century as far as passwords are concerned. For example, I know of a bank and a (separate) credit card company that do not allow passwords with special characters, no case-dependency for alphabetical characters, and impose a 16 character limit.

    And I'm still finding sites that want to be so very helpful by emailing my username and password in the clear (unencrypted) "for my convenience". Changing the password does no good; they just email the new one. Morons.

  11. This seemed relevant. Just found it and knew immediately where it belonged …

    http://www.prioritized.net/blog/re-enabling-password-pasting-on-annoying-web-forms/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES