Equifax clearly doesn't want you to use a password manager

Like British Gas before them, Equifax clearly doesn't want you to use a password manager to store your passwords.

What other explanation can there be for the credit rating company to frustrate any attempts to paste passwords (into its online form by instantly blanking them out again?

Equifax

It's all very well for the Equifax website to ask you to choose a password that is up to 20 characters long (why the upper limit by the way?), and consisting of both numbers and letters, but wouldn't it be great if it wasn't discouraging the use of password managers like LastPass and 1Password through the company's bizarre dislike of pasting a hard-to-crack, hard-to-remember password into the form's field?

(Sorry, that was a long sentence. But this kind of dumb behaviour by websites is exasperating.)

Reader Clive Moon was similarly concerned, and dropped me a note tipping me off to the problem:

Wanted to check my credit score with Equifax, and the sign-in process requires a password. I always use the KeePass generator, but Equifax wouldn't let me paste into the web form, using IE 11. (I usually use Firefox, but the site hardly worked at all in Firefox).

So, I ended up typing a 20 character password, with mixed case and numbers. Twice.

Come on Equifax, sort it out. Security-minded users want to have complex, hard-to-crack, unique passwords. And they want to be able to paste in those passwords rather than fumble around typing them in character by character.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

16 Responses

  1. Wayne

    August 25, 2015 at 7:08 pm #

    They must have changed something recently. I have an account there and by looking at the password I have saved in LastPass I know it isn't one I typed in myself.

  2. Ken eastwood

    August 25, 2015 at 7:11 pm #

    It's a pain this isn't it?

    I use 1Password and often encounter similar problems. had to laugh recently when asked to change a site password to "ensure security" only to find that I couldn't paste, couldn't use anything over 12 characters and couldn't use special characters. So much for "ensuring security"!

    Ken

  3. Bob

    August 25, 2015 at 9:06 pm #

    The simple answer is to use an offline password manager like Keepass. It emulates keystrokes and doesn't rely upon traditional 'copy and paste' The other benefit is that it uses obfuscation to trick key loggers that can intercept ordinary copy and paste operations.

    An offline manager is a more secure (and free) alternative. You do sacrifice some convenience and need to ensure that it's backed up regularly.

    It doesn't excuse Equifax's behaviour however – they should be encouraging and not dissuading users to store their credentials securely.

    • wally in reply to Bob.

      August 25, 2015 at 10:52 pm #

      Yes, but,
      I also use KeePass2 for it's good design and cross-platform ability.
      There are sites that have blocked using KP2, so you can't count on the particular pw manager. I have emailed certain companies asking why they would block my use of 30 char complex passwords and compromise my security (in more detail) and have had success in them changing their logon policy.
      You might not think those involved in the setup need that explanation, but sometimes they do. We all have are blind spots (often much to our own surprise).

      • Bob in reply to wally.

        August 26, 2015 at 11:58 am #

        I've not noticed that Keepass has been blocked. I'll look out for that.

        Last time I checked Keepass emulates a keyboard so that when you use the Auto-Type function (and not the copy and paste) the website believes it is input from the keyboard being received.

        I don't know how a website would be able to block this behaviour because the OS sandboxes the keyboard process. Are you sure that it's Auto-Type that is being blocked and not plain copy and paste?

  4. ElBarto

    August 25, 2015 at 9:47 pm #

    Great behavior for keylogging!!

  5. Jim

    August 26, 2015 at 6:12 am #

    Sometimes browsers with Javascript in forms won't accept the right-click Paste, but will accept CTRL-V (or OS equivalent).
    Seems to work in this case (at least from my browser). Agreed its not totally obvious though

  6. Anonymous

    August 26, 2015 at 9:48 am #

    >to choose a password that is up to 20 characters long (why the upper limit by the way?)

    Outlook/Hotmail still has a max 16 character limit.

    • Bob in reply to Anonymous.

      August 26, 2015 at 11:47 am #

      If the company has an effective brute-force defence then the account will be locked after 3 [insert any number here] incorrect attempts. Therefore a 16 character password will provide more than adequate protection.

      If somebody managed to perform an offline attack against the passwords then having a really long password is the least of your concerns. The same hackers would very likely be able to bypass the password and go straight to the data.

      Longer passwords aren't beneficial for website logins. Effective early defence systems built in from the bottom up are the solution.

  7. Bob

    August 26, 2015 at 12:21 pm #

    Here's a great article about companies who block the use of password managers and it has a list to another site that tells you how you can disable a website blocking copy and paste operations.

    http://www.wired.com/2015/07/websites-please-stop-blocking-password-managers-2015/

  8. Rob Thornton

    August 26, 2015 at 5:05 pm #

    What concerns me even more is that it used to be possible to post off a ten pounds postal order and get a copy of your Credit statement posted to you, (it's actually one of the stated rights from the UK Data Commissioner and they have a certain time to respond). The credit companies that have a very substantial monopoly and power started the online systems that are another way of creaming off large l amounts of money and leaving people with just another direct debit to pay based out of fear, I recently wrote a sample letter to three of them. two refused point blank to return the report as requested , saying that it was a "security issue". and that they allow one a free credit report (this is true but it requires your credit card numbers and details) . It was only after two threatening letters to report them to the data commissioner that they actually then sent the printed report!

  9. Joe M

    August 26, 2015 at 6:48 pm #

    I just logged into Equifax. I have not been on this site in a few years.
    I logged in with no problem using Last Pass.

    • Clive in reply to Joe M.

      August 27, 2015 at 11:09 am #

      Joe, this was the account registration form, not the log-in form, which backs up what Jamie says.

  10. Jamie Graves

    August 27, 2015 at 9:52 am #

    I recently found this on Ebay's password reset screen.

    I've also found there's sometimes a gap between certain elements of the UI team. For example, the sign-up screen will allow you to paste >32 characters, but when you log in to an account, you're limited to the 32 characters stipulated on the sign-up screen. It took me ages to figure out what was going on!

  11. Vito

    August 27, 2015 at 5:09 pm #

    No responsible user can NOT use a password manager any more. Web sites that defeat password managers are solidly in the idiotic category.

    Many sites are still living in the last century as far as passwords are concerned. For example, I know of a bank and a (separate) credit card company that do not allow passwords with special characters, no case-dependency for alphabetical characters, and impose a 16 character limit.

    And I'm still finding sites that want to be so very helpful by emailing my username and password in the clear (unencrypted) "for my convenience". Changing the password does no good; they just email the new one. Morons.

  12. Jim

    September 3, 2015 at 5:51 am #

    This seemed relevant. Just found it and knew immediately where it belonged …

    http://www.prioritized.net/blog/re-enabling-password-pasting-on-annoying-web-forms/

Leave a Reply