top | item 22357202


smush | 6 years ago

TransUnion does plaintext passwords.

Found that out when I typed in a (for example) 25-character password, but at some point the field was truncated down and I somehow figured out that if I backspaced, IIRC, 4 characters away, my saved password worked.

-_-


GauntletWizard | 6 years ago

This chain of logic does not follow. It is possible that your bank is properly salt+hashing your password - the truncation may have been on the back end before, and is now exposed to you because the field is shorter.

smush | 6 years ago

Maybe - but why not indicate clear password length requirements on the password entry screen and/or have the PWE text input HTML form only accept password characters up to that max length?

Additionally, silent truncation and 'maybe we do salt and hash after all' makes no sense IMO. That's not to say that I disagree that this is a possibility, only that the whole point of a hash is that it converts something of arbitrary length to a single length.

Therefore, truncating data that is fed into the hash would be computationally wasteful for no benefit, because the hash function will always produce output of a single length.

jedberg | 6 years ago

That doesn't necessarily mean they store in plaintext. They might just only hash the first 20 characters.
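The two possibilities the thread is arguing about, as an added example that is not part of the original thread and is not TransUnion's code: a hypothetical back end that silently truncates the password to 20 characters before a salted PBKDF2 hash, beside one that hashes the full password and enforces any length limit visibly. The 20-character limit, the function names and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed limit for the illustration; nothing on the page states what the
# real site's limit is.
MAX_LEN = 20
ITERATIONS = 200_000  # PBKDF2 work factor; illustrative value


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Output is always 32 bytes, whatever the
    length of the password (this is the fixed-length property smush refers to)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# --- Variant A: silent truncation BEFORE hashing (jedberg's scenario) --------

def register_truncating(password: str, salt: Optional[bytes] = None) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    # Only the first MAX_LEN characters ever reach the hash.
    return {"salt": salt, "hash": _pbkdf2(password[:MAX_LEN], salt)}


def verify_truncating(password: str, record: dict) -> bool:
    candidate = _pbkdf2(password[:MAX_LEN], record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


# --- Variant B: hash the whole password; reject over-length input explicitly --

class PasswordTooLong(ValueError):
    pass


def register_full(password: str, salt: Optional[bytes] = None,
                  max_len: Optional[int] = None) -> dict:
    # If a limit exists at all, it is enforced with an error the user can see,
    # never by quietly dropping characters.
    if max_len is not None and len(password) > max_len:
        raise PasswordTooLong(f"password longer than {max_len} characters")
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt)}


def verify_full(password: str, record: dict) -> bool:
    candidate = _pbkdf2(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def observe(password: str, backspaced: str) -> dict:
    """Reproduce the experiment from the original post against both back ends:
    enrol with the full password, then try logging in with a few characters
    backspaced off the end. Returns what the user would observe."""
    salt = os.urandom(16)
    rec_a = register_truncating(password, salt)
    rec_b = register_full(password, salt)
    return {
        "truncating_accepts_shortened": verify_truncating(backspaced, rec_a),
        "full_accepts_shortened": verify_full(backspaced, rec_b),
        "digest_len_truncating": len(rec_a["hash"]),
        "digest_len_full": len(rec_b["hash"]),
    }


if __name__ == "__main__":
    # Constructed sample: a 25-character password with the last 4 characters
    # backspaced, mirroring the post.
    pw = "correcthorsebatterystaple"
    print(observe(pw, pw[:-4]))
```

Against variant A the user sees exactly what the original post describes, even though the stored value is a salt plus a 32-byte digest and no plaintext is kept anywhere; so the backspace observation alone cannot tell plaintext storage from truncate-then-hash. Variant B never accepts the shortened password, and if a limit is wanted it is reported as an error. Note that truncation before hashing is not purely hypothetical in practice: bcrypt, for instance, only uses the first 72 bytes of its input, which is why libraries that wrap it either reject longer passwords or pre-hash them.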