Equifax clearly doesn’t want you to use a password manager

Like British Gas before them, Equifax clearly doesn’t want you to use a password manager to store your passwords.

What other explanation can there be for the credit rating company to frustrate any attempts to paste passwords (into its online form by instantly blanking them out again?


It’s all very well for the Equifax website to ask you to choose a password that is up to 20 characters long (why the upper limit by the way?), and consisting of both numbers and letters, but wouldn’t it be great if it wasn’t discouraging the use of password managers like LastPass and 1Password through the company’s bizarre dislike of pasting a hard-to-crack, hard-to-remember password into the form’s field?

Sign up to our free newsletter.
Security news, advice, and tips.

(Sorry, that was a long sentence. But this kind of dumb behaviour by websites is exasperating.)

Reader Clive Moon was similarly concerned, and dropped me a note tipping me off to the problem:

Wanted to check my credit score with Equifax, and the sign-in process requires a password. I always use the KeePass generator, but Equifax wouldn’t let me paste into the web form, using IE 11. (I usually use Firefox, but the site hardly worked at all in Firefox).

So, I ended up typing a 20 character password, with mixed case and numbers. Twice.

Come on Equifax, sort it out. Security-minded users want to have complex, hard-to-crack, unique passwords. And they want to be able to paste in those passwords rather than fumble around typing them in character by character.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

16 comments on “Equifax clearly doesn’t want you to use a password manager”

  1. Wayne

    They must have changed something recently. I have an account there and by looking at the password I have saved in LastPass I know it isn't one I typed in myself.

  2. Ken eastwood

    It's a pain this isn't it?

    I use 1Password and often encounter similar problems. had to laugh recently when asked to change a site password to "ensure security" only to find that I couldn't paste, couldn't use anything over 12 characters and couldn't use special characters. So much for "ensuring security"!


  3. Bob

    The simple answer is to use an offline password manager like Keepass. It emulates keystrokes and doesn't rely upon traditional 'copy and paste' The other benefit is that it uses obfuscation to trick key loggers that can intercept ordinary copy and paste operations.

    An offline manager is a more secure (and free) alternative. You do sacrifice some convenience and need to ensure that it's backed up regularly.

    It doesn't excuse Equifax's behaviour however – they should be encouraging and not dissuading users to store their credentials securely.

    1. wally · in reply to Bob

      Yes, but,
      I also use KeePass2 for it's good design and cross-platform ability.
      There are sites that have blocked using KP2, so you can't count on the particular pw manager. I have emailed certain companies asking why they would block my use of 30 char complex passwords and compromise my security (in more detail) and have had success in them changing their logon policy.
      You might not think those involved in the setup need that explanation, but sometimes they do. We all have are blind spots (often much to our own surprise).

      1. Bob · in reply to wally

        I've not noticed that Keepass has been blocked. I'll look out for that.

        Last time I checked Keepass emulates a keyboard so that when you use the Auto-Type function (and not the copy and paste) the website believes it is input from the keyboard being received.

        I don't know how a website would be able to block this behaviour because the OS sandboxes the keyboard process. Are you sure that it's Auto-Type that is being blocked and not plain copy and paste?

  4. ElBarto

    Great behavior for keylogging!!

  5. Jim

    Sometimes browsers with Javascript in forms won't accept the right-click Paste, but will accept CTRL-V (or OS equivalent).
    Seems to work in this case (at least from my browser). Agreed its not totally obvious though

  6. Anonymous

    >to choose a password that is up to 20 characters long (why the upper limit by the way?)

    Outlook/Hotmail still has a max 16 character limit.

    1. Bob · in reply to Anonymous

      If the company has an effective brute-force defence then the account will be locked after 3 [insert any number here] incorrect attempts. Therefore a 16 character password will provide more than adequate protection.

      If somebody managed to perform an offline attack against the passwords then having a really long password is the least of your concerns. The same hackers would very likely be able to bypass the password and go straight to the data.

      Longer passwords aren't beneficial for website logins. Effective early defence systems built in from the bottom up are the solution.

  7. Bob

    Here's a great article about companies who block the use of password managers and it has a list to another site that tells you how you can disable a website blocking copy and paste operations.


  8. Rob Thornton

    What concerns me even more is that it used to be possible to post off a ten pounds postal order and get a copy of your Credit statement posted to you, (it's actually one of the stated rights from the UK Data Commissioner and they have a certain time to respond). The credit companies that have a very substantial monopoly and power started the online systems that are another way of creaming off large l amounts of money and leaving people with just another direct debit to pay based out of fear, I recently wrote a sample letter to three of them. two refused point blank to return the report as requested , saying that it was a "security issue". and that they allow one a free credit report (this is true but it requires your credit card numbers and details) . It was only after two threatening letters to report them to the data commissioner that they actually then sent the printed report!

  9. Joe M

    I just logged into Equifax. I have not been on this site in a few years.
    I logged in with no problem using Last Pass.

    1. Clive · in reply to Joe M

      Joe, this was the account registration form, not the log-in form, which backs up what Jamie says.

  10. Jamie Graves

    I recently found this on Ebay's password reset screen.

    I've also found there's sometimes a gap between certain elements of the UI team. For example, the sign-up screen will allow you to paste >32 characters, but when you log in to an account, you're limited to the 32 characters stipulated on the sign-up screen. It took me ages to figure out what was going on!

  11. Vito

    No responsible user can NOT use a password manager any more. Web sites that defeat password managers are solidly in the idiotic category.

    Many sites are still living in the last century as far as passwords are concerned. For example, I know of a bank and a (separate) credit card company that do not allow passwords with special characters, no case-dependency for alphabetical characters, and impose a 16 character limit.

    And I'm still finding sites that want to be so very helpful by emailing my username and password in the clear (unencrypted) "for my convenience". Changing the password does no good; they just email the new one. Morons.

  12. Jim

    This seemed relevant. Just found it and knew immediately where it belonged …


What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.