Experian

usa.experian.com

Last update: February 2024

 

Grade

74/100

C

 

Grade Breakdown

Username and Password Limitations

Experian users log in with a custom username (which could be their email address) and password. Experian has the following password requirements:

  • Between 8 and 35 characters
  • 1 upper-case letter
  • 1 lower-case letter
  • 1 number
  • 1 or more of certain special characters: _ @ ~ ! ? # $ ^ + = : ; , | / ( ) & { } [ \ . -

5/5

 

Multi-factor Authentication

Experian supports SMS and a security question for MFA. The SMS step can be bypassed by instead providing the security question answer and the user's 4-digit PIN (set up when creating the account).

Minus 2 points for a weak form of MFA.

3/5

 

"Forgot Login" Flows

Experian has different flows for forgotten username and forgotten password.

The forgotten username flow asks for the user's birthday and SSN. If those are entered correctly, the user receives an email containing the username. The page confirming that the email was sent shows an obscured version of the user's email address (e.g. du*****@gmail.com).

The forgotten password flow first asks for the username. It then asks for the user's phone number, to which a verification code is texted. As with the standard login flow, this step can be bypassed by providing the security question answer and 4-digit PIN instead.

At the end of the flow is a password reset page.

In short: to break into a user's Experian account, an attacker would need to know the username (which can only be recovered via email by providing the user's birthday and SSN), the security question answer, and the 4-digit PIN. Minus 1 point because the account can be accessed with information that is relatively easy to obtain or guess.

4/5

 

Account Change Notification

Experian sends an email notification when the password, email address, PIN, or security question is changed. If the email address is changed, the notification goes to the old email address.

5/5

 

View Login History and Remote Logout

Experian does not have a login history or remote logout feature.

0/5