Thoughts, ideas, tips, musings, and pontifications (not necessarily in that order) by Ben Forta ...
NOTE: This is my personal blog, and the opinions and statements voiced here are my own.

March 9, 2010

Amex: Make Your Passwords Secure, Just Not Too Secure

I reset online passwords regularly (as should everyone). And I approve of password restrictions (minimum lengths, no reuse, at least one digit and one uppercase, etc.). But, as you can see in this validation screen, American Express apparently does not want passwords to be *too* secure! FAIL!

Comments
and passwords are case-insensitive. Easily the worst password policy of all financial related accounts I have.
# Posted By Trout | 3/9/10 4:02 PM
It's surprising because their website is very modern, with lots of cool AJAX and Flash, but this policy is obviously out of date.
# Posted By Kalen Gibbons | 3/9/10 4:17 PM
PCMag ran a story including a response from AMEX about their ridiculous password policy:

http://www.pcmag.com/article2/0,2817,2358985,00.as...

From the article:

"We discourage the use of special characters because hacking softwares can recognize them very easily.

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked."

Who knew? I've since changed all my passwords to 'qwerty'!
# Posted By Joe Zack | 3/9/10 5:40 PM
These are also the folks that limit an address line to 20 characters during an address change. Oops!
# Posted By Terry Schmitt | 3/9/10 5:50 PM
Oddly, banks and credit card companies seem to be the worst offenders of these terrible password policies. I cancelled one bank account (TCF) because of their terrible password policy.
# Posted By Jason Dean | 3/9/10 7:42 PM
Well... if they are too secure it takes the government too long to crack them ...
(Article: The government has all the keys ... summary title). The gov't keys really don't matter, banks scan for odd activity and report anyway!
# Posted By gtf | 3/15/10 9:00 AM
