I reset online passwords regularly (as should everyone). And I approve of password restrictions (minimum lengths, no reuse, at least one digit and one uppercase, etc.). But, as you can see in this validation screen, American Express apparently does not want passwords to be *too* secure! FAIL!
and passwords are case-insensitive. Easily the worst password policy of all the financial-related accounts I have.
It’s surprising because their website is very modern, with lots of cool AJAX and Flash, but this policy is obviously out of date.
PCMag ran a story including a response from AMEX about their ridiculous password policy:
http://www.pcmag.com/article2/0,2817,2358985,00.asp
From the article:
"We discourage the use of special characters because hacking softwares can recognize them very easily.
The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".
Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked."
Who knew? I’ve since changed all my passwords to ‘qwerty’!
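The post and the quoted AmEx response above disagree about what an 8-character, letters-and-digits-only, case-insensitive limit does to security. The following Python, added here as an illustration (it is not code from the post or from American Express), models that policy and a conventional one as data and compares the number of candidates an attacker has to enumerate. The 6-character minimum for the AmEx-like policy, the 94-symbol alphabet of the comparison policy, and the guess rate in the demo are assumptions for the sake of the calculation.

```python
"""Keyspace comparison for the password policies discussed on this page.

Added example; not code from the original post or from American Express.
The AmEx-like policy follows what the post and comments state: at most
8 characters, letters and digits only, case-insensitive. The minimum
length (6) and the guess rate used in the demo are assumptions.
"""
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: str        # distinct symbols an attacker must try per position
    min_len: int
    max_len: int
    case_sensitive: bool

    def canonical(self, password: str) -> str:
        """The credential as the server effectively compares it.

        A case-insensitive check collapses 'Secret12' and 'secret12' into
        one secret, so the attacker only needs the lowercase form.
        """
        return password if self.case_sensitive else password.lower()

    def accepts(self, password: str) -> bool:
        """True if the policy would let a user set this password."""
        pw = self.canonical(password)
        return (self.min_len <= len(pw) <= self.max_len
                and all(c in self.alphabet for c in pw))

    def keyspace(self) -> int:
        """Distinct secrets an exhaustive attacker must enumerate,
        summed over every permitted length."""
        n = len(self.alphabet)
        return sum(n ** length for length in range(self.min_len, self.max_len + 1))

    def entropy_bits(self) -> float:
        """Upper bound on strength, assuming uniformly random choice."""
        return math.log2(self.keyspace())


# Policy described in the post: once case is ignored, letters + digits = 36 symbols.
# min_len=6 is an assumption; the page only states the 8-character maximum.
AMEX_LIKE = Policy("AmEx-like (as described in the post)",
                   alphabet=string.ascii_lowercase + string.digits,
                   min_len=6, max_len=8, case_sensitive=False)

# Comparison policy (assumed): case-sensitive printable ASCII, 8 to 64 chars.
SANE = Policy("case-sensitive printable ASCII, 8-64 chars",
              alphabet=string.ascii_letters + string.digits + string.punctuation,
              min_len=8, max_len=64, case_sensitive=True)


def seconds_to_exhaust(policy: Policy, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return policy.keyspace() / guesses_per_second


if __name__ == "__main__":
    # Assumed rate for an offline attack against a fast, unsalted hash.
    RATE = 1e9
    for policy in (AMEX_LIKE, SANE):
        print(f"{policy.name}: {policy.entropy_bits():.1f} bits, "
              f"exhaustive search at {RATE:.0e}/s takes "
              f"{seconds_to_exhaust(policy, RATE) / 86400:.3g} days")
    # The "special characters are easy to recognise" claim cuts the other way:
    # every symbol the policy forbids is one fewer the attacker must try.
    print("AmEx-like accepts 'Tr0ub4dor&3!':", AMEX_LIKE.accepts("Tr0ub4dor&3!"))
    print("Same credential after case folding:",
          AMEX_LIKE.canonical("SECRET12") == AMEX_LIKE.canonical("secret12"))
```

Run it and the AmEx-like policy comes out around 41 bits: roughly an hour of exhaustive search at a billion guesses per second, against a comparison policy whose upper bound is several hundred bits. Forbidding special characters and folding case do not hide anything from "hacking software"; they shrink the alphabet it has to cover.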
These are also the folks that limit an address line to 20 characters during an address change. Oops!
Oddly, banks and credit card companies seem to be the worst offenders when it comes to terrible password policies. I cancelled one bank account (TCF) because of their terrible password policy.
Well… if they are too secure it takes the government too long to crack them …
(Article: The government has all the keys … summary title). The gov’t keys really don’t matter; banks scan for odd activity and report anyway!