Amex: Make Your Passwords Secure, Just Not Too Secure

I reset online passwords regularly (as should everyone). And I approve of password restrictions (minimum lengths, no reuse, at least one digit and one uppercase, etc.). But, as you can see in this validation screen, American Express apparently does not want passwords to be *too* secure! FAIL!

6 responses to “Amex: Make Your Passwords Secure, Just Not Too Secure”

  1. Trout Avatar

    and passwords are case-insensitive. Easily the worst password policy of all financial related accounts I have.

  2. Kalen Gibbons Avatar
    Kalen Gibbons

    It’s surprising because their website is very modern, with lots of cool AJAX and Flash, but this policy is obviously out of date.

  3. Joe Zack Avatar
    Joe Zack

    PCMag ran a story including a response from AMEX about their ridiculous password policy:,2817,2358985,00.asp
    From the article:
    "We discourage the use of special characters because hacking softwares can recognize them very easily.
    The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".
    Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked."
    Who knew? I’ve since changed all my passwords to ‘qwerty’!

  4. Terry Schmitt Avatar
    Terry Schmitt

    These are also the folks that limit an address line to 20 characters during an address change. Oops!

  5. Jason Dean Avatar
    Jason Dean

    Oddly, banks and credit card companies seems to be the worst offenders of these terrible password policies. I cancelled one bank account (TCF) because of their terrible password policy.

  6. gtf Avatar

    Well… if they are too secure it takes the government too long to crack them …
    (Article: The government has all the keys … summary title). The gov’t keys really doesn’t matter, banks scan for odd activity and report anyway!

Leave a Reply