Amex: Make Your Passwords Secure, Just Not Too Secure

March 8, 2010 ·

I reset online passwords regularly (as should everyone). And I approve of password restrictions (minimum lengths, no reuse, at least one digit and one uppercase, etc.). But, as you can see in this validation screen, American Express apparently does not want passwords to be *too* secure! FAIL!

6 Comments

Jason Dean March 9, 2010

Oddly, banks and credit card companies seems to be the worst offenders of these terrible password policies. I cancelled one bank account (TCF) because of their terrible password policy.

Terry Schmitt March 9, 2010

These are also the folks that limit an address line to 20 characters during an address change. Oops!

Joe Zack March 9, 2010

PCMag ran a story including a response from AMEX about their ridiculous password policy: http://www.pcmag.com/article2/0,2817,2358985,00.asp From the article: "We discourage the use of special characters because hacking softwares can recognize them very easily. The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed". Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked." Who knew? I've since changed all my passwords to 'qwerty'!

Kalen Gibbons March 9, 2010

It's surprising because their website is very modern, with lots of cool AJAX and Flash, but this policy is obviously out of date.

Trout March 9, 2010

and passwords are case-insensitive. Easily the worst password policy of all financial related accounts I have.

gtf March 15, 2010

Well... if they are too secure it takes the government too long to crack them ... (Article: The government has all the keys ... summary title). The gov't keys really doesn't matter, banks scan for odd activity and report anyway!

6 Comments

Leave a Comment