var json_comments = new Array("

$\"user-pic\"$

September 24, 2009 5:39 PM

Moderate | Flag for review

This has driven me crazy for ages. They are constantly offering to \"make my account more secure,\" too, but instead of adhering to a non-idiotic password policy, the offer is instead to enroll me in some bullshit fee service that pays my bill if I get fired while hopping one one foot under a full moon with my hair on fire and I'm singing the Star Spangled Banner.

I like my Amex, but yeah, the password issue blows. Hard.

4 replies

$\"user-pic\"$

GuinevereRucker

September 24, 2009 6:17 PM

Moderate |Flag for review

@Juliekins: On the other hand, I hate it when websites require security passwords that are difficult to remember and have to have certain things.

Enter Password: frank

*Sorry, your password must be six or more characters*

Enter Password: frankfrank

*Sorry, your password must contain at least one of !@#$%^&*.

Enter Password: frankfrank*

*Sorry, your password must contain at least one uppercase letter.

And so on... that bugs me just as much as requiring a simple password. Please, large companies with overpaid IT guys with stupid ideas, let us choose our own passwords yah?

$\"user-pic\"$

September 25, 2009 12:01 AM

Moderate |Flag for review

@GuinevereRucker: I feel you. I'm actually an IT security professional and spend a lot of time working with end users, doing security awareness workshops, what have you. I find it infuriating when a site won't lay out password requirements and force you to guess, or when they have particularly onerous requirements (15 characters, upper/lower/number/special, changes every 30 days, etc). Allowing users to use a utility like KeePass or PasswordSafe can help bridge that gap--you can make passwords as complex as is required/allowed, and you don't have to memorize anything but the master passphrase for your archive file. I'd much rather see an end user jump into something like KeePass have them write their passwords on post-its.

$\"user-pic\"$

XTC46

September 24, 2009 8:40 PM

Moderate |Flag for review

@GuinevereRucker: As one of those IT guys you seem to dislike so much, I can say with certainty that most people pick bad passwords when not told to do otherwise. I cant even count how many times ive guessed a clients password for their servers, routers, email accounts, etc. And then there were countless more that i was able to crack VERY quickly (minutes, not hours or days) with some basic software.

Like it or not, its for your own protection.

$\"user-pic\"$

September 25, 2009 12:04 AM

Moderate |Flag for review

@xtc46 - thinksmarter on twitter: The challenge, though is getting your users to buy into the idea that a strong password with an X days change interval is good for them. I can assure you they only think you're doing it to protect \"your\" stuff. Getting out there in front of your users, engaging them, helping them understand how they fit into the process (and how IT fits into the business) will go a long way towards getting them to not hate you for asking them to change their passwords and use the occasional ! or @ in the damn things.

$\"user-pic\"$

XTC46

September 25, 2009 12:41 AM

Moderate |Flag for review

@Juliekins: Getting people to understand just how important some things are is the most difficult part. The best way that i have found is to include them in the planning of things like this when possible and listen when they have concerns. But sometimes, we do have to be the bad guy and just force certain things.

$\"user-pic\"$

johnva

September 24, 2009 6:31 PM

Moderate |Flag for review

@GuinevereRucker: The reason that places have those kinds of policies is because study after study has shown that a significant percentage of people choose very weak passwords when no restrictions are placed on them. As long as we're still using passwords as authentication measures, there's going to be a tension between security and the usability problems you mention.

","

$\"user-pic\"$

zomgorly

September 24, 2009 5:43 PM

Moderate |Flag for review

I wish I could remember the credit company that I use that has the same exact policy that I found was very odd considering how secure some sites are with log ins and don't deal with my finances.

4 replies

$\"user-pic\"$

tcolberg

September 26, 2009 3:48 AM

Moderate |Flag for review

@zomgorly: Charles Schwab's site also has the same problem.

$\"user-pic\"$

September 24, 2009 8:28 PM

Moderate |Flag for review

@zomgorly: Chase has the \"no special characters\" rule, and I think they have a minimum and maximum length too, but it's not as restrictive as this one. However, Chase also has some way of remembering what computers have been used to log into the account, and requires a telephone authentication when logging on from a new computer, so that's kept me from complaining too much. Still, I always wondered why a credit card company would set either minimum or maximum password lengths, as all it does is make a brute force easier.

$\"user-pic\"$

nybiker

September 24, 2009 10:23 PM

Moderate |Flag for review

@sn1per: That Chase 'feature' isn't so much a feature as a PITA since I delete all cookies from all my browsers, so every time I log in to check my statement, it's 'oh, you're on a new computer, please let us call you to tell you the new auth code.'

$\"user-pic\"$

September 24, 2009 6:45 PM

Moderate |Flag for review

@zomgorly: Citibank? My mortgage was bought by Citi a few years ago, and I remember trying to use a better password and being denied. (In fact, IIRC, it didn't tell me why my password was unacceptable, it just didn't let me submit it. I had to use my developer brain to guess that it wanted only numbers and letters.)

Although now my Citi password is longer than 8 characters, so it may not be an exact match ...

","

$\"user-pic\"$

citking

September 24, 2009 5:43 PM

Moderate |Flag for review

Our corporate US Bank site is similar to this - I can't use special characters, only letters (upper and lower thankfully) and numbers. They also expire every 30 days, it has to start with a letter, and you can't use the same passwords within a year. I understand the year part, but seriously, no special characters??

There is no good reason on earth why a password cannot contain certain characters or has to start with a letter or can only be x characters long. Ciphers don't care what is in a password. The only reason many companies disallow the use of spaces, special characters, length, etc. is lazy programming - programmers don't sanitize text input properly and are all worried that someone might break their DB should a \"Bobby Tables\" get into the system.

One thing I love about Windows and Linux passwords: They can contain whatever you can throw at them: spaces, symbols, alt codes, you name it.

3 replies

$\"user-pic\"$

September 24, 2009 5:55 PM

Moderate |Flag for review

@citking: Little bobby tables!

One more comment like that and I wont have any option but to heart you ;)

Speaking of which, I just got the Volume 0 of the xkcd book on tuesday. The annotations and side notes are worth it (for the unsigned version anyways).

$\"user-pic\"$

citking

September 24, 2009 5:45 PM

Moderate |Flag for review

@citking: And for those not getting the Bobby Tables reference: [xkcd.com]

$\"user-pic\"$

nybiker

September 24, 2009 10:25 PM

Moderate |Flag for review

@citking: Thx. That's precious.

","

$\"user-pic\"$

September 24, 2009 5:43 PM

Moderate |Flag for review

Hmmm my Amex login does not have any such limitations... My password is in the double digits. Though now that I think of it, it does not have any special characters... Not that it makes a difference with a password that convoluted.

","

$\"user-pic\"$

September 24, 2009 5:45 PM

Moderate |Flag for review

No special characters just limits the possible character combinations that can be used for passwords to the 26 letters plus numbers 0-9. How can that be MORE secure?

","","

$\"user-pic\"$

Preyfar

September 24, 2009 5:46 PM

Moderate |Flag for review

Yeah. It's been like that for about over a year now, too. When I signed up for AMEX Plum card (free hotel nights - makes traveling and conventions dirt cheap!) they did the same thing. I was forced to choose a password that was obnoxiously stupid.

You can still do some secure passwords, but it's just not the same.

Then again, I stopped caring about my AMEX card after they dropped my credit limit by $5K... while I was staying at a hotel and the card got reject /for the room I was already staying in/. Oh, and I never got a warning, notice, e-mail, latter, etc. about my reduced limit for that. Then every time I paid off the card they dropped it by $200 here, $200 there. It's ridiculous.

","

$\"user-pic\"$

September 24, 2009 5:48 PM

Moderate |Flag for review

I tweeted about this a few weeks ago. I had a 15-character password ready to go and had to restrict it to the shorter version (which I forgot, actually, come to think of it).

","

$\"user-pic\"$

September 24, 2009 5:49 PM

Moderate |Flag for review

I've wondered that too. When all my other passwords for other sites are random letters, numbers, special characters, this one is 8 characters long. I made it as random as possible, but I don't feel too secure with it...

","

$\"user-pic\"$

September 24, 2009 5:49 PM

Moderate |Flag for review

Yep...out of all my online accounts I find it funny that my AMEX password is the LEAST secure...less secure than the one I use to login to this site.

I've sent a couple of emails but they seem to fall on dead ears. It's a shame too because I like my AMEX card because it's through Costco and I like the perks.

","

$\"user-pic\"$

September 24, 2009 5:51 PM

Moderate |Flag for review

Even my local credit union has better online password policies than my AMEX Blue Card. In fact, out of all my online banking/financial accounts, my AMEX Blue Card has the least password security.

","

$\"user-pic\"$

September 24, 2009 5:51 PM

Moderate |Flag for review

But if there is a security breach and the perps go on a shopping spree with the account info they obtain, wouldn't Amex be the only one footing the bill?

Or are we concerned that the information can lead to even more sensitive information like SS#s and new accounts with other lenders? I know nothing about web security.

1 replies

$\"user-pic\"$

September 24, 2009 7:50 PM

Moderate |Flag for review

@TinkishDelight:

I believe that you are asked to agree to their Terms of Service before signing up for online access. I don't remember the details, but I'd be surprised if they didn't include a clause saying that you're solely responsible for safeguarding your password. The one that they insist be of such low quality that it is easily cracked through brute-force methods.

[www.lockdown.co.uk]

","","

$\"user-pic\"$

Raekwon

September 24, 2009 6:04 PM

Moderate |Flag for review

My bank (PSECU) has the same lame policies. It was hard coming up with such a crappy password to protect my banking.

","

$\"user-pic\"$

wagenejm

September 24, 2009 6:04 PM

Moderate |Flag for review

6-8 characters, no special characters and not case-sensitive? That seems eerily like the password policy for a 30-year-old mainframe.

1 replies

$\"user-pic\"$

b4k4

September 24, 2009 8:39 PM

Moderate |Flag for review

@wagenejm: Sounds about right. They're probably trying to support some legacy system that should've be sent to a landfill years ago

","

$\"user-pic\"$

Red_Eye

September 24, 2009 6:12 PM

Moderate |Flag for review

Sometimes its not a matter of a lame policy but a lame Database backend. There are some Large systems out there with old policies simply because the password fields are 10 chars long or less and cant take all the odd duck characters. The cost of replacing one of these systems can be in the 8-9 digit range depending on the size of the organization.

","

$\"user-pic\"$

September 24, 2009 6:14 PM

Moderate |Flag for review

The no special characters is the fault of a kid named Little Bobby Tables.. [xkcd.com]

Funny, but also sad that its so true in big companies.

","

$\"user-pic\"$

Jeff_McAwes0me

September 24, 2009 6:15 PM

Moderate |Flag for review

Ok computer nerds, accorting to my calculations, there are exactly 2.9017 Trillion possible passwords for AMEX (36^8+36^7+36^6, that's right, right?). How long would it take to crack using brute force?

7 replies

$\"user-pic\"$

rickn99

September 24, 2009 11:10 PM

Moderate |Flag for review

@Jeff_McAwes0me: Either immediately or forever. My account locks after 3 bad attempts. Probably shouldn't have used 'aaaaaaaa', I guess.

$\"user-pic\"$

September 24, 2009 6:44 PM

Moderate |Flag for review

@Jeff_McAwes0me: What johnva said.

Most savvy hackers use Rainbow Tables. Makes thier life SOOO much easier.

$\"user-pic\"$

September 24, 2009 6:33 PM

Moderate |Flag for review

@Jeff_McAwes0me: It actually makes a huge difference. You can write a fairly simple brute force hacker that can go through all those possibilities in...well, a few hours, maybe. Under a day, for sure. Granted, they probably have a \"3 tries\" limit or something, but I wouldn't be surprised if they didn't, given this disastrous policy. Also, the vast majority of people use real words for their passwords, so if you cheated and only went through those, it'd be even faster.

$\"user-pic\"$

September 24, 2009 7:18 PM

Moderate |Flag for review

@katstermonster: I'm willing to bet that a company that has a password policy like AmEx probably is lacking on the other IT things for security.

$\"user-pic\"$

Jeff_McAwes0me

September 24, 2009 6:19 PM

Moderate |Flag for review

@Jeff_McAwes0me: In fact, it is probably slightly less than that, since there can't be any passwords that are either all numbers or all letters. Stupid AMEX. It ends up being only 2.684 Trillion.

$\"user-pic\"$

johnva

September 24, 2009 6:33 PM

Moderate |Flag for review

@Jeff_McAwes0me: Any reasonable search would not use brute force.

$\"user-pic\"$

Cant_stop_the_rock

September 24, 2009 6:31 PM

Moderate |Flag for review

@Jeff_McAwes0me:
If you could make 1000 attempts per second (keeping in mind this is a remote system you're accessing over HTTP), it would take an average of 41 years. If you could make 100,000 attempts per second, someone would notice.

$\"user-pic\"$

sqlrob

September 24, 2009 6:43 PM

Moderate |Flag for review

@Cant_stop_the_rock:
Spread across a botnet, and you're talking a lot less than 41 years.

$\"user-pic\"$

Cant_stop_the_rock

September 24, 2009 7:49 PM

Moderate |Flag for review

A random password would still take an average of 1.3 trillion attempts to find with a botnet, and I'm confident that American Expres would notice the 1.3 trillion failed login attempts on a single account.

$\"user-pic\"$

johnva

September 25, 2009 1:11 AM

Moderate |Flag for review

@Cant_stop_the_rock: Read and understand my post above about \"online\" vs. \"offline\" cracking.

$\"user-pic\"$

johnva

September 24, 2009 6:36 PM

Moderate |Flag for review

@Cant_stop_the_rock: You're assuming that it would be an online search. There's also the possibility of someone breaking into their systems, stealing their database of password hashes, and doing it offline.

$\"user-pic\"$

glorpy

September 25, 2009 2:34 AM

Moderate |Flag for review

@johnva: No special characters and case-insensitive means they're likely directly accessing the mainframe without any offloaded pre-processing, which could convert the special characters into a friendly hash. No, the password is very likely stored plaintext. And a trivial DoS attack would simply throw the same password at every possible accountname from a slew of zombie machines. You'll almost certainly get a hit, and meanwhile, you'll prevent AmEx from actually doing real authentication.

All in all, AmEx really needs to resolve this problem - especially since it's not a huge IT investment to do pre-processing on the fields on an intermediary machine.

","

$\"user-pic\"$

Cant_stop_the_rock

September 24, 2009 6:16 PM

Moderate |Flag for review

Before we assume that your password is susceptible to a brute force attack because there are only 2.9 trillion possible passwords, do we know what happens if you actually attempt a brute force attack? I don't know about American Express, but some of my financial accounts will lock me out if I make a certain number of failed login attempts.

3 replies

$\"user-pic\"$

September 24, 2009 9:26 PM

Moderate |Flag for review

@Cant_stop_the_rock: Yeah, Amex only allows 3 attempts before lockout

$\"user-pic\"$

legwork

September 24, 2009 10:13 PM

Moderate |Flag for review

@Cant_stop_the_rock: I'll bite. Who made the rule that attacks can only be made via their web interface?

Sounds like a child's \"monster\" rule, where we're safe so long as our arms don't hang off the bed.

Lazy people are a thief's best ally.

$\"user-pic\"$

September 24, 2009 7:20 PM

Moderate |Flag for review

@Cant_stop_the_rock: You're right- Maybe they spent all their money on other security procedures, rather than password strength. Then again, they probably don't give a shit about computer security.

","","

$\"user-pic\"$

knyghtryda

September 24, 2009 6:19 PM

Moderate |Flag for review

you know what is even worse than this? Banks that make you use a 4 number pin. My Wells Fargo account allows a pin of any length, but Wamu (excuse me... chase) and Citi both only allow 4 number pins. That's far worse than a 6-8 character password.

5 replies

$\"user-pic\"$

nybiker

September 24, 2009 10:30 PM

Moderate |Flag for review

@knyghtryda: My citibank pin is 6 digits.

$\"user-pic\"$

September 25, 2009 12:40 AM

Moderate |Flag for review

@nybiker: Why wouldn't the online account access be any different and not lock an account after a few failed attempts?

$\"user-pic\"$

Jeff_McAwes0me

September 24, 2009 6:22 PM

Moderate |Flag for review

@knyghtryda: Yes, but you also have to physically posess the card (unless you are referring to an internet account password, in which case... yikes). Also, I would think an ATM would eventually stop you after you try 0000, 0001, 0002... etc.

$\"user-pic\"$

XTC46

September 25, 2009 12:53 AM

Moderate |Flag for review

@Jeff_McAwes0me: My Bank's atm will actually keep the card if you type the pin wrong 5 times.

$\"user-pic\"$

JGKojak

September 24, 2009 6:27 PM

Moderate |Flag for review

@Jeff_McAwes0me:
You would THINK it would, wouldn't you?

I had a friend randomly assigned some obvious pin (0001) and the bank gave him a hard time when he wanted to change it.

","","","

$\"user-pic\"$

McFister

September 24, 2009 6:24 PM

Moderate |Flag for review

It's particularly irritating if you are auto-generating random passwords.

","

$\"user-pic\"$

JGKojak

September 24, 2009 6:26 PM

Moderate |Flag for review

The point is that this goes against established IT procedure.

This is what happens when overpaid executives who don't understand tech have to negotiate with underpaid IT contractors- that security scheme is a big F.U.-U-get-whut-u-payfor from whoever their department or contractor is- because they know the exec don't understand to ask for more.

","","","","","","

$\"user-pic\"$

ubermex

September 24, 2009 6:33 PM

Moderate |Flag for review

I hate password requirements of ANY kind. Excessive requirements end up causing me to make simple passwords out of frustration.

3 replies

$\"user-pic\"$

knyghtryda

September 24, 2009 6:41 PM

Moderate |Flag for review

There definitely needs to be some kind of minimum password requirement though. I agree that overly stringent password requirements just make users hate their passwords, but a 4 character password that's a common word isn't gonna be much better. I say stick with a minimum length (8 characters is a good minimum) and a number/special character requirement. Leave the rest to the user's discretion.

$\"user-pic\"$

September 24, 2009 7:11 PM

Moderate |Flag for review

@knyghtryda: I get especially irritated at sites that aren't anything special and that I'm only giving a name and an email address, yet ask you to give a complicated password (and even better don't tell you before you input it). I have a low end password that appears to be random letters. For most of these sites, I don't care as the damage to be done is minimal.

I also find it funny that the password gods decide my choice is much more secure if I add a 1 to the end of my random letters.

$\"user-pic\"$

XTC46

September 25, 2009 12:58 AM

Moderate |Flag for review

@RandomHookup: adding that 1 does make it more secure, not only does it add an extra character, but it adds another kind of character. use the following as an example.

password - 8 characters, all one kind of character, can be found in a dictionary, so it s very easy (and fast to crack)
Password - a bit more difficult than the above becasue now the cracker has exponentially increased the number of possibilites since now upper and lower case letters have to be taken into consideration
Password1 - Even more difficult becasue now the password is even longer, and includes 3 kinds of characters, (uppercase letters, lower case letters, and numbers) and this would meet most basic complexity requirements.

So to you, it looks pretty much the same, no big deal. To a computer trying to crack it, its significantly more work.

$\"user-pic\"$

johnva

September 24, 2009 6:40 PM

Moderate |Flag for review

@ubermex: That's always a danger, but what should be done when half of people will pick their birthday or their kid's name without restrictions? There's no great solution yet, but at least it's recognized now that the usability concerns are important to the actual security of password schemes.

","","","","","","","

$\"user-pic\"$

Skaperen

September 24, 2009 6:59 PM

Moderate |Flag for review

Having worked with computers that involve users who have passwords for over 30 years, I've learned plenty on user behavior with regard to passwords. While it is the case that the simpler password is easier to crack, the more complex passwords can actually be more vulnerable. How is this? Such passwords are generally hard to remember. So people write them down and stick them somewhere that turns out to be a common place to find passwords, and generally very near the computer (even at home). Adding in digits and special characters to a password someone can remember may be the thing that makes them forget. They forget which special character they added, and where.

The advice I give to people is to think of a phrase they figure is important (the longer the better, but at least 6 words). Use the first letter of each word. For the key words in the phrase, capitalize the letters for those. My archive master password is well over 20 characters, looks like a jumble to anyone that might see it, but is easy for me to remember despite never having written it down.

","","","","

$\"user-pic\"$

nucwin83

September 24, 2009 7:31 PM

Moderate |Flag for review

Apple's Juniper (now Barclay) card has the same types of restrictions. I've never been told my password was too long until I signed up for that website. Oh well.

","","","","","","

$\"user-pic\"$

September 24, 2009 8:52 PM

Moderate |Flag for review

Heres the deal people. There are technical reasons in the background that your password needs to be more than 8 characters. They really need to be more than 16 character actually.

In most (not all) systems the password storing tool used to encrypt the passwords was some variation of something called (LM HASH) ([en.wikipedia.org]).

Most of the hacker tools used for cracking passwords was based on cracking LM HASH. Hacker tools like \"l0pht\" and others were quite good at cracking LM HASH. Someones earlier example in this thread suggested how a password of \"AMEX\" or some combination of AMEX like \"MAXE\" would be to crack. Unfortunately it would only take l0pht about 30 to 40 minutes to crack. So anytime you see a new requirement of \"more than 16 characters, and must contain a capital letter and a special character\" are companies that have implemented a password system STRONGER than the weak LM HASH.

Now enter the world of GPGPU's (using your video cards microprocessor as a General Purpose GPU) what used to take a regualr Intel CPU 30 to 40 minutes to crack \"MAXE\" now unfortunately takes about 5 minutes using a GPGPU.

So word to the wise. Stop complaining about those long passwords. I tried to put this post in laymans terms so everyone could follow what I am saying, but trust me. An 8 character password that has only lower case passwords is TRIVIAL to crack with the tools the \"script kiddies\" have available to them today.

","

$\"user-pic\"$

Waiting for the next Ren Fest

September 24, 2009 9:10 PM

Moderate |Flag for review

I despise all the different password requirements. Since 98%* of all of all break ins are by either:

A) Someone who has hacked into their system and stolen the whole database (most common)
or
B) Social engineering (I'll give you this $5 Starbux card for your password or they look under your keyboard for a post it note)

It does not matter how strong or weak your password is at that point. It does not matter if your password is \"Password\" or \"gte*4Dr3@Z8?\", once they have stolen the main database, or found the postit note under your keyboard, you are done for.

Just let me use whatever password I want (OK, rule out Password, my name, etc), and keep your freaking systems secure.

*This is a made up statistic, but I will wager a HardCore Cider that the actual number of breeches from those is higher than that.

","","

$\"user-pic\"$

dwasifar

September 24, 2009 9:41 PM

Moderate |Flag for review

I used to work for a major bank (which I shall not name here) and I was always frustrated by the password requirements for the internal systems: Must be exactly eight characters, must contain at least one number not at the beginning or end, may not contain any of a huge number of dictionary words. With every such restriction, you knock huge groups of potential passwords out of the range of possible options, and make a brute-force attack easier to achieve. It really irked me but there was nothing I could do about it.

","","","","","

$\"user-pic\"$

nybiker

September 24, 2009 10:32 PM

Moderate |Flag for review

Let's also remember that you need to know not only the password, but my account's username to get in. I am guessing that the password is of no use if you don't know the username to which it belongs.

Or am I missing something?

","","

$\"user-pic\"$

slulplal

September 24, 2009 11:54 PM

Moderate |Flag for review

Not only are they behind on passwords, but their entire database/field limitations. their street address field only allows 20 characters. I have to remove all of the vowels from my street address just to fit it. This also makes it so that I can't use my card on the websites that do checks on exact street address names for billing address. I have to remember to devowel my address just to place an order. I will get the message once and switch to my Visa.

","","","","","

$\"user-pic\"$

September 25, 2009 12:43 AM

Moderate |Flag for review

While not the strongest, or recent \"best practices,\" but having a 6-8 character password does allow somebody to have a relatively strong level of protection.

I would also venture to guess that after a limited number of failed login attempts, the account would be locked.

Also, alphanumeric passwords avoid the possibility of SQL-injection or other variants.

Not terribly worried here.

","","","","","

$\"user-pic\"$

robo_geek

September 25, 2009 7:32 AM

Moderate |Flag for review

The lack of special characters does not make the front-end a whole lot weaker, because their authentication service is going to lock the user account after three tries, so the other 14 billion brute force attempts will be all in vain.

You could create a script to try only twice, end the session, try another two times, but the catch is that you can also have to create your own login id, which is something you cannot brute force.

The bigger concern is that the lack of special characters tells me that it's a simple database behind the scenes storing your password, as any of the more sophisticated authentication front ends for web apps (e.g. RSA ClearTrust) allow you to use a good password.

Simple databases behind web applications are frequent attack targets.

","

$\"user-pic\"$

David in Brasil

September 25, 2009 10:04 AM

Moderate |Flag for review

Slightly off topic, but my favorite Amex security rant: My company accepted Amex as a source of payment several years ago. Then we found that one of my partners was a crook; we forced him out and he set up a competing company. He diverted all of our Amex correspondence to his new company, but our name was still on the account. I called Amex to cancel our merchant agreement, but they told me that only the person who originally set the account up could do that. I explained to them that this person was now a competitor, had a history of fraud, had access to our account and I was afraid of some type of shenanigans that he could pull just to make life miserable for us. \"Too bad\", they said, and refused to make any changes to our account. I called their loss prevention department, their identity theft dept., and their customer service dept. and always got the same answer.

I decided then and there that Amex only gives lip service to identity theft.

","

$\"user-pic\"$

September 25, 2009 11:45 AM

Moderate |Flag for review

Password limitations like this were discussed on an episode of Security Now a while ago. Someone from a bank wrote in and said it was because the back end systems are so old that's all they support.

","

$\"user-pic\"$

chiieddy

September 25, 2009 12:47 PM

Moderate |Flag for review

AmEx isn't the only one. I've recently begun redoing my passwords in KeepPass and have been surprised on the lax security on some financial and other sites that have personal information (insurance, etc):

Citizens Bank - No Symbols, spaces
ING Direct - Only 4 numbers
Emigrant Direct - No Symbols, spaces
Chase - No Symbols, spaces
Discover - no Symbols, spaces
Comcast - no Symbols, spaces
ADP - limited symbols, no spaces

The vast majority of sites requires 6 - 8 characters, and I'm extremely happy when I can randomly generate 10 random ANSI characters.

","

$\"user-pic\"$

uffa

September 25, 2009 1:47 PM

Moderate |Flag for review

A few years back, Amex had different password policies. My password at the time did contain special characters and then one day I couldn't login. I knew the password was right because I used the same one on another cc site. I had to reset it and it was then that I was presented with the restrictions they have today. Strange that they would go backward like that.

","

$\"user-pic\"$

September 25, 2009 6:58 PM

Moderate |Flag for review

Yeah lots of banks and other financial institutions have a problem with this. The problem is that the financial sector were using mainframe networks long before the advent of the commercial Internet back in a time when these rules were sufficient and more complex rule were impractical and unnecessary. The problem is they are still operating on these old program and cannot handle more complex passwords.

My guess is the problem with upgrading besides the time and money involved is the systems probably has to do with being able to interface with other global institutions which may or may not be able to upgrade.

Eh - you can still construct a fairly secure password under those rules. The one I use is rated strong at PasswordMeter and with a couple of tweaks I can get it up to very strong. The hard part is creating one that is easily memorable. That is why I use Roboform and I'm considering LastPass.

To be honest while it is important to implement a strong password policy - the fact is most security breaches occur not by cracking the password, but by simply getting people to give up their password.

","","

$\"user-pic\"$

tekdemon

September 27, 2009 11:10 AM

Moderate |Flag for review

Far as I can tell having access to your account password mostly means that whoever stole it could pay your bill for you. It's not the same as your bank where you have accounts that actually hold money, and they can't use the card just from having your online account password so I suspect they haven't changed the password policy because this way it's convenient.
And I for one am going to go against the grain and say that I don't want the Amex login to be as difficult as those of other places.
Amex happens to have pretty damned good algorithms for spotting when a purchase isn't yours, and stealing your online account information is pretty worthless for Amex's website so I hope they ignore any idiotic e-mails demanding 90 character passwords.

");