September 28, 2007

Password Security – Or Lack Thereof

I have to tell you about something that really pisses me off. That is sites with really crappy password security policies. I don’t mean the sites that require alpha, numeric & symbols — it makes sense, makes it harder to brute force. The sites that really piss me off are the sites that unreasonably limit your password length. I use a password that is between 11 and 18 characters long, depending on the security level. Granted, 18 characters is a bit long for most people, but I like to have my passwords a little longer, a little more secure. I can accept sites limiting you to something like 16 characters. Microsoft’s “Live” service does this (it truncates w/o warning) and US Bank does the same thing (again, Silently). But I found a financial site today that I just want to stab, for having such STUPID password policies.

Yes. The very same company that brought you the unlimited “Black” card (properly known as the “Centurion Card”) has one of the WORST password requirements I’ve ever seen. My AIM password is more complex than their system allows!!! If you are wondering exactly what their policy is, here you go (Direct from their Registration Page):

Your Password should contain 6 to 8 characters . at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, *, $, @) and be different from your User ID.

You read that correctly, they allow a max password length of 8 characters. It’s case insensitive. Oh, and you can’t use special characters. … I’m sorry… WHAT THE F***?!!?!?! This is a financial website!!! This is a big company!! They should know freaking better!! MY USERNAME IS LONGER THAN MY PASSWORD!! There are huge concerns about phishing on the internet, and brute forcing an 8 character password is cake for computers these days. This password limit is arbitrary and asinine at best.
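To put numbers on that, here is an added example (not part of the original post) that counts every password the quoted policy allows and compares it with a longer, case-sensitive policy that permits symbols. The comparison policy (8 to 18 characters, 32 symbols) and the guess rate are assumptions chosen for illustration.

```python
from math import log2

def count_passwords(min_len, max_len, letters, digits, symbols=0):
    """Count strings of min_len..max_len characters that contain at least
    one letter and at least one digit (inclusion-exclusion per length)."""
    alphabet = letters + digits + symbols
    total = 0
    for n in range(min_len, max_len + 1):
        no_letter = (digits + symbols) ** n   # strings with no letter at all
        no_digit = (letters + symbols) ** n   # strings with no digit at all
        neither = symbols ** n                # subtracted twice, add back once
        total += alphabet ** n - no_letter - no_digit + neither
    return total

def hours_to_exhaust(space, guesses_per_second):
    """Worst-case hours to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / 3600

# Policy quoted in the post: 6 to 8 characters, not case sensitive
# (26 letters), digits, no spaces or special characters.
QUOTED = count_passwords(6, 8, letters=26, digits=10)

# Assumed comparison policy: 8 to 18 characters, case sensitive
# (52 letters), digits, and 32 printable ASCII symbols.
LONGER = count_passwords(8, 18, letters=52, digits=10, symbols=32)

# Assumed guess rate for an offline attack on a fast hash. Online
# guessing against a login form is far slower and can be rate limited.
ASSUMED_RATE = 1e9

if __name__ == "__main__":
    for name, space in (("quoted policy", QUOTED), ("longer policy", LONGER)):
        print(f"{name}: {space:.3e} passwords, "
              f"{log2(space):.1f} bits, "
              f"{hours_to_exhaust(space, ASSUMED_RATE):.3g} hours to exhaust")
```

The rule that sounds strictest, "at least one letter and one number", actually shrinks the space slightly, because it rules out all-letter and all-digit passwords.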

Ok… Calming down here. I really am a big fan of internet banking. I love being able to do everything online. I just signed up for American Express, and I’m already tempted to cancel my account simply due to this password policy. Compared to every other financial website I use, American Express is just depressing. Many financial companies’ websites go as far as making you register your computer (annoying, but it is more secure). Some you have to enter multiple pieces of secure information. Am Ex? 8 Characters, tops. I’m not asking them for a lot. In fact, if anyone from American Express reads this, this is exactly what I want:

  1. You need to increase the max length to at least 18 characters.
  2. You need to make the alpha text case sensitive.
  3. You need to allow for symbols.

Update (2007-09-28 @ 11:10) I actually wrote American Express customer service last night and asked them about this. They sent me back a nice canned response. It’s about a page long, but here is the “important part”:

Please be advised that American Express monitors all accounts to detect suspicious activity and we do not hold our Cardmembers liable for any unauthorized charges.

If you suspect that you have unauthorized charges on your statement, please contact us at the number on the back of your Card as soon as possible (24 hours/7 days). If you are outside of the United States, please call us collect at 1-336-393-1111. For a list of phone numbers, please visit

So there you go. American Express apparently believes more in their background monitoring than the need for passwords. Ok, Fine. I still wish I could use some of my regular passwords though.

Update (2007-09-28 @ 12:05) This article made top 10 at Digg. What the Deuce?!