Passwords - 2

It's been two years since I posted an entry about Passwords and highlighted an issue where even a highly respected company like Amex would only allow you to create weak passwords.

Chase, too, has some 'interesting' limitations on what I can use in passwords. The reason I am highlighting Amex is that their version is extreme, and I love Amex! My experience with their customer service has always been quite positive. Anyway, back to the subject...

Two years ago, below were the rules under which American Express 'allowed' you to create a password:

Your Password should:
* Contain 6 to 8 characters - at least one letter and one number (not case sensitive)
* Contain no spaces or special characters (e.g., &, >, *, $, @)
* Be different from your User ID and your last Password

Two years later the rules have changed for the better, but not by much:

Your Password:
* Must be different from your User ID
* Must contain 8 to 20 characters, including one letter and number
* May include the following characters: %,&, _, ?, #, =, -
* Your new password cannot have any spaces and will not be case sensitive.

Why on earth Amex would still insist that their customers cannot create CaSe SenSitiVe passwords is beyond me. It's a well-known good practice to mix upper- and lower-case letters in passwords. There is no way the security team at Amex does not know about this. So, why not allow it???
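To put a number on what case folding costs, here is an added example (my own code, not anything from Amex) that models the two quoted rule sets as validators and computes the best-case entropy each one permits; the policy names and the case-sensitive variant are hypothetical.

```python
import math
import string

# Constructed models of the two American Express rule sets quoted above
# (2 years ago and now) plus a hypothetical variant of the current rules
# that keeps case significant. Names are my own, not Amex's.
OLD_AMEX = {"min": 6, "max": 8, "case_sensitive": False,
            "alphabet": frozenset(string.ascii_lowercase + string.digits)}
NEW_AMEX = {"min": 8, "max": 20, "case_sensitive": False,
            "alphabet": frozenset(string.ascii_lowercase + string.digits + "%&_?#=-")}
NEW_AMEX_CASE_SENSITIVE = {"min": 8, "max": 20, "case_sensitive": True,
            "alphabet": NEW_AMEX["alphabet"] | frozenset(string.ascii_uppercase)}


def normalize(password, policy):
    """A case-insensitive policy folds the password to one case, so
    'PassWord1' and 'password1' are the same credential to the verifier."""
    return password if policy["case_sensitive"] else password.lower()


def is_allowed(password, user_id, policy):
    """Apply the quoted rules: length, allowed characters, at least one
    letter and one digit, no spaces, and not equal to the User ID."""
    pw = normalize(password, policy)
    if not policy["min"] <= len(pw) <= policy["max"]:
        return False
    if not set(pw) <= policy["alphabet"]:      # rejects spaces and other specials
        return False
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        return False
    return pw != normalize(user_id, policy)


def max_entropy_bits(policy):
    """Bits of entropy in a uniformly random password of the maximum length:
    the best a user can do under the policy."""
    return policy["max"] * math.log2(len(policy["alphabet"]))


def case_folding_cost_bits(policy):
    """How many bits the verifier throws away by ignoring case, compared to
    the same policy with upper-case letters distinguished."""
    sensitive = dict(policy, case_sensitive=True,
                     alphabet=policy["alphabet"] | frozenset(string.ascii_uppercase))
    return max_entropy_bits(sensitive) - max_entropy_bits(policy)


if __name__ == "__main__":
    for name, p in [("2 years ago", OLD_AMEX), ("now", NEW_AMEX)]:
        print(f"{name}: up to {max_entropy_bits(p):.1f} bits, "
              f"case folding costs {case_folding_cost_bits(p):.1f} bits")
```

For the current rules the case folding discards about 13.6 bits at the maximum length, i.e. the verifier's keyspace is roughly 12,000 times smaller than it could be for the same 20 characters.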

I asked them on Twitter to find out. Well, as you can see from the exchange below, they won't say why..

While on the subject, Steve Gibson has a fun page titled Password Haystack. Worth taking a look.
