American Express password policy takes the cake

Bad password policy is one thing. Comically bad explanations of it are another thing entirely. It doesn't inspire confidence in the security organization.

In How does bad password policy like this even happen? we addressed the deep question of what goes through someone's head when he or she creates password policy that makes little or no sense and substantially damages security. The case in point was that of Nelnet, which had a comically bad password policy with restrictions that make no reasonable sense at all. For instance:

It can't contain two separated numbers (i.e., Abc12ef34 would be invalid)

Perhaps the developers are deathly afraid that someone will have 4+7 in a password and somehow cause SQL to do something dangerous with it. If the database is so brittle as to be incapable of handling something like that, even when special characters such as plus signs are disallowed anyway (another golden example of bad policy at the same site), we can be reasonably certain that the offending organization should not be trusted with any private data anyway.

What can be worse than such ludicrous password policy?

How about a slightly less ludicrous policy that is almost as bad for security and comes with a completely absurd, even insane, explanation for why the password policy is so bad?

This is the case of American Express, evidently. A customer received a thoroughly crazy customer service email explaining the reasoning behind a password policy limited to eight characters, with special characters prohibited. The most unbelievable thing about this entire situation is that the email reads like it was written by a Nigerian scammer, but it came from the American Express "Email Servicing Team."

Key phrases illustrating the lunacy of the explanation include:

  • "We discourage the use of special characters because hacking softwares can recognize them very easily." Presumably, this is meant to refer to keyloggers that might harvest passwords, but the fact of the matter is that detecting passwords is not dependent on the characters used. Key factors such as words (or non-word strings of characters) appearing out of context in the middle of other logged keypresses, and time delays at either end of a single, relatively short string of characters, are much more important for identifying passwords than whether an asterisk is typed.
  • "The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of 'most common keys pressed.'" For commonality of keypresses to be used to statistically identify passwords, your passwords would have to be incredibly long. Otherwise, every time you type Xerox, the date or time, or an emoticon, someone trying to parse a keypress log is going to have to check to see if it is a password. Sorry -- this part of the explanation is even less reasonable than the first quote.
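As an added illustration (not part of the original article), the following Python models what the eight-character, no-special-characters, case-insensitive limit described above costs in raw keyspace, alongside the other limits readers report further down (a six-character alphanumeric bank login, the later 8-to-20 character AmEx rule with seven permitted symbols), and turns each into a worst-case exhaustive-guess time; it also produces the kind of 4-to-10 character length table one commenter describes. The guess rates, the 95-symbol printable alphabet and the policy names are assumptions for illustration, not figures from the article.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Alphabet sizes used to model the policies discussed on the page.
DIGITS = 10
LETTERS_ONE_CASE = 26          # case folded: 'a' and 'A' are the same guess
AMEX_LATER_SPECIALS = 7        # % & _ ? # = -  (the set a commenter quotes)
PRINTABLE_ASCII = 95           # assumption: everything a user can normally type


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    max_len: int
    alphabet: int  # number of distinct symbols a single position can take

    def keyspace(self, length: Optional[int] = None) -> int:
        """Distinct passwords of `length` (default: the policy maximum).
        Using the maximum is the most favourable case for the policy; real users
        pick shorter strings, so this is an upper bound on the defender's side."""
        n = self.max_len if length is None else min(length, self.max_len)
        return self.alphabet ** n

    def entropy_bits(self, length: Optional[int] = None) -> float:
        return math.log2(self.keyspace(length))


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate tried. Expected time is half."""
    return keyspace / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years down to seconds)."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


# Policies as described in the article and the comments. The first is the one
# the article (and apotheon's comment) describes: 8 chars, letters and digits,
# not case sensitive.
POLICIES = [
    PasswordPolicy("AmEx as described (8, letters+digits, case folded)",
                   8, LETTERS_ONE_CASE + DIGITS),
    PasswordPolicy("Six-char bank (6, letters+digits, case folded)",
                   6, LETTERS_ONE_CASE + DIGITS),
    PasswordPolicy("AmEx later policy (20, +7 specials, case folded)",
                   20, LETTERS_ONE_CASE + DIGITS + AMEX_LATER_SPECIALS),
    PasswordPolicy("16 printable ASCII, case sensitive",
                   16, PRINTABLE_ASCII),
]

# Guess rates are assumptions for illustration, not figures from the page.
ONLINE_RATE = 10.0      # throttled guesses/s against a live login form
OFFLINE_RATE = 1e10     # guesses/s against a leaked, unsalted fast hash


def crack_table(policies=POLICIES, rate: float = OFFLINE_RATE):
    """(policy name, entropy bits, worst-case exhaustive time) for each policy."""
    return [(p.name, round(p.entropy_bits(), 1),
             human(seconds_to_exhaust(p.keyspace(), rate)))
            for p in policies]


def length_sweep(alphabet: int, lengths=range(4, 11), rate: float = OFFLINE_RATE):
    """The 4-to-10 character table a commenter describes: crack time vs length."""
    return {n: human(seconds_to_exhaust(alphabet ** n, rate)) for n in lengths}


if __name__ == "__main__":
    for name, bits, worst in crack_table():
        print(f"{name:52s} {bits:6.1f} bits  offline worst case: {worst}")
    for n, worst in length_sweep(PRINTABLE_ASCII).items():
        print(f"{n:2d} printable chars: {worst}")
```

A slow, salted password hash lowers the offline rate by orders of magnitude, which is the mitigation a length cap can never provide; the online rate only matters while the attacker lacks the hashes.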

This little gem of an email from Saturday has already spread like wildfire amongst online communities populated by people with an inkling of what "security" means, and the consensus is that whoever this person is, he or she does not know what "security" is. One can only hope that this person is making things up to BS a customer, rather than actually expressing official American Express "security" policy.

The alternative is too horrible to imagine.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

72 comments
Deadly Ernest

password policy is, and how it makes it easier for people to steal money from their Amex accounts, some people will start closing their Amex accounts, and when enough have left Amex management may start to get worried about losing salary and bonuses due to poor performance due to lowered customer rates and usage. THEN they may start acting intelligently - yeah, I know, unlikely; but one MUST be optimistic to some level.

dkoch

I was an AMEX customer for nearly 20 years and I canceled my account in the late 90's because their customer service and security policies got so inane. The company has been going to hell in a hand cart for at least 15 years and I am amazed that people still use it.

.Martin.

your password must consist of: number number letter symbol number letter number letter letter

NickNielsen

We used to use their Expense Reporting System for work. I was allowed to use a 15-character password with upper and lower case, numbers, and characters. Must be different programmers...or knowledgeable administrators.

david

As a part of my job I have to routinely use a variety of sites created by American Express. As a whole they are easily the most stupid, badly designed, non-functional collection of bulls--t I've ever seen. I can't tell you the number of server side errors I get. The number of times an incorrect click has actually crashed one of their servers or how many broken links I've had to endure. In the end it looks like American Express went out and hired a bunch of guys standing outside of the Home Depot, put them in the back of a truck and had them build a web site.

TobiF

I know of an internet bank where the password could ONLY consist of 6 letters and digits. No special characters, and no difference between uppercase and lowercase. I recommended that they at least allow longer passwords. The answer was that within one year, they expected to replace the whole system with a new one... In fact, the user-id was more secure than the password...

kburkenheim

Yes I also log into amx and got the same explanation. I added a number and deleted a letter to make it work, but it is a pain. I like using special characters, even though the only time I had to switch was with a game, because there are some bright kids hacking games. My game password uses over 10 characters, letters, numbers and others.

kurekd

After reading the "thoroughly crazy customer service email," so much of it seems like something out the 1990s. In addition to the nonsense you address above, are they really using 128-bit encryption? And a "webmaster"? Did you verify that this is indeed AmEx policy?

chris

I just contacted LinkedIn. The site allowed me to join, but when I tried to login, my password was invalid. I knew I typed exactly what I had used when I joined; nevertheless, I did a password reset - still invalid. After a second unsuccessful password reset, I went to LinkedIn's Customer Service page and found after searching for several minutes that "Password are limited to 16 characters". Of course, my password length was 17. I don't have as much of a problem with a limit of 16 as I do with no validation code or user alert on the site to let you know. I shouldn't have been allowed the account in the first place until my password met the LinkedIn requirement.

Deadly Ernest

Australia a few years back. The financial institute concerned had just bought some brand new software for their on-line transactions, and it couldn't handle a password unless it had a minimum of four characters and a maximum of eight characters and no special characters at all. At the time my password, that worked with the old software, had the basic alphanumeric mix with one or more capitals, and ran to ten characters. My account locked up because the new software trashed the password as it was too long and no one knew how it cut it back. I had some issues with funds transfers and they hit me with fees. The management weren't impressed when they had to re-credit a couple of hundred dollars worth of fees to my account and pay another hundred to other organisations due to their stuff up that closed out my access to my account. I spoke with many of their senior people about passwords and what constitutes a good password. They had some very long talks with the software company (a USA one). A locally made patch was put in place and it allowed up to sixteen characters, local problem solved. I later got told the issue was the base software of the program had limited data fields for the passwords and eight characters was all it allowed for. It seems the company programmers weren't able to make the code changes to expand it. Later information came forward that the base software had been bought cheap when the original programmer died in a car accident; the family sold the almost finished program that he'd been doing at home. The company finished making the GUI and started marketing the software. I wonder if Amex have now bought this program and it's still unchanged.

Kellerfarm

AmEx's policy on passwords is SO out-of-line with policies at virtually every other banking institution that using the same password as at another bank is often not possible. A "legal" pw on Amex's site is very likely rejected on another bank's site, and vice versa. So in a perverted sort of way, they are assuring that their users' passwords are uniquely bad.

CharlieSpencer

Now I know a keylog hacker will look at the end of every sentence, since the last word will have an adjoining '.' special character. They'll also waste time checking every word with 'E', 'S', 'R', and 'T', the most commonly used letters in the English alphabet. I'll be sure to use those letters and a trailing period in every password so the keystrokes will get lost among the false leads! Clearly, the most secure password in the world is 'tresses.' Yeah, right. Insert Sarcmark here.

portfola

I recently changed my bank password (used everywhere; I know, bad policy) and it is 10 characters with numbers, letters, and characters - very strong. But I had to come up with a new one at Amex because, apparently, they discourage strong passwords.

AzWiz

I was an AMEX employee for almost 25yrs (left in 2001) and in the early 70's the company was a joy to work for. We were at this cusp of the new technology (max backbone link speed was 9600baud). People were innovative, there was nothing we couldn't do or overcome. Then in came the bean counters and the greed of the 90's. Job cuts, outsourcing, and selling off business units (the entire DataCenter and staff are NOT employees of AMEX these days). The email that was sent sounds suspiciously East Indian, as TaTa does most of their customer service work as well as most of the back-end IT positions. At least their executives are well paid. Just wish the Stockholders could outsource them!

Deadly Ernest

that work as those Home Depot DIY guys end up with odd things that do actually work, what you describe doesn't work well enough to be Home Depot DIY types.

CharlieSpencer

Before 'within one year' was up, they were gone, right?

Terry Hebert

Here is the real password policy from American Express.... Your Password: Must be different from your User ID Must contain 8 to 20 characters, including one letter and number May include the following characters: %,&, _, ?, #, =, - Your new password cannot have any spaces and will not be case sensitive.

Luke G.

I changed my AMEX password this morning, prior to reading this thread. They demanded that I remove my special characters from the password. I was rather surprised that a company I would normally consider ahead of the curve as regards security would require something so (IMHO) bone-headed.

apotheon

I do not have an account with American Express, so I don't know from personal experience -- but I did check a couple of other sources, and the restrictions on password length and contents match up: nothing longer than eight characters, no special characters, no spaces. It isn't even case sensitive. I cannot verify the encryption method at this time, nor even that the customer service representative in question isn't full of it.

none_shall_pass

AmEx uses the Archer Technologies Framework for Policy Management.

JCitizen

it seems that site really didn't advocate getting rid of passwords, just automating the process. Keepass or LastPass can do the same thing for free. Both very good [b]free[/b] solutions. I use LastPass because I don't even want my encrypted password stored on my machine; also they randomly generate very strong passwords for you, so you don't have to do it yourself.

LedLincoln

In a less crucial but annoying setting, we had some Dell printers that would truncate their admin passwords without telling you. They caused us a lot of grief until we figured out what they were doing.

LedLincoln

I wonder if the patch they applied simply changed the procedure from recognizing your long password didn't match their truncated version, to ignoring all characters beyond number eight and allowing the match. That'd make you feel good about "security" that was not really there.
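An added example, not code from the thread or from any bank, showing the three behaviours discussed in this sub-thread: storage that silently truncates while login compares the full input (the lockout described above), a patch that truncates both sides so the long password "works" but only eight characters are ever checked, and a strict enrolment that rejects over-length input instead of dropping it. `silently_truncates` is a black-box check to run against one's own login system; the field width, the salted PBKDF2 storage and the test password are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Field width from the bank story in the thread; the same shape applies to the
# 16-character LinkedIn limit and the Dell printers mentioned above.
FIELD_LIMIT = 8

# Constructed test value, deliberately longer than FIELD_LIMIT.
TEST_PASSWORD = "correct-horse-battery"


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme: salted PBKDF2-HMAC-SHA256 (not what the bank used).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def _matches(cred: StoredCredential, candidate: str) -> bool:
    return hmac.compare_digest(cred.digest, _derive(candidate, cred.salt))


# 1. The migration bug in the story: the store truncates, the login path does not,
#    so a password longer than the field never matches again.
def enroll_truncating(password: str) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential(salt, _derive(password[:FIELD_LIMIT], salt))


def verify_full_input(cred: StoredCredential, candidate: str) -> bool:
    return _matches(cred, candidate)


# 2. The "patch" LedLincoln suspects: truncate the candidate too. The long password
#    logs in again, but anything sharing its first FIELD_LIMIT characters does as well.
def verify_truncating(cred: StoredCredential, candidate: str) -> bool:
    return _matches(cred, candidate[:FIELD_LIMIT])


# 3. What the system should do: enforce a documented maximum loudly, never silently,
#    and hash the whole string it accepted.
class PasswordTooLong(ValueError):
    pass


def enroll_strict(password: str, max_len: int = 64) -> StoredCredential:
    if len(password) > max_len:
        raise PasswordTooLong(f"password exceeds {max_len} characters")
    salt = os.urandom(16)
    return StoredCredential(salt, _derive(password, salt))


def silently_truncates(enroll, verify, limit: int = FIELD_LIMIT) -> bool:
    """Black-box check: enrol a password longer than `limit`, then log in with only
    its first `limit` characters. Success means the rest is being dropped somewhere."""
    cred = enroll(TEST_PASSWORD)
    return verify(cred, TEST_PASSWORD[:limit])


def locks_out_long_passwords(enroll, verify) -> bool:
    """True when the full, correct password no longer authenticates (the story above)."""
    cred = enroll(TEST_PASSWORD)
    return not verify(cred, TEST_PASSWORD)


if __name__ == "__main__":
    print("migration bug locks out:", locks_out_long_passwords(enroll_truncating, verify_full_input))
    print("suspected patch truncates:", silently_truncates(enroll_truncating, verify_truncating))
    print("strict enrolment truncates:", silently_truncates(enroll_strict, verify_full_input))
```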

Ocie3

eatonrish or etaonirsh. Hmmm ... apparently I've forgotten a letter.

1DaveN

Discover Card and American Century Investments limit passwords to 10 characters. Hard to believe in 2010, when we probably should be using pass phrases and 2-factor authentication for anything as potentially sensitive as a retirement portfolio.

mfa

You're going to love this. I just received a solicitation from Amex offering to wrap all of my financial accounts in their "Money Manager", presumably using the existing Amex account and password. It actually looks like a good idea, but for the weak security. It's 100% passive (i.e., it's a reporting service only, no transactions are executed), but there's still a huge risk of disclosure.

mlaw66202

I could not be more in agreement, there is no excuse for such a miserable password such as AMEX limits you to; and, the explanation from AMEX takes the meaning of absurd to new heights.

stuartc

About 15 years ago I was working for a huge government department and I sometimes needed access to the server where our data was stored. The password on this server was "unique". I didn't think about it until I needed to access another server and was told the password was exactly the same. Then it struck me; someone must have sent out a memo (before emails) and specified that each server's password must be unique, which the person looking after the server promptly did; he changed all the passwords to "unique". Totally true story!

Ryk

I work for a bank and our main system that processes wires literally has a limitation and corresponding error message that says "Passwords with the letter 'I' in the 3rd position are not supported. Please choose a different password." Say what?????

mfa

  • No personally identifiable information, such as your Social Security number, birthdate, or telephone number
  • 6-12 numbers and/or letters
  • No sequential or single repeating characters (e.g. 12345, 11111)
  • No symbols, punctuation marks, or spaces

Better than Amex, but still not as strong as I'd like.

NJnewsource.com

Why when I try to log in to this website is the check box next to "Remember my e-mail and password for automatic log in" always already checked? I have to remember EACH AND EVERY SINGLE TIME to uncheck it. One day I might forget and then what will be involved with resetting it. Makes me wonder how this site is handling my data.

ic1nyc

This must be something new on AMEX's part. My pw for them exceeds 8 characters and, for all intents and purposes, is alphanumeric gobbledygook.

PoconoChuck

"Please call our office and tell us your password. That way, in the event you forget your password, we can tell you what it is." While that's a fantasy I just made up, it isn't that far removed from their foolish policy.

myron.brubaker

Here's a really absurd idea. What if this email isn't really from Am Ex but someone who is trying to get you to set an easily hacked password so they can get access to your, and other, Amex accounts. Just an absurd idea. Sort of a variation on phishing.

JCitizen

Wouldn't put it past some boards to come up with that idea next! HA! Sweeet revenge!

JCitizen

I think he's talking about the [u]illegal[/u] immigrants standing around looking for jobs. You're right about the do-it-yourselfers though! :)

TobiF

It's a big bank. Their brand is present around the world.

apotheon

I think it's more likely that the organization just never updated its password policy. I think ING Direct allows nothing but numbers in its "passwords". After that, pretty much anything is believable.

sstrnod

Terry -- it's always helpful to consider context, especially time -- is correct that NOW (at the time of his post and since), the American Express password policy has indeed changed; however, Chad was correct at the TIME of his post that American Express passwords were limited to 8 characters. Thanks to Chad's article, I was able to recall my old AmEx password since it's my normal password truncated to the first 8 characters. So thanks to both Chad for the original info and to Terry for the update (with a scolding for having criticized Chad in the Subject of his post).

bblackmoor

What I actually advocate is widespread adoption of OpenID. However, I had not heard of LastPass. I will check into that.

Deadly Ernest

truncation as I tested for that and it failed, I needed the whole new password to get in.

Deadly Ernest

after getting permission to do so. I did suspect a simple truncation routine and tested for that, and it didn't work. What I suspect they did do was to maned their old password access routine and use it to replace the one in the new on-line banking software.

Neon Samurai

There's a bank this side of the border limiting passwords to 8 characters. Sure, its login try limit will lock out the account but such a short password will fall over quick if anyone gets the password hash and takes it home or sends it up to a cloud cracking project.

TobiF

I'm hesitant even to reveal my gmail login to facebook or linkedin. I definitely don't like the idea of any one bank having the full track of my financial life...

CharlieSpencer

TR isn't dealing with any financial data. A login here is necessary only to actively participate; passive reading requires no membership. The information you disclose to get an account here is minimal. Other than your e-mail address, none of it is checked for accuracy, and you can change that in your account to something false once it's been established.

majikthorne

Sorry Dude, just kinda sounds like Paxatawny Phil!! LOL but seriously, if people would just stop being bunnies and start acting like wolves instead, the "bad men" would stop their foolish little games they try everyday. Every wolf has its fleas; 'tis easy enough to scratch. Bad policy or not we are responsible for our own safety. There, Nuff Said!!

dougogd

you need to enter a credit card to verify your account to make a withdrawal from your account and you have to empty your account before you close it or you lose the balance that is in it. But if you add a credit card every purchase is deducted directly off of the card??? How are you supposed to use the money in the account or for that matter make a withdrawal?

TonytheTiger

"Your card is not signed. Please sign it, so I can compare it to the signature on the receipt." :)

Murfski-19971052791951115876031193613182

I've disliked AmEx for about forty years for several reasons, but when I followed the link to the alleged email my first thought was, "Come on, even American Express is not dumb enough to initiate a policy like that, or to send out an email with so many grammatical errors." I figured it was either a joke or a Phishing attempt.

JCitizen

according to one of my British friends who moved here from England. Of course, I don't know who has hardware stores over there! ;)

Deadly Ernest

that goes on down your neck of the woods, we only have the DIYs hanging around talking about their latest project or how one of the others can improve their latest project.

JCitizen

Very interesting! If enough of us pound on the doors of webmasters and bank systems, maybe the industry will finally wake up!

TobiF

When I left the country, there was just a couple of dollars on the account. So I haven't bothered to check. My guess would, of course, be that eventually, they'll do the upgrade. But typically such projects have a tendency for delay (sometimes substantial or eternal delay...)

Oh, their system had some more features:
- Would only work with IE.
- When you want to log in, the system opens a 2nd window, which launches a 3rd window where your login and banking session then happens. The third window IS delivered over https, but that's a bit hard to spot, since they strip this window from menu, status bar, address bar etc. (And the code also checks that the third window was launched from within the site, so you can't go direct to that address.)
- No client certificate. Why make things complicated for the user. Better to give your friends in Nigeria a couple of shots at your password, should they get hold of your uid...

++++++++ UPDATE! Just went back to http://www.oman.hsbc.com/ They have some links to information about the new logon procedure. So, I guess they did move to the new system, after all. I still didn't bother to check the boundaries of the new system and policies, but at least they now have migrated.

CharlieSpencer

to me implied there were more problems than just an inadequate password policy. I coupled that with his omission of whether the updated system was ever implemented as scheduled / promised. Strictly a guess in search of confirmation.

Neon Samurai

"a precalculated lookup table of all possible passwords and password hashes"

This assumes they know what a password hash is and it really doesn't explain why it's any faster than a basic dictionary.

"a precalculated database of passwords"

The only time it's come up at work we only discussed the details within the IT department. I did a table of simple to complex passwords from 4 char to 10 char. I then provided bruteforce and rainbow crack time result columns or estimates where times were too long to run. The cracking times for rainbows remaining short after bruteforce times become ineffectively long explained itself. I think the example given from testing results was far more effective than trying to explain the details of dictionary, brute and rainbow methods. It also gave me a solid basis to estimate cracking times when looking at user passwords before the new policy went into effect.

"hm.. four characters. That'll break in about ten seconds." - 'Even with the shift characters?' - "Yes. Capitals, letters, numbers and symbols can't be made complicated enough in four characters to last longer than ten seconds."

It's the same with overall system security though too. You can talk until you're blue in the face about ways to get into or protect your network but no one cares. Have a third party pentest done and the results will make the point for you very clearly.

bboyd

in clear layman's terms? It's hard to describe to people how even if you have 3 and out password systems you're not safe. And the wiki is descriptive but not clear.

Neon Samurai

There are even a few places you can simply upload the password hash to then check back in a day to see if the cluster's popped it yet. (which reminds me, need to check and see if a new rainbow table set is out yet)

bboyd

gimme three tries * botnetSize * timeOut/responseTime >charLimit^8 Prime it with a dictionary attack tailored to the password constraints, fun in the Bahamas? All of that would be stymied with one extra authentication factor.

Neon Samurai

Even with the limited information required by TR and lack of financial data being managed, any request for username and password should have the minimum protection of an https connection. I can't imagine an SSL cert breaking the budgets. Mind you, the majority seem to leave login forms completely unprotected so it's not like TR is in limited company.

Deadly Ernest

a few cards like that where the person also signed beside the notation about the ID.

wwgorman

Government agencies will not accept credit cards like mine that have in lieu of signature "Photo ID Required." They claim that you have not agreed to the terms of the credit card company.

LedLincoln

I attended a presentation by an IT provider to the financial services industry, who was bragging on the number of transactions they process. In the QA session after his talk, I asked him whether signatures on checks and credit card slips are actually verified. He said (as I suspected) they are practically never looked at. Go ahead and sign "Mickey Mouse" if you want. Point of sale is the only place that might be caught.

martian

Here in Canada, (with Royal Bank), I can use from 4 to 12 characters for my PIN. Same for my "chipped" Visa. You may want to check with your bank, because I actually had to ask to find out, and actually had to talk to 4 reps to be able to get an answer to it! I am currently using 9, but I do rotate it and try to not duplicate it for anything else. It is, after all, my money it is protecting. Personally, I feel even that is too little in ways of protection measures for my cards, but they have yet to implement anything better. I keep emailing tips to my bank rep, for them to adopt to improve things and even told him he can take the credit for "finding the idea". Nothing yet.

Deadly Ernest

I always sign, saves me fees as the pin gets processed as an EFT at $0.50 per go, a signature has no fee.

Deadly Ernest

not an exact match - an exact match is usually a forgery, anyway.

Deadly Ernest

match, nothing about if they watch you sign the card.

Neon Samurai

I tend to stick with trusted bank machines like physically at my local bank branches. Interac payments are the exception as one is relying on the store's hardware and staff's ethics. Given the choice between going after a password hash from a web banking session and sniffing the key code from the banking machine, I'd put my time into hitting the first before the second. The bank can put security in place to watch for someone slipping in double-scan hardware to sniff your card but who knows how lax the security around someone's home machine is. I'd like to see longer pin numbers allowed but I don't think the increase in security would be the same as user passwords used outside the bank perimeter.

NZJester

When I had a new direct debit bank card issued to me when my old one expired they made me sign it before they would put it in the machine to add the pin number to it and register it to my account. The stupid thing is the cards can only have a 4 number pin.

Neon Samurai

I tend to forget to sign the card for a while after each new one is issued. Eventually, I'll use it at a cashier that cares. So far, they've simply handed me a pen to sign it then carry on with the transaction. No muss, no hoops.

archief

... what's the alternative in that situation? "Sorry, your card is not signed so we can't accept it. But if you step outside, sign the card where we can't see you, and come back in 5 minutes and repeat the transaction, that will be fine"? Do people really check signatures anyway? My signature on a plastic card always looks different to my signature on a piece of paper, but nobody ever questions this.