Down the Security Rabbithole Blog - Supplemental: AMEX password policy

Monday, May 19, 2008

AMEX password policy - "a daily WTF"

This, as my good buddy Russ points out - belongs on the daily WTF. I was registering my account on the AMEX (American Express) site and came across this mind-boggling "feature". Apparently, AMEX has a policy, as follows, for their login and password that I would whole-heartedly disagree with. To be fair, there are many schools of thought that would dictate that password policy is irrelevant on a website, and that security shouldn't be based on password strength alone - but I don't necessarily think that this means that you should forgo logic on password policy either.

With that being said - here's a lovely screen-shot, complete with auto-pop-up from AmericanExpress.com.

I would absolutely LOVE to hear the community's feedback to this. Am I nuts to think this is a little low on the security totem?

User ID Policy:

5-20 characters
At least one letter (not case sensitive)
No spaces or special characters (&, >, *, $, @)

Password Policy:

6 to 8 characters
At least one letter and one number (not case sensitive)
No spaces or special characters (&, >, *, $, @)
Different than UserID

Hey - wait a minute, what about PCI Compliance you ask? Well, the PCI DSS says the following about password(s) and password strength:

8.5.10 Require a minimum password length of at least seven characters

8.5.11 Use passwords containing both numeric and alphabetic characters

While technically, AmEx conforms to the PCI Standards I would argue their "compliance" is half-hearted (letter of the law, rather than the spirit). PCI DSS says your password has to be at least 7 characters long - but what if it's no more than 8 characters long? So... wow - way to go American Express. Leading the way in security and customer protection once again.

Proof positive folks, compliance does not equal security. Just because you're "PCI Compliant" doesn't mean you even begin to comprehend security policy creation and security strategy in general. Obviously...

Yikes. Shame on AmEx.

6 comments:

Russ McRee said...: Rafal,
That's just plain silly. Security measures meant to protect consumers are never going to get ahead of the curve if the biggest players don't lead the way. Step up, Amex.; May 19, 2008 at 3:42 PM
CG said...: been bitching about that for the last couple of months; May 19, 2008 at 7:31 PM
Anonymous said...: Outrageous. Another thing that baffles me is why many systems running in a particularly high security context (such as banking websites) arbitrarily limit password string by requiring only alphanumeric characters. I have used symbols and non-alphanumerics in many passwords for years, and I couldn't believe my bank (which I won't name) won't allow them at all. I imagine they're trying to protect against command injection of all sorts - but this is not the place to do it. Ultimately, they are hashing the passwords before they are placed into SQL queries, and I can't imagine where they would be placed in command line arguments.; May 19, 2008 at 11:00 PM
Anonymous said...: I am surprised a big player like Amex would not have a better password policy in place.; May 27, 2008 at 12:28 PM
Michael Speer said...: jeff:Ultimately, they are hashing the passwords before they are placed into SQL queries

Unless they're not, and they only used a 8 character field in the database. With alphanumeric character restrictions they don't even have to worry about injections!; June 30, 2008 at 10:00 AM
Keilaron said...: It gets better:

Amex Password Policies Declared Brain-Dead; February 8, 2010 at 7:14 PM