With that being said, here's a lovely screenshot, complete with auto-pop-up from AmericanExpress.com.
I would absolutely LOVE to hear the community's feedback on this. Am I nuts to think this is a little low on the security totem?
User ID Policy:
- 5-20 characters
- At least one letter (not case sensitive)
- No spaces or special characters (&, >, *, $, @)
Password Policy:
- 6 to 8 characters
- At least one letter and one number (not case sensitive)
- No spaces or special characters (&, >, *, $, @)
- Different than UserID
Hey, wait a minute, what about PCI compliance, you ask? Well, the PCI DSS says the following about passwords and password strength:
- 8.5.10 Require a minimum password length of at least seven characters
- 8.5.11 Use passwords containing both numeric and alphabetic characters
Proof positive, folks: compliance does not equal security. A password policy that allows six characters is not even compliant with 8.5.10, and being "PCI Compliant" doesn't mean you begin to comprehend security policy creation or security strategy in general. Obviously...
Yikes. Shame on AmEx.
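To put a number on "low on the security totem", here is an added example (not code from the original post or from AmEx) that encodes the password rules listed above as a validator, sets it beside the two PCI DSS requirements quoted, and counts the passwords the policy can possibly accept. Two assumptions that the post does not state: every non-alphanumeric character is treated as a "special character", not only the five examples in parentheses, and "different than UserID" is compared case-insensitively, since the user ID itself is declared not case sensitive. The sample credentials are constructed.

```python
import math

# Added example, not code from the original post. Assumptions (not stated in
# the post): every non-alphanumeric character counts as a "special character",
# and "different than UserID" is a case-insensitive comparison.

MIN_LEN, MAX_LEN = 6, 8          # AmEx: "6 to 8 characters"
PCI_MIN_LEN = 7                  # PCI DSS 8.5.10


def has_letter_and_digit(s: str) -> bool:
    """PCI DSS 8.5.11 and the AmEx rule: at least one letter and one number."""
    return any(c.isalpha() for c in s) and any(c.isdigit() for c in s)


def amex_password_ok(password: str, user_id: str) -> bool:
    """True if `password` satisfies the AmEx password policy listed in the post."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    # "No spaces or special characters": only ASCII letters and digits survive
    # (assumption: the five listed characters are examples, not the full set).
    if not (password.isascii() and password.isalnum()):
        return False
    if not has_letter_and_digit(password):
        return False
    # "Different than UserID", assumed case-insensitive.
    return password.lower() != user_id.lower()


def pci_password_ok(password: str) -> bool:
    """The two PCI DSS requirements quoted in the post (8.5.10 and 8.5.11)."""
    return len(password) >= PCI_MIN_LEN and has_letter_and_digit(password)


def mixed_keyspace(length: int, letters: int = 26, digits: int = 10) -> int:
    """Number of strings of `length` over letters+digits containing at least one
    letter and one digit (inclusion-exclusion: all - letters-only - digits-only).
    26 letters because the policy is case-insensitive."""
    return (letters + digits) ** length - letters ** length - digits ** length


def amex_keyspace() -> int:
    """Every password the AmEx rules accept (ignoring the 'different than UserID' rule)."""
    return sum(mixed_keyspace(n) for n in range(MIN_LEN, MAX_LEN + 1))


def printable_keyspace(length: int, symbols: int = 94) -> int:
    """For comparison: case-sensitive letters, digits and printable punctuation."""
    return symbols ** length


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy for a uniformly chosen password."""
    return math.log2(keyspace)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    for pw in ("abc123", "abcd123", "jdoe99", "abcdef", "p@ss1234"):
        print(f"{pw:>9}  amex={amex_password_ok(pw, 'jdoe99')!s:5}  pci={pci_password_ok(pw)}")
    print(f"AmEx keyspace: {amex_keyspace():,} (~{bits(amex_keyspace()):.1f} bits)")
    print(f"8 printable chars: {printable_keyspace(8):,} (~{bits(printable_keyspace(8)):.1f} bits)")
```

Running it shows the gap the post is about: "abc123" is accepted by the AmEx rules but fails PCI DSS 8.5.10, and the entire space of AmEx-acceptable passwords is about 2.7 trillion strings, roughly 41 bits, against about 52 bits for a single fixed length of 8 case-sensitive printable characters.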
6 comments:
Rafal,
That's just plain silly. Security measures meant to protect consumers are never going to get ahead of the curve if the biggest players don't lead the way. Step up, Amex.
Been bitching about that for the last couple of months.
Outrageous. Another thing that baffles me is why many systems running in a particularly high security context (such as banking websites) arbitrarily limit password string by requiring only alphanumeric characters. I have used symbols and non-alphanumerics in many passwords for years, and I couldn't believe my bank (which I won't name) won't allow them at all. I imagine they're trying to protect against command injection of all sorts - but this is not the place to do it. Ultimately, they are hashing the passwords before they are placed into SQL queries, and I can't imagine where they would be placed in command line arguments.
I am surprised a big player like Amex would not have a better password policy in place.
jeff: "Ultimately, they are hashing the passwords before they are placed into SQL queries"
Unless they're not, and they only used a 8 character field in the database. With alphanumeric character restrictions they don't even have to worry about injections!
It gets better:
Amex Password Policies Declared Brain-Dead