March 25, 2010

American Express and Security

This originally started as an email to some coworkers, but I think people here might find it more interesting.

If you have an Amex online account, they limit your password to 8 characters, and you can only use numbers and letters. That's not very secure: there are only 36^8, about 2.8 trillion, possible passwords under those constraints (assuming letter case is ignored), and I could write a program that tries every one of them in a matter of minutes given an offline copy of the password hashes. (Guessing through the login form would be far slower, but the space is still tiny.) So someone complained. (Note: I've complained by phone myself and got no response.)

I wish that I could use a stronger password for this site. 8 characters are NOT enough.

And the response.

Response (Gaurav Sharma) 02/06/2010 05:53 AM

Thank you for your email regarding your online password.

I would like to inform you that our website has 128-bit encryption. With this base, passwords that consist only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking software can recognize them very easily.

The length of the password is limited to 8 characters to reduce keyboard contact. Some software can decipher a password based on the information of "most common keys pressed".

Therefore, fewer keys punched in a given frame of time lessen the possibility of the password being cracked.

Moreover, American Express is committed to protecting the privacy and security of all of our Cardmembers, both on-line and off-line. We believe that our current security measures, which include our sophisticated monitoring systems to detect unusual or fraudulent card activity, provide strong, ongoing protections for our Cardmembers.

Rest assured, I have forwarded your comments to our webmaster for review. During this review, we may contact you if additional information is required.

We value your membership and wish goodness and health to you and your family.
Gaurav Sharma
Email Servicing Team
American Express Interactive Services

Eight characters makes a pretty weak password. The rationalization is twofold. First, when looking through a keylogger's output, a short password will be hard to identify, whereas a really long, random one would be easy to pick out. (Think of the output of a virus that is reporting back thousands of people's keystrokes.)

Second, when a password is stolen or guessed, they can detect the fraud with their "special sauce" monitoring and take care of things after the fact.

I'll assume that the credit card companies want to protect themselves from losses, of which fraudulent charges are a large part. I can attest to credit card companies alerting me that my number was stolen well before I noticed it. (It's happened a couple of times; I even had my card copied by a cashier once.) So I figure they must have run tests and figured out this was the best way to protect their money.

The problem is I think they're wrong, and the limitation is a holdover from old computer systems: an eight-character, letters-and-digits limit is exactly what legacy mainframe password fields (RACF, for example) imposed. A keylogger records the password whether it is 8 characters or 20, and a short alphanumeric one is easier, not harder, for an attacker to recover, because it can simply be brute-forced. They wouldn't lie, would they?
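To put numbers on the "every password in a matter of minutes" claim, here is an added example; it is not from the original post and is not anything American Express runs. It enumerates the policy's letters-and-digits alphabet against an unsalted SHA-1 digest of a constructed four-character password (short enough to exhaust in pure Python in well under a second; eight characters is the same loop with more candidates), then extrapolates to the full eight-character limit and, going a step beyond the post, to two stronger policies. The case-insensitive 36-symbol alphabet, the unsalted SHA-1 hash, the sample password, and the guess rate of 1e10 per second (roughly one GPU against a fast unsalted hash) are all assumptions for illustration.

```python
import hashlib
import itertools
import string
import time

# Alphabet allowed by the policy in the post: letters and digits only.
# Assumption: the site ignores letter case, so 26 + 10 = 36 symbols. If case
# counted it would be 62 symbols, which changes the numbers but not the point.
POLICY_ALPHABET = string.ascii_lowercase + string.digits
POLICY_MAX_LENGTH = 8


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, assumed here as the stored form (a worst case)."""
    return hashlib.sha1(password.encode()).hexdigest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this shape at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def fmt_duration(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def brute_force_sha1(target_hex: str, length: int, alphabet: str = POLICY_ALPHABET):
    """Try every `length`-symbol string over `alphabet` against an unsalted SHA-1 digest.

    Returns (password, attempts), or (None, attempts) if the space is exhausted.
    A slow, salted hash (bcrypt, scrypt, Argon2) would cut the guess rate by orders
    of magnitude, but it does nothing about how small the space itself is.
    """
    attempts = 0
    for symbols in itertools.product(alphabet, repeat=length):
        attempts += 1
        candidate = "".join(symbols)
        if sha1_hex(candidate) == target_hex:
            return candidate, attempts
    return None, attempts


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Worst-case exhaustion time in seconds for the Amex policy and two stronger ones."""
    policies = {
        "amex: 36 symbols, 8 chars": (36, POLICY_MAX_LENGTH),
        "case-sensitive alnum, 8 chars": (62, 8),
        "printable ASCII, 12 chars": (95, 12),
    }
    return {name: seconds_to_exhaust(n, k, guesses_per_second) for name, (n, k) in policies.items()}


if __name__ == "__main__":
    # Constructed sample: a 4-character password within the policy's alphabet.
    sample = "b4x9"
    digest = sha1_hex(sample)
    start = time.perf_counter()
    found, attempts = brute_force_sha1(digest, len(sample))
    elapsed = time.perf_counter() - start
    print(f"recovered {found!r} after {attempts:,} guesses in {elapsed:.2f}s "
          f"(~{attempts / elapsed:,.0f} guesses/s in pure Python)")
    print(f"full policy keyspace: {keyspace(36, POLICY_MAX_LENGTH):,} passwords")
    for name, secs in compare_policies().items():
        print(f"{name:32s} {fmt_duration(secs)}")
```

At the assumed rate the whole 36^8 space (2,821,109,907,456 passwords) is exhausted in under five minutes; the same eight characters with case-sensitive letters take a few hours, and twelve printable-ASCII characters take far longer than any attacker will wait. The point of the loop is that nothing about it depends on "special characters being easy to recognize": the cracker never looks at the password, only at how many candidates there are.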