I was reminded today of a problem I noticed long ago: American Express's password policy for customer logins requires weak passwords. I quote:

    Your Password should:
    • Contain 6 to 8 characters - at least one letter and one number (not case sensitive)
    • Contain no spaces or special characters (e.g., &, >, *, $, @)
    • Be different from your User ID and your last Password

Click the nearby image to see it also.

Then I saw on twice-refried news that the author there complained to Amex about this and got a response. It's a real side-splitter:

    Thank you for your email regarding your online password.

    I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking softwares can recognize them very easily.

    The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".

    Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

    Moreover, American Express is committed to protecting the privacy and security of all of our Cardmembers, both on-line and off-line. We believe that our current security measures, which include our sophisticated monitoring systems to detect unusual or fraudulent card activity, provide strong, ongoing protections for our Cardmembers.

    Rest assured, I have forwarded your comments to our webmaster for review. During this review, we may contact you if additional information is required.

    We value your membership and wish goodness and health to you and your family.
    Sincerely,
    Gaurav Sharma
    Email Servicing Team
    American Express Interactive Services

Where to begin...

This is extremely low password "entropy" (the term for the size of the range of possible values), especially since the passwords are user-selected and so cluster in a small part of that range. On the other hand, it's still enough that, if American Express locks users out after a few failed attempts, anyone trying to guess a password online will likely be caught.
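To put a number on "extremely low entropy", here is an added calculation (my own example, not from the original post or from American Express) that counts the passwords the quoted policy permits: 6 to 8 characters drawn from 26 case-insensitive letters plus 10 digits, with at least one of each. The "at least one letter and one digit" rule is handled by inclusion-exclusion. The same function is used to compare against a hypothetical policy that allows 12 printable ASCII characters; the 95-character alphabet and 12-character length are my assumptions for the comparison, as are the guess budgets in the online/offline contrast at the end.

```python
import math


def count_passwords(length, letters=26, digits=10, specials=0,
                    require_letter=True, require_digit=True):
    """Number of strings of exactly `length` characters drawn from the given
    character classes, optionally requiring at least one letter and at least
    one digit.  Inclusion-exclusion: start from all strings, subtract those
    with no letter and those with no digit, add back those with neither
    (they were subtracted twice)."""
    alphabet = letters + digits + specials
    count = alphabet ** length
    if require_letter:
        count -= (digits + specials) ** length      # strings containing no letter
    if require_digit:
        count -= (letters + specials) ** length     # strings containing no digit
    if require_letter and require_digit:
        count += specials ** length                 # strings with neither letter nor digit
    return count


def keyspace(min_len, max_len, **classes):
    """Total number of passwords a length-range policy permits."""
    return sum(count_passwords(n, **classes) for n in range(min_len, max_len + 1))


def entropy_bits(space):
    """Entropy of a uniformly chosen password from a space of `space` values.
    User-chosen passwords are far from uniform, so this is an upper bound."""
    return math.log2(space)


def online_success_probability(space, attempts):
    """Chance of guessing a uniformly random password in `attempts` tries,
    e.g. the tries allowed before an account lockout triggers."""
    return attempts / space


def offline_seconds(space, guesses_per_second):
    """Time to enumerate the whole space if the attacker holds the hash
    database and is not rate-limited (worst case for the defender)."""
    return space / guesses_per_second


# The policy quoted in the post: 6-8 chars, letters + digits, case-insensitive.
AMEX_POLICY = dict(letters=26, digits=10, specials=0,
                   require_letter=True, require_digit=True)

# Hypothetical comparison policy (my assumption): 12 chars, any of the
# 95 printable ASCII characters, no composition rule.
LONG_POLICY = dict(letters=52, digits=10, specials=33,
                   require_letter=False, require_digit=False)


if __name__ == "__main__":
    amex = keyspace(6, 8, **AMEX_POLICY)
    long12 = keyspace(12, 12, **LONG_POLICY)
    print(f"Amex policy:  {amex:,} passwords, {entropy_bits(amex):.1f} bits")
    print(f"12x95 policy: {long12:,} passwords, {entropy_bits(long12):.1f} bits")
    # Online guessing with a 5-attempt lockout (assumed budget) is hopeless...
    print("P(success in 5 online tries):", online_success_probability(amex, 5))
    # ...but offline, at an assumed 1e9 guesses/s, the whole space falls in under an hour.
    print("Offline exhaustive search (s):", offline_seconds(amex, 1e9))
```

The point the numbers make is the one the post makes: about 41 bits is adequate against online guessing only because the lockout, not the password, stops the attacker; against an offline attack on a leaked hash database the whole space can be enumerated in minutes, whereas allowing longer passwords and special characters pushes the space up by tens of bits.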

But the nonsense in the e-mail response above is too much to bear. The 128-bit encryption is beside the point. The idea that hackers can easily identify non-alphabetic characters is disturbingly wrong. Yes, it's true that some software can detect passwords based on the most common keys pressed, but the solution to that is to allow special characters and long passwords, the exact opposite of Amex's approach. These notions are so far from reality that you actually have to hope that they are condescending lies rather than misimpressions. If Amex really believes this then we cardholders are in deep trouble.

Originally posted to the PCMag.com security blog, Security Watch.