(via iamdanw)
The reasons given don’t sound quite right. If there’s really anything to this, I’d love if an expert in the matter could enlighten me with the details.
Translation: This sounds like bullshit, but if I’m wrong, I don’t want to appear too ignorant.
I’ll skip out on commenting on the American Express response, but the idea that you can’t have an 8 character alphanumeric password that is secure is just as much bullshit. Especially on a financial site where they’ll typically shut you down after a few consecutive failed login attempts. There are other responses online from American Express that indicate they believe more in their ability to detect failed log in attempts than in “excessively strong” passwords.
I read a couple pieces by people online complaining about this. Some things to note:
- If someone doesn’t care what account they break into, what they’re really guessing is a combination of your username and password. I don’t know what American Express’s restrictions on usernames are, but I do know someone said their username is longer than their password on the site. These random attacks don’t care that your username is displayed in the clear when you type it on your screen logging in; they still have to guess it. This means the “entropy” that many people have been calculating using just the password is actually much larger for a random attack.
- The corollary to this is that a nonrandom attack, where they already know your username, is protected against by the failed login attempts policy.
- Many of the people complaining seem to be upset that they can’t use their “normal” passwords. Using the same password on every site is essentially giving certain sites a table of usernames with passwords to try on other sites. Not many people seem to talk about this, but I think it’s actually a huge industry in the background. Maybe I care because I believe at an early age my hotmail account password got stolen this way. (The site has your email address; if you give it the same password you use to log in to your email, why can’t it get into your account?)
- I know of some sites that have strange requirements just to force users to change their password from what they use on other sites. I very much dislike this policy, but I can’t argue that it isn’t effective.
- It’s surprising how many people online think a longer password will protect them from phishing. This is just illogical. Someone creates a phishing site and users input their real username and password, then the phishing site has it. It doesn’t matter how long your username and password were.
- I’m not aware of any financial rewards someone gets from breaking into your American Express account. They can’t see your full card number and they can’t charge anything to your card from what I can tell. People can tell me if I’m wrong, but all they can see is where you’ve spent money. Sure, your privacy is at risk and you could be blackmailed or something for spending money in some sketchy way, but it’s not like a banking site where someone can transfer your whole account to another institution if they break into your account (but that too isn’t actually that easy; usually you receive a confirmation email from your bank and the transfer takes two days between institutions by law, so you can stop that shit as long as you have access to your email).
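The guess-space and lockout reasoning in the bullets above, worked through as an added example in Python (this is not code from the original post, and nothing in it describes American Express’s real systems). The 62-symbol alphabet, the 8-character lowercase username, and the lockout after 5 consecutive failures are all assumptions, since the page does not state the actual rules. The first two functions show why a random attacker who must also guess the username faces a much larger search space than password-only entropy suggests; the `Account` class and `online_guess_attack` show why a targeted attacker who already knows the username gets only a handful of guesses once a consecutive-failure lockout is in place.

```python
import math
import secrets
import string

# Assumed parameters (not from the post): alphabet, username rules and the
# lockout threshold are placeholders chosen for illustration only.
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
LOWERCASE = string.ascii_lowercase                    # 26 symbols
LOCKOUT_THRESHOLD = 5   # assumed consecutive failures before the account locks


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def combined_guess_bits(username_bits: float, password_bits: float) -> float:
    """A random attacker who does not know the username must guess both.
    The search spaces multiply, so the bit counts add."""
    return username_bits + password_bits


class Account:
    """Minimal model of a login endpoint with a consecutive-failure lockout."""

    def __init__(self, username: str, password: str,
                 lockout_threshold: int = LOCKOUT_THRESHOLD):
        self.username = username
        self._password = password
        self.threshold = lockout_threshold
        self.failures = 0
        self.locked = False

    def login(self, username: str, password: str) -> bool:
        # A locked account rejects every attempt, even the correct password,
        # until it is unlocked out of band (not modelled here).
        if self.locked:
            return False
        if username == self.username and secrets.compare_digest(password, self._password):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.threshold:
            self.locked = True
        return False


def online_guess_attack(account: Account, username: str, candidates, budget: int):
    """Targeted online attack: the username is known, so only the password is
    guessed from `candidates`. Returns (success, attempts_made, locked_out)."""
    attempts = 0
    for pw in candidates:
        if attempts >= budget or account.locked:
            break
        attempts += 1
        if account.login(username, pw):
            return True, attempts, account.locked
    return False, attempts, account.locked


if __name__ == "__main__":
    pw_bits = search_space_bits(len(ALPHANUMERIC), 8)
    user_bits = search_space_bits(len(LOWERCASE), 8)
    print(f"8-char alphanumeric password alone: {pw_bits:.1f} bits")
    print(f"plus an 8-char lowercase username:  {combined_guess_bits(user_bits, pw_bits):.1f} bits")

    # Constructed victim account and a constructed guess list (wrong guesses first).
    victim = Account("alice", "Zq8kP2mN")
    guesses = [f"guess{i:03d}" for i in range(100)] + ["Zq8kP2mN"]
    print("targeted attack under lockout:",
          online_guess_attack(victim, "alice", guesses, budget=10_000))
```

Running the block shows the two points side by side: password-only entropy for 8 alphanumeric characters is about 47.6 bits, but a random attacker who must also hit an unknown 8-character username is working in roughly 85 bits, and a targeted attacker who knows the username is stopped after 5 wrong guesses because the account locks before the list reaches the real password.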
So, American Express might have a nonsensical response, but I think many of the complaints are for extremely invalid reasons. The only valid complaint is that there’s no reason for American Express to have this restriction. They would have more satisfied customers if they just removed this restriction. Claiming that it is negatively impacting their security though is just not true.
