American Express doesn't take security seriously

We've already established that when it comes to security, passwords alone are not a very good choice. Sure, they're better than nothing, but with most people picking insecure passwords and companies saving them in unencrypted formats, there are better solutions out there.

American Express takes insecure passwords and makes them even more insecure. When registering your credit card, the site asks a series of questions including username, password, and "special question," but the restrictions they put on the answers are downright baffling.


First, when creating your account, they require the username to have both letters and numbers. Why this is in place isn't especially clear and while it doesn't hurt security, it really doesn't improve it either since usernames are generally fairly public.

Another piece of information that must be provided is a "personal security key." This is a backdoor that can be used in cases when customers forget a password. It's also used as a challenge phrase when you call into customer service. There are only three questions that a user is allowed to select: a purely numeric PIN, the name of the city you were born in, or the name of the first school you attended. While the questions may be relatively normal, the restrictions placed on the answers are puzzling: they do not allow special characters, nor do they allow spaces. So if you were born in Los Angeles or went to 50th Street School, you either need to concatenate your answer or come up with an incorrect answer. (We actually recommend NOT answering these questions honestly, as honest answers make it much easier to steal your personal information.)

Even stranger is the confirmation email you receive from American Express after signing up. Though "Place of Birth" is public record, the company tells you to keep the answer confidential and to not share it with anyone. Does everyone with an AmEx card have to murder their parents to protect their security?

As if all of these silly requirements were not enough, American Express outdid itself with its password policy. First, the company limits the use of special characters to one of only seven selections. The icing on the cake is the fact that all passwords "will not be case sensitive." This reduces the number of available letters from 52 down to only 26. Once you add in numbers and the limited special characters, customers only have 43 characters to choose from. While a secure password can still be created under these rules, American Express is making it more difficult for users who care about security.
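To put the 43-character alphabet in perspective, here is an added example (not from the article) that models the policy above, a full printable-ASCII baseline, and the capped 5-to-8 character alphanumeric policy a commenter describes below, and works out how much longer a password must be to recover the lost entropy; the policy names, the 95-character baseline and the comparison helper are my own assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Counts of permitted characters per class; the AmEx figures come from the article."""
    name: str
    letters: int              # 26 when case-insensitive, 52 when case-sensitive
    digits: int
    specials: int
    max_length: Optional[int] = None

    @property
    def alphabet(self) -> int:
        return self.letters + self.digits + self.specials

    def bits(self, length: int) -> float:
        """Entropy, in bits, of a uniformly random password of this length under the policy."""
        if self.max_length is not None and length > self.max_length:
            raise ValueError(f"{self.name} caps passwords at {self.max_length} characters")
        return length * math.log2(self.alphabet)

    def length_for_bits(self, target_bits: float) -> int:
        """Shortest length reaching target_bits, or -1 when the length cap makes that impossible."""
        # The tiny epsilon keeps floating-point noise from rounding an exact fit up by one.
        needed = math.ceil(target_bits / math.log2(self.alphabet) - 1e-9)
        if self.max_length is not None and needed > self.max_length:
            return -1
        return needed


# Article: case-insensitive letters (26), ten digits, seven permitted special characters.
AMEX = PasswordPolicy("AmEx (per article)", letters=26, digits=10, specials=7)
# Assumed baseline: every printable ASCII character (52 letters, 10 digits, 32 punctuation, space).
FULL = PasswordPolicy("printable ASCII", letters=52, digits=10, specials=33)
# A commenter's bank: alphanumeric only, case-sensitive, 5 to 8 characters.
CAPPED = PasswordPolicy("5-8 alphanumeric (comment)", letters=52, digits=10, specials=0, max_length=8)


def case_folded(password: str) -> str:
    """What a case-insensitive site effectively stores: 'Secret' and 'SECRET' collapse into one."""
    return password.lower()


def compare(length: int = 8) -> dict:
    """Per policy: bits at the given length, and the length needed to match the baseline at that length."""
    target = FULL.bits(length)
    return {p.name: (round(p.bits(length), 1), p.length_for_bits(target)) for p in (FULL, AMEX, CAPPED)}
```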

We can't figure out why American Express would have such ridiculous password requirements, but it's something that is easy to fix and we hope they address it in the near future.


Shoot, that's lame. My bank requires a 9-digit number from the back of my card and a PIN number plus 3 random numbers/letters from a card they hand out to you and which they replace every 6 months. If you try to use an old one it just won't work, because the random number won't match the card they have on record.

It's called netguard.

At least my banks use some rather creative challenge questions. Some of mine are "what color was your first car", "who is your favorite person", "what is your maternal grandmother's first name".

roadwarrior said,
At least my banks use some rather creative challenge questions. Some of mine are "what color was your first car", "who is your favorite person", "what is your maternal grandmother's first name".

Yeah, I think that makes more sense honestly. All it requires is some creativity. Lol

roadwarrior said,
At least my banks use some rather creative challenge questions. Some of mine are "what color was your first car", "who is your favorite person", "what is your maternal grandmother's first name".

would it be nana or grandma lol

Huh, well, even I am password paranoid. My passwords are bcrypted, for it's the only way to make sure they won't be cracked; other pseudo-security won't save you long unless it's hardened enough....

My workplace uses them, for which I have a corporate card. Every time I've had to ring them they only verify the card number, DoB and mother's maiden name. That's it! It really is poor, so much so that I've given them a fake maiden name.

Not to mention AMEX, while having an unlimited credit limit, has no doubt the poorest support outside of America of all the big players. I went to Manila on a business trip recently and it was next to useless. Had to use my personal MasterCard for everything.

All of the banks over here in the UK have a much more secure way of signing in, all using PIN machines as Meph mentioned.

The only bank I know that doesn't use any secondary login system is Halifax. Their online service is just a username/password.

Shikaka said,
All of the banks over here in the UK have a much more secure way of signing in, all using PIN machines as Meph mentioned.

The only bank I know that doesn't use any secondary login system is Halifax. Their online service is just a username/password.

I use Halifax, and I don't know what you are on about. When you log in, it prompts you for 3 random characters from your memorable answer, which can be anything you like. The only thing with Halifax that I'm a bit annoyed with is the fact that you can't use special characters in your password.

Ad Man Gamer said,

I use Halifax, and I don't know what you are on about. When you log in, it prompts you for 3 random characters from your memorable answer, which can be anything you like. The only thing with Halifax that I'm a bit annoyed with is the fact that you can't use special characters in your password.

Oh.... when I log in it just asks me for a username/password and I'm straight in? Maybe they have a basic login and I'm using that?

Santander has a weird one they inherited from Abbey: card number, pass code (numeric, minimum 6 numbers) and "personal" pass code (again numeric, minimum 5 numbers).

Verified by Visa uses the same stupid crap as Halifax. I usually have to reset my "password" each time I use it simply because I forgot which dumbed-down system I used last time to generate it.

I don't use sites that have VbV anymore...

HSBC got rid of passwords and we have to use a calculator-thing that's always in our possession to sign in.

My bank has a horrible password policy in place. Passwords *must* be alphanumeric and - really really hate this one - must be 5-8 characters. At least they're case sensitive, but c'mon - only up to 8 characters?

There's a second factor layer, in that you can come up with five of your own questions and answers. It prompts you for the questions when you're logging onto a new location or computer (?). But not when you're using your or someone else's phone!

As a developer, I am always baffled when I find sites that limit passwords. Honestly, if you run a website and you are not hashing the passwords--and more than once, like 1000 times, to make it computationally expensive--then you are doing something wrong.

If you ever visit a site that limits your password scope like the above, or even scarier, allows you to retrieve (not _replace_) your password via any mechanism, then you should consider not using that site. In the former case, it likely means that they are storing your password directly, and thus they needed to limit the characters to some range that they decided they could reasonably store based on a character set, and in the latter case, that means that your password is either completely plaintext or it can easily be made into plaintext by anyone with access to the database.

As for telling you to keep your Place of Birth confidential: I'm not sure I really ding them on that. It's a stupid fallback question because it's so easy to find people's birthplace these days, as well as the schools that they went to, but suggesting that someone think twice before giving away details that make it easier to steal their identity is wise to me.

RE: retrieving your password - two sites that scare me with this... MSDNAA (sends it to me in an email every semester...) and dish.com.
The latter, if you go into the settings or preferences or whatever, there will be your password in plain text. WTF.

pickypg said,
As a developer, I am always baffled when I find sites that limit passwords. Honestly, if you run a website and you are not hashing the passwords--and more than once, like 1000 times, to make it computationally expensive--then you are doing something wrong.

If you ever visit a site that limits your password scope like the above, or even scarier, allows you to retrieve (not _replace_) your password via any mechanism, then you should consider not using that site. In the former case, it likely means that they are storing your password directly, and thus they needed to limit the characters to some range that they decided they could reasonably store based on a character set, and in the latter case, that means that your password is either completely plaintext or it can easily be made into plaintext by anyone with access to the database.

As for telling you to keep your Place of Birth confidential: I'm not sure I really ding them on that. It's a stupid fallback question because it's so easy to find people's birthplace these days, as well as the schools that they went to, but suggesting that someone think twice before giving away details that make it easier to steal their identity is wise to me.

It basically means this system existed before Facebook was created. They need to update their security.

dagamer34 said,
It basically means this system existed before Facebook was created. They need to update their security.

Even before sites like Facebook existed, it was a stupid question to ask.

Where did you go to High School? The 300 people that graduated with me know that, and the other classmates in different years that knew me. Anything related to your birthplace or schooling is really off limits, or at least it should be.

pickypg said,
As a developer, I am always baffled when I find sites that limit passwords. Honestly, if you run a website and you are not hashing the passwords--and more than once, like 1000 times, to make it computationally expensive--then you are doing something wrong.

If you ever visit a site that limits your password scope like the above, or even scarier, allows you to retrieve (not _replace_) your password via any mechanism, then you should consider not using that site. In the former case, it likely means that they are storing your password directly, and thus they needed to limit the characters to some range that they decided they could reasonably store based on a character set, and in the latter case, that means that your password is either completely plaintext or it can easily be made into plaintext by anyone with access to the database.

As for telling you to keep your Place of Birth confidential: I'm not sure I really ding them on that. It's a stupid fallback question because it's so easy to find people's birthplace these days, as well as the schools that they went to, but suggesting that someone think twice before giving away details that make it easier to steal their identity is wise to me.

Agree 100%. Places that put limits on passwords are fundamentally insecure, since it means that the data is usually being stored in plain text, or the developer is being stupid.

Hashing (and salting) passwords has been a recommended practice for years and years, and I really find it shocking that developers still store passwords in plain text after all these years. Especially after all the database breaches in the last year or so. 10 years ago this might have been forgivable, but today it smacks of amateurism.

The thing that really grinds me is why developers insist on putting stupid password restrictions in place, when in reality it's EASIER to simply just hash whatever input the user provides and stick it in a database field.

If you're looking for something to make you red-faced and angry, check out the list of offending sites: http://plaintextoffenders.com/

pickypg said,
Even before sites like Facebook existed, it was a stupid question to ask.

Where did you go to High School? The 300 people that graduated with me know that, and the other classmates in different years that knew me. Anything related to your birthplace or schooling is really off limits, or at least it should be.


I absolutely agree. That's why I never answer these questions truthfully. Lol

Majesticmerc said,

Agree 100%. Places that put limits on passwords are fundamentally insecure, since it means that the data is usually being stored in plain text, or the developer is being stupid.

Hashing (and salting) passwords has been a recommended practice for years and years, and I really find it shocking that developers still store passwords in plain text after all these years. Especially after all the database breaches in the last year or so. 10 years ago this might have been forgivable, but today it smacks of amateurism.

The thing that really grinds me is why developers insist on putting stupid password restrictions in place, when in reality it's EASIER to simply just hash whatever input the user provides and stick it in a database field.

If you're looking for something to make you red-faced and angry, check out the list of offending sites: http://plaintextoffenders.com/


Wow. Just. Wow...

They are too busy creating stupid "IMPOSSIBLE" type ads, much like Comm Bank's "CAN'T" ads.

No idea what they are trying to tell their customers; I know there is no way one of their staff is going to personally bring me out a new card if mine gets lost.