We've already established that when it comes to security, passwords alone are not a very good choice. Sure, they're better than nothing, but with most people picking insecure passwords and companies saving them in unencrypted formats, there are better solutions out there.
American Express takes insecure passwords and makes them even more insecure. When registering your credit card, the site asks a series of questions including username, password, and "special question," but the restrictions they put on the answers is downright baffling.
First, when creating your account, they require the username to have both letters and numbers. Why this is in place isn't especially clear and while it doesn't hurt security, it really doesn't improve it either since usernames are generally fairly public.
Another piece of information that must be provided is a "personal security key." This is a backdoor that can be used in cases when customers forget a password. It's also used as a challenge phrase when you call into customer service. There are only three questions that a user is allowed to select: a purely numeric PIN, the name of the city you were born in, or the name of the first school you attended. While the questions may be relatively normal, the restrictions placed on the answers are puzzling: They do not allow special characters nor do they allow spaces. So if you were born in Los Angeles or went to 50th Street School, you either need to concatinate your answer or come up with an incorrect answer. (We actually recommend NOT answering these questions honestly as it makes it much easier to steal your personal information).
Even stranger is the confirmation email you receive from American Express after signing up. Though "Place of Birth" is public record, the company tells you to keep the answer confidential and to not share it with anyone. Does everyone with an AmEx card have to murder their parents to protect their security?
As if all of these silly requirements were not enough, American Express outdid itself with its password policy. First, the company limits the use of special characters to one of only seven selections. The icing on the cake is the fact that all passwords "will not be case senstive." This reduces the number of available characters from 52 down to only 26. Once you add in numbers and the limited special characters, customers only have 43 characters to choose from. While a secure password can still be created under these rules, American Express is making it more difficult for users who care about security.
We can't figure out why American Express would have such ridiculous password requirements, but it's something that is easy to fix and we hope they address it in the near future.