Bad Password Policies – AmericanExpress.com

I hate bad password policies.

Bad password policies encourage bad passwords, and bad password behavior (writing passwords down, picking simple passwords, etc…).

Signing up for my new Costco American Express Card, I found a new password policy that takes the cake. From AmericanExpress.com:

Your Password:
  • Must be different from your User ID

  • Must contain 8 to 20 characters, including one letter and number

  • May include the following characters: %, &, _, ?, #, =, -

  • Your new password cannot have any spaces and will not be case sensitive.

  • So they enforce a minimum of 8 characters, but I cannot use spaces.
  • It has to be alphanumeric, but it can’t be case sensitive – if I create a case-sensitive password, they’re kind enough to down-case it for me.
  • I can use special characters, but only from the list of 7 they’ve provided me.

What a horrible password policy. This is just the kind of thing that encourages poor passwords that are easily exploitable. Looking out on the interwebs, I’m not the first person to call attention to this, either. The first blog post I encountered had this to say:

The icing on the cake is the fact that all passwords “will not be case senstive[sic].” This reduces the number of available characters from 52 down to only 26. Once you add in numbers and the limited special characters, customers only have 43 characters to choose from.

Ridiculous. And these people are charged with keeping my credit information safe?
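To put numbers on the three points above and on the 43-character count quoted from the other blog, here is an added Python example (my own, not code from this post or from American Express). It builds the allowed alphabet from the quoted rules, compares the entropy of a minimum-length password under this policy with two alternative alphabets, and shows how case-folding collapses many distinct typed passwords into one stored value. The comparison alphabets, the sample user ID and the sample passwords are constructed for illustration and are not from the page.

```python
import math
import string

# Character classes as stated in the quoted policy. Passwords are
# case-folded, so only lower-case letters count as distinct symbols.
LETTERS = string.ascii_lowercase          # 26
DIGITS = string.digits                    # 10
SPECIALS = "%&_?#=-"                      # the seven listed specials
POLICY_ALPHABET = LETTERS + DIGITS + SPECIALS   # 26 + 10 + 7 = 43
MIN_LEN, MAX_LEN = 8, 20

# Comparison alphabets (constructed, not part of the quoted policy):
# the same rules but case-sensitive, and the full printable ASCII set.
CASE_SENSITIVE_ALPHABET = string.ascii_letters + DIGITS + SPECIALS   # 69
FULL_PRINTABLE_ALPHABET = "".join(
    c for c in string.printable if c not in "\t\n\r\x0b\x0c"
)                                                                     # 95


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of `length`
    symbols drawn from `alphabet_size` choices: log2(size ** length)."""
    return length * math.log2(alphabet_size)


def check_policy(password: str, user_id: str) -> tuple[bool, str, str]:
    """Apply the quoted rules in order.

    Returns (accepted, stored_form, reason). `stored_form` is the
    case-folded value the site would actually compare against later,
    which is why 'Secret42' and 'SECRET42' are the same password here."""
    folded = password.lower()
    if folded == user_id.lower():
        return False, folded, "same as user id"
    if not MIN_LEN <= len(folded) <= MAX_LEN:
        return False, folded, "length must be 8 to 20"
    if " " in folded:
        return False, folded, "spaces not allowed"
    if any(c not in POLICY_ALPHABET for c in folded):
        return False, folded, "character outside allowed set"
    if not any(c in LETTERS for c in folded) or not any(c in DIGITS for c in folded):
        return False, folded, "needs at least one letter and one digit"
    return True, folded, "ok"


def case_collapse_factor(password: str) -> int:
    """Number of distinct typed passwords that case-folding maps onto
    the same stored form: two choices (upper/lower) per letter."""
    return 2 ** sum(1 for c in password if c.isalpha())


if __name__ == "__main__":
    # Constructed sample user ID and passwords for illustration.
    for alphabet, label in (
        (POLICY_ALPHABET, "quoted policy (case-folded)"),
        (CASE_SENSITIVE_ALPHABET, "same rules, case-sensitive"),
        (FULL_PRINTABLE_ALPHABET, "full printable ASCII"),
    ):
        print(f"{label:30s} {len(alphabet):3d} symbols, "
              f"{entropy_bits(len(alphabet), MIN_LEN):.1f} bits at length {MIN_LEN}")
    for pw in ("Secret42", "SECRET42", "Passw0rd!", "my pass 1", "abcdefgh", "short1"):
        ok, stored, why = check_policy(pw, "jdoe")
        print(f"{pw!r:12s} -> accepted={ok!s:5s} stored={stored!r:12s} ({why})")
    print("typed variants folded onto 'secret42':", case_collapse_factor("Secret42"))
```

Running it shows the 43-symbol alphabet yielding about 43 bits at the minimum length, against roughly 49 bits for the same rules with case preserved and about 53 bits for full printable ASCII, and that 64 different capitalisations of `Secret42` all become the single stored value `secret42`.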

Have you seen a major website with a worse password policy?