You know, I have always been bothered by the Amercian Express website password limitations but, I admittedly never ran this one to ground. Well, someone ran with it. The password has always been limited to an 8 character maximum and no special characters.
I never imagined something quite this daft.
From Twice Refried News:
Thank you for your email regarding your online password.
I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking softwares can recognize them very easily.
The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of “most common keys pressedâ€.
Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.
*facepalm*
For the full email response, read on.
(Imaged used under CC from fireflythegreat Flickr feed)
Holy. Fricken. Moly.
@JJT You know, I want to say I’m surprised. But, I see this sort of nonsense more often than I care to admit.
I’m thinking we suggest Amex to take their theory to the ultimate end and truly minimize the keyboard contact:
Back the password requirement off to 1 character, integers only, but transmit using 4096-bit SSL.
Yeah, now that’ll do it.