American Express Wants You To Use Lame Passwords

We’re no longer indignant about Amex’s weirdly lax security policies anymore, we’re just confused. Why would a major credit card company cold call new customers and insist they give up bank and address info over the phone, or email sensitive data to strangers? Or, we just learned, demand that you use a lame password that isn’t case sensitive, is only 6 to 8 characters long, and can’t contain special characters?

Peter writes:

So I’m contemplating dropping my American Express Blue card, not because of the recent APR increases, but because of their website’s password policy.

According to their website:

Your Password should:

  • Contain 6 to 8 characters – at least one letter and one number (not case sensitive)
  • Contain no spaces or special characters (e.g., &, >, *, $, @)
  • Be different from your User ID and your last Password

That last one makes obvious sense, but to restrict a password to between 6-8 characters, and not allow special characters? That is HIGHLY insecure. I know I did my best to make as secure a password as possible with these limitations, but what about people who common, easily remembered, and highly guessable words as passwords? The limitation of 6-8 characters alone makes brute force a much more simple prospect. This complete disregard for security is quite bothersome

I’ve contacted a customer service rep about this in the past, but they of course had no acceptable answer. Any suggestions on how to bump this one up the chain?

Peter, you can try calling or writing using this American Express executive customer service contact info (it worked for another reader as recently as May 2009), but you might just want to look for another card provider altogether. You know, one that will let you create a decent password to protect your account.

(Photo: subcircle)

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.