American Express found itself under scrutiny as users raised eyebrows over their seemingly weak password policies. The requirements, limiting passwords to 6 to 8 characters with a narrow scope of allowed characters, have sparked concerns about the vulnerability of user accounts. This has ignited a broader conversation about the importance of robust password practices and the need for companies to adapt to advancing cybersecurity standards.
Upon investigation, it was discovered that a user who raised the issue received a response from American Express, defending their policy. The email claimed that the website employs 128-bit encryption, making passwords composed solely of letters and numbers more secure. The rationale behind avoiding special characters was explained as a measure to thwart hacking software, which supposedly recognizes them easily.
However, security experts argue that this explanation is flawed. The concept of password “entropy,” representing the variety of possible values, is critical in assessing the strength of a password. American Express’s limitations on character types result in low password entropy, potentially compromising user accounts. The assertion that hackers can easily identify non-alphabetic characters is debunked by cybersecurity experts who emphasise that allowing special characters and longer passwords enhances security.
Moreover, the email defended the 8-character limit by claiming it reduces keyboard contact, purportedly preventing hacking software from deciphering passwords based on common key presses. However,
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.