Security the Amex way

While there are arguments against the effectiveness of PCI-DSS (Payment Card Industry Data Security Standard) compliance, it isn't going away any time soon.

With that in mind, a recent article caught my eye about how one of the big credit card companies handles its own information security.

Some gems from the Amex response:

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack.
This is one I've encountered before: transport-layer security confused with authentication security. Their website could have 128,000-bit encryption; it won't help them when I guess that your password is 123456.
We discourage the use of special characters because hacking softwares can recognize them very easily.
More easily than non-special characters? Wow.

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

Would that not mean a single character password was even more secure?
Scary. Although a friend did comment "Well at least they have a password policy!"
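To put numbers on the point, here is an added example (my own code, not anything from the article or from Amex) that compares the worst-case guessing cost of the quoted policy (letters only, at most 8 characters) with the "128 bit" transport figure, and shows that shortening a password only shrinks the search space. The two policy definitions and the guess rate are constructed assumptions for illustration.

```python
import math
import string

# Constructed policies for illustration. AMEX_POLICY mirrors the quoted rules
# (letters only, up to 8 characters); SANE_POLICY is an assumed comparison.
AMEX_POLICY = {"alphabet": string.ascii_letters, "min_len": 1, "max_len": 8}
SANE_POLICY = {
    "alphabet": string.ascii_letters + string.digits + string.punctuation,
    "min_len": 12,
    "max_len": 64,
}

TLS_CLAIM_BITS = 128  # the "128 bit encryption" figure quoted in the post


def search_space(policy):
    """Count every password the policy permits, summed over all allowed lengths."""
    n = len(policy["alphabet"])
    return sum(n ** length for length in range(policy["min_len"], policy["max_len"] + 1))


def strength_bits(policy):
    """Worst-case brute-force cost of the policy as a whole, in bits (log2 of the space)."""
    return math.log2(search_space(policy))


def effective_bits(policy, transport_bits=TLS_CLAIM_BITS):
    """An attacker guessing passwords never touches the TLS key, so the weaker
    of the two figures is what actually protects the account."""
    return min(transport_bits, strength_bits(policy))


def hours_to_exhaust(policy, guesses_per_second):
    """Time to try the entire policy space at an assumed offline guess rate."""
    return search_space(policy) / guesses_per_second / 3600


def shorter_is_weaker(policy):
    """The post's closing question, answered: capping max_len lower only
    shrinks the space, so a 1-character password is the weakest, not the strongest."""
    spaces = []
    for cap in range(1, policy["max_len"] + 1):
        spaces.append(search_space({**policy, "max_len": cap}))
    return all(a < b for a, b in zip(spaces, spaces[1:]))


if __name__ == "__main__":
    for name, policy in (("quoted policy", AMEX_POLICY), ("sane policy", SANE_POLICY)):
        print(f"{name}: {strength_bits(policy):.1f} bits, "
              f"effective {effective_bits(policy):.1f} bits, "
              f"{hours_to_exhaust(policy, 1e9):.1f} hours at 1e9 guesses/s (assumed rate)")
    print("shorter max length is always weaker:", shorter_is_weaker(AMEX_POLICY))
```

The quoted policy tops out around 45.6 bits, so the 128-bit transport figure is irrelevant to how hard the password is to guess.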
