Posts Tagged ‘WebApplications’

Amex Security Fail

As Jeff Atwood pointed out on his blog, security on the web is generally a hard problem and passwords are the Achilles heel of such security. Companies should generally encourage customers to use strong passwords. What really irks me, though, is when a company like American Express, which should be taking this with the utmost seriousness, tends to limit password complexity.

I am pretty sure that a few months ago the password length could only be a maximum of 8 characters; that seems to have changed. But they still only allow a limited set of special characters and, here’s the kicker, the password is not case sensitive! Is it just me, or does this scream out home-grown crypto or some sort of direct pass-through authentication to a legacy system? Bravo Amex, Braaavooo … *slow clap*

AmexFail
