Tuesday, September 9, 2008

American Express - Intentionally Weak Password Requirements.

Here’s an e-mail I sent to Bruce Schneier regarding the
American Express web site password requirements:

> Hi Bruce.
>
> I'm in the process of changing my online passwords to strong 
> passwords that include upper and lower case characters, numbers and 
> symbols. When I tried to change my password for American Express, I 
> was limited to only 6-8 characters excluding symbols. Why would a 
> web site run by one of the largest financial institutions in the 
> world have intentionally weak password requirements?
>
> Are they completely missing the boat here, or is there something 
> ingenious in their simplicity?

No. It's dumb.



Click here for a screenshot of the Amex password requirements.