American Airlines

Name: American Airlines Password Policy Grade
Item: American Airlines
Rating: 6
Author: PassFail.wtf Community

other⚠ Unverified⚠ Needs re-verificationLast tested 2mo ago

71/110

65%

71/110

0 verifications

Category Breakdown

Category 1

Password Length Policy

8/20

8–16 char max — low ceiling for an account that holds credit card info

Category 2

Character & Composition Rules

20/20

Category 3

Multi-Factor Authentication

8/25

SMS 2FA available

Category 4

Anti-Pattern Penalties

20/20

Category 5

Password Manager Compatibility

15/15

Category 6

Breach Response & Credential Hygiene

0/10

✗

Password length restrictions are too tight

Allow minimum 8 chars, support up to at least 64 characters (preferably unlimited)

Reference: NIST SP 800-63B §5.1.1

✗

Weak or missing MFA support

Implement TOTP (authenticator apps) and FIDO2/WebAuthn hardware keys. Work toward passkeys as a passwordless option

Reference: NIST SP 800-63B §4.3.1

✗

No breach detection

Check new passwords against known-breached lists (e.g. HaveIBeenPwned API). Notify users of relevant breaches

Reference: NIST SP 800-63B §5.1.1.2

Help the community by testing this policy yourself. Earn +5 karma for each verification.

No comments yet. Be the first to share your experience.