IHG Finally Ditches PINs In Favor Of Passwords


I’m far from a web security expert, though one thing that has been incredibly puzzling to me is IHG Rewards Club’s horrible account security.

IHG Rewards Club Has Used Four-Digit PINs

Historically IHG Rewards Club has only allowed members to use four-digit PINs to secure their accounts, and not longer passwords. It’s one thing to give people the option of choosing four-digit PINs (which is bad enough), but to not give people any other options is mind-boggling.

IHG Rewards Club has had huge issues with account hacking, which shouldn’t come as a surprise given their PIN security system. For example, Andrew wrote about how his IHG account was hacked.

I’m not sure what exactly IHG’s motivation was for not allowing passwords for so long. We’re talking about a loyalty program with tens of millions of members, and presumably the company was out of pocket in cases where accounts were hacked and the points had already been redeemed, and they had to restore those points? So why hasn’t this been a priority?

Well, there’s some good news on that front…

IHG Rewards Club Now Lets You Select Password

Going forward, IHG Rewards Club will require all accounts to have passwords rather than PINs.

Passwords must be at least eight characters, and include three of the following:

  • Capital letters
  • Lower case letters
  • Numbers
  • Special characters

Signing Up For A New IHG Account

If you’re signing up for a new IHG Rewards Club account, you’ll see that you’re asked to create a password during the sign-up process, so that’s easy enough.

Adding A Password To An Existing IHG Account

If you’re an existing IHG Rewards Club member you won’t be forced to change from a PIN to a password, but you have the option of doing so. You have two easy ways you can go about this.

The first is to go to the log-in page for your account, and click the “reset password” link, which will force you to select a password rather than a PIN.

Alternatively you can log into your IHG account, go to the “personal information” tab, and then in the “account information” section you’ll see an option to edit your password. You’ll be asked to enter your current PIN, and then you can select a password that adheres to the new requirements.

Bottom Line

It’s nice to see IHG Rewards Club finally adding the functionality to select a password. I still can’t wrap my head around why it took them so long. Maybe people who know more about web security than I do can chime in on that…

(Tip of the hat to JT Genter)

Conversations (14)
The comments on this page have not been provided, reviewed, approved or otherwise endorsed by any advertiser, and it is not an advertiser's responsibility to ensure posts and/or questions are answered.

  1. Marco Guest

    The new IHG app on Android no longer allows me to log in, from my PC at home everything works. Has anyone else had the same problem?

  2. Sung Diamond

    pin and password are not much different these days. keyloggers and account data breaches make using pin and password pointless. Some level of 2FA is required these days, be it sms or authenticator or physical U2F keys (sms being the worst)

  3. MDA Diamond

    You know Qantas still use pins??? To change it you get the following message: "Your new PIN must be four numbers only, not letters, and all four numbers cannot be the same (e.g. 1111)." To be fair if you try to update your profile they do have 2FA. I would love to be proven wrong on the PIN but can not see an option to put in a decent password

  4. Alex Member

    That’s good news. I have passwords across hundreds of accounts for various things. This was literally the only one my password manager yelled at me about. Immediately changed it to a random 20 character password.

  5. AD Diamond

    The most basic thing that will make a password more secure is length. The longer it is, the harder to crack. Four digits is child's play. Remember, this is the same company that used to ask you for your SSN to sign up and used it as your member number. I gave them a fake number but many people, I'm sure, handed over the real thing in the '90s.

    Apparently they are slowly learning. However to @fortytwo's point, the requirements are stupid. Long, memorable but not easily guessable and not in the dictionary. That's what you need. Forget all the other BS. And 2FA is better. There are exploits that hackers can use, but it's harder than not using it. And it's better if you get the second factor from an app than to have it sent to your phone.

  6. Luke Vader Diamond

    The fact IHG has kept 4-digit PINs until now makes me wonder what other parts of their IT systems are old and/or weak.

  7. E Schwers Guest

    I totally appreciated the ease of IHG login. Here again we've lost because simpletons lost their way.

  8. Tim Diamond

    I love the PIN. Not changing unless forced.

  9. Andrew B Guest

    I had mine hacked a few years ago. Honestly didn’t mind it. They wiped out 100k plus miles, but it was a quick phone call and about 1 week to restore (granted, I didn’t have any travel scheduled for that time). The upside was that since I had the Chase card, I ended up getting the 10% bonus from their fraudulent redemption.

  10. speedski Guest

    @Max 2FA is exploited too. So that wouldn't fix it either.

  11. Steve L. Guest

    Made the switch...thanks for the heads up.

  12. Max Guest

    Still no 2FA, so it is still unsecure...

  13. FortyTwo New Member

    Good riddance, those PINs. Although passwords are better, these requirements are absolute BS - mostly security theatre. As always, xkcd explains it best: https://xkcd.com/936/

  14. Uri Guest

    Great, I'm changing my PIN to a password right now.
    Wait... I need my PIN for that, and I don't remember it. Need to find it in my mail. Never mind.

Meet Ben Schlappig, OMAAT Founder