I’m far from a web security expert, though one thing that has been incredibly puzzling to me is IHG Rewards Club’s horrible account security.
In this post:
IHG Rewards Club Has Used Four Digit PINs
Historically IHG Rewards Club has only allowed members to use four digit PINs to secure their accounts, and not longer passwords. It’s one thing to give people the option of choosing four digit PINs (which is bad enough), but to not give people any other options is mind-boggling.
IHG Rewards Club has had huge issues with account hacking, which shouldn’t come as a surprise given their PIN security system. For example, Andrew wrote about how his IHG account was hacked.
I’m not sure what exactly IHG’s motivation was for not allowing passwords for so long. We’re talking about a loyalty program with tens of millions of members, and presumably the company was out of pocket in cases where accounts were hacked and already redeemed, and they had to restore points? So why hasn’t this been a priority?
Well, there’s some good news on that front…
IHG Rewards Club Now Lets You Select Password
Going forward, IHG Rewards Club will require all accounts to have passwords rather than PINs.
Passwords must be at least eight characters, and include three of the following:
- Capital letters
- Lower case letters
- Numbers
- Special characters
Signing Up For A New IHG Account
If you’re signing up for a new IHG Rewards Club account, you’ll see that you’re asked to create a password during the sign-up process, so that’s easy enough.
Adding A Password To An Existing IHG Account
If you’re an existing IHG Rewards Club member you won’t be forced to change from a PIN to a password, but you have the option of doing so. You have two easy ways you can go about this.
The first is to go to the log-in page for your account, and click the “reset password” link, which will force you to select a password rather than a PIN.
Alternatively you can log into your IHG account, go to the “personal information” tab, and then in the “account information” section you’ll see an option to edit your password. You’ll be asked to enter your current PIN, and then you can select a password that adheres to the new requirements.
Bottom Line
It’s nice to see IHG Rewards Club finally adding the functionality to select a password. I still can’t wrap my head around why it took them long. Maybe people who know more about web security than I do can chime in on that…
(Tip of the hat to JT Genter)
The new IHG app on Android no longer allows me to log in, from my PC at home everything works. Has anyone else had the same problem?
pin and password are not much different these days. keyloggers and account data breaches make using pin and password pointless. Some level of 2FA is required these days, be it sms or authenticator or physical U2F keys (sms being the worst)
You know Qantas still use pins??? To change it you get the following message ;Your new PIN must be four numbers only, not letters, and all four numbers cannot be the same (e.g. 1111). To be fair if you try to update your profile they do have 2FA. I would love to be proven wrong on the PIN but can not see an option to put in a decent password
That’s good news. I have passwords across hundreds of accounts for various things. This was literally the only one my password manager yelled at me about. Immediately changed it to a random 20 character password.
The most basic thing that will make a password more secure is length. The longer it is, the harder to crack. Four digits is child's play. Remember, this is the same company that used to ask you for your SSN to sign up and used it as your member number. I gave them a fake number but many people, I'm sure, handed over the real thing in the '90s.
Apparently they are slowly learning....
The most basic thing that will make a password more secure is length. The longer it is, the harder to crack. Four digits is child's play. Remember, this is the same company that used to ask you for your SSN to sign up and used it as your member number. I gave them a fake number but many people, I'm sure, handed over the real thing in the '90s.
Apparently they are slowly learning. However to @fortytwo's point, the requirements are stupid. Long, memorable but not easily guessable and not in the dictionary. That's what you need. Forget all the other BS. And 2FA is better. There are exploits that hackers can use, but it's harder than not using it. And it's better if you get the second factor from an app than to have it sent to your phone.
The fact IHG has kept 4-digit PINs until now makes me wonder what other parts of their IT systems are old and/or weak.
I totally appreciated the ease of IHG login. Here again we've lost because simpletons lost their way.
I love the PIN. Not changing unless forced.
I had mine hacked a few years ago. Honestly didn’t mind it. They wiped out 100k plus miles, but it was a quick phone call and about 1 week to restore (granted, I didn’t have any travel scheduled for that time). The upside was that since I had the Chase card, I ended up getting the 10% bonus from their fraudulent redemption.
@Max 2FA is exploited too. So that wouldn't fix it either.
Made the switch...thanks for the heads up.
Still no 2FA, so it is still unsecure...
Good riddance, those PINs. Although passwords are better, these requirements are absolute BS - mostly security theatre. As always, xkcd explains it best: https://xkcd.com/936/
Great, I'm changing my PIN to a password right now.
Wait... I need my PIN for that, and I don't remember it. Need to find it in my mail. Never mind.