IHG Finally Ditches PINs In Favor Of Passwords

Filed Under: IHG Rewards

I’m far from a web security expert, though one thing that has been incredibly puzzling to me is IHG Rewards Club’s horrible account security.

IHG Rewards Club Has Used Four Digit PINs

Historically IHG Rewards Club has only allowed members to use four digit PINs to secure their accounts, and not longer passwords. It’s one thing to give people the option of choosing four digit PINs (which is bad enough), but to not give people any other options is mind-boggling.

IHG Rewards Club has had huge issues with account hacking, which shouldn’t come as a surprise given their PIN security system. For example, Andrew wrote about how his IHG account was hacked.

I’m not sure what exactly IHG’s motivation was for not allowing passwords for so long. We’re talking about a loyalty program with tens of millions of members, and presumably the company was out of pocket in cases where accounts were hacked and already redeemed, and they had to restore points? So why hasn’t this been a priority?

Well, there’s some good news on that front…

IHG Rewards Club Now Lets You Select Password

Going forward, IHG Rewards Club will require all accounts to have passwords rather than PINs.

Passwords must be at least eight characters, and include three of the following:

  • Capital letters
  • Lower case letters
  • Numbers
  • Special characters

Signing Up For A New IHG Account

If you’re signing up for a new IHG Rewards Club account, you’ll see that you’re asked to create a password during the sign-up process, so that’s easy enough.

Adding A Password To An Existing IHG Account

If you’re an existing IHG Rewards Club member you won’t be forced to change from a PIN to a password, but you have the option of doing so. You have two easy ways you can go about this.

The first is to go to the log-in page for your account, and click the “reset password” link, which will force you to select a password rather than a PIN.

Alternatively you can log into your IHG account, go to the “personal information” tab, and then in the “account information” section you’ll see an option to edit your password. You’ll be asked to enter your current PIN, and then you can select a password that adheres to the new requirements.

Bottom Line

It’s nice to see IHG Rewards Club finally adding the functionality to select a password. I still can’t wrap my head around why it took them long. Maybe people who know more about web security than I do can chime in on that…

(Tip of the hat to JT Genter)

  1. Great, I’m changing my PIN to a password right now.
    Wait… I need my PIN for that, and I don’t remember it. Need to find it in my mail. Never mind.

  2. I had mine hacked a few years ago. Honestly didn’t mind it. They wiped out 100k plus miles, but it was a quick phone call and about 1 week to restore (granted, I didn’t have any travel scheduled for that time). The upside was that since I had the Chase card, I ended up getting the 10% bonus from their fraudulent redemption.

  3. I totally appreciated the ease of IHG login. Here again we’ve lost because simpletons lost their way.

  4. The fact IHG has kept 4-digit PINs until now makes me wonder what other parts of their IT systems are old and/or weak.

  5. The most basic thing that will make a password more secure is length. The longer it is, the harder to crack. Four digits is child’s play. Remember, this is the same company that used to ask you for your SSN to sign up and used it as your member number. I gave them a fake number but many people, I’m sure, handed over the real thing in the ’90s.

    Apparently they are slowly learning. However to @fortytwo’s point, the requirements are stupid. Long, memorable but not easily guessable and not in the dictionary. That’s what you need. Forget all the other BS. And 2FA is better. There are exploits that hackers can use, but it’s harder than not using it. And it’s better if you get the second factor from an app than to have it sent to your phone.

  6. That’s good news. I have passwords across hundreds of accounts for various things. This was literally the only one my password manager yelled at me about. Immediately changed it to a random 20 character password.

  7. You know Qantas still use pins??? To change it you get the following message ;Your new PIN must be four numbers only, not letters, and all four numbers cannot be the same (e.g. 1111). To be fair if you try to update your profile they do have 2FA. I would love to be proven wrong on the PIN but can not see an option to put in a decent password

  8. pin and password are not much different these days. keyloggers and account data breaches make using pin and password pointless. Some level of 2FA is required these days, be it sms or authenticator or physical U2F keys (sms being the worst)

Leave a Reply

If you'd like to participate in the discussion, please adhere to our commenting guidelines. Your email address will not be published. Required fields are marked *