While I’m by no means a tech security expert, there are some travel companies that have mind-numbingly bad security practices. For example, IHG continues to use four digit PINs. IHG accounts get hacked all the time.
Can anyone — anyone — help me understand how in 2019 they still do this? Accounts get hacked all the time, and when they do IHG typically makes people whole and gives them back their points. So how is it that they still think that’s the best system?
Singapore KrisFlyer Isn’t Much Better
Singapore Airlines’ KrisFlyer program is annoying in two ways when it comes to logging in and account security:
- You can only log into your account online using your KrisFlyer number, and not your email address or a username; this means I always have to look up my KrisFlyer number before logging into my account (I use LastPass for most things, but since I manage many KrisFlyer accounts, I don’t add that to my LastPass)
- KrisFlyer requires you to have a six digit PIN, rather than a password
Well, there are some positive updates on both of those fronts.
How KrisFlyer Is Improving Account Security
It has been announced that Singapore KrisFlyer will be making two changes to how you log into your account as of September 24, 2019:
- You’ll be able to log into your KrisFlyer account using the email address you have registered on your account, in addition to the current option of logging in with your 10-digit KrisFlyer number
- Your six digit KrisFlyer PIN will be replaced by a password
You’ll automatically be able to log in with your email address as of September 24, and as of that date you’ll also be prompted to come up with a password (you can’t decide on your password prior to that).
Your password must be eight to 16 characters long, and can include a combination of:
- Numbers (0-9)
- Uppercase and lowercase letters (A-Z and a-z)
- Special characters (!@#$%^&*())
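The announced policy in code, as an added example that is not KrisFlyer's own implementation: a validator for the eight-to-16 character, listed-charset rule, plus a keyspace comparison of the old four- and six-digit PINs against passwords drawn from the new character set. The two guess rates (a throttled online login form and an offline attack on a leaked fast hash) are assumptions for illustration, not figures from the page.

```python
import math
import string

# Character classes exactly as listed in the announced KrisFlyer policy.
DIGITS = string.digits                 # 0-9
LETTERS = string.ascii_letters         # A-Z and a-z
SPECIALS = "!@#$%^&*()"                # the ten specials the policy lists
ALLOWED = set(DIGITS + LETTERS + SPECIALS)
ALPHABET_SIZE = len(ALLOWED)           # 10 + 52 + 10 = 72
MIN_LEN, MAX_LEN = 8, 16


def check_krisflyer_policy(password: str) -> tuple[bool, str]:
    """Accept or reject a candidate under the 8-16 character, listed-charset rule.

    Returns (True, "ok") or (False, reason). The rule is only a character
    filter: it says nothing about dictionary words or reuse, which is where
    most real-world password failures come from.
    """
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False, f"length {len(password)} not in {MIN_LEN}-{MAX_LEN}"
    bad = sorted(set(password) - ALLOWED)
    if bad:
        return False, "disallowed characters: " + "".join(bad)
    return True, "ok"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy if every secret in the space is equally likely."""
    return math.log2(space)


def time_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Seconds to try every secret at a fixed rate (worst case; expected is half)."""
    return space / guesses_per_second


# Assumed guess rates (illustrative, not from the page).
ONLINE_RATE = 10.0      # guesses/s against a throttled live login form
OFFLINE_RATE = 1e10     # guesses/s against a leaked fast, unsalted hash

SCENARIOS = {
    "4-digit PIN (IHG-style)": (10, 4),
    "6-digit PIN (old KrisFlyer)": (10, 6),
    "8-char password, 72-symbol set": (ALPHABET_SIZE, MIN_LEN),
    "16-char password, 72-symbol set": (ALPHABET_SIZE, MAX_LEN),
}


def compare_scenarios() -> dict[str, dict[str, float]]:
    """Keyspace, entropy and exhaustive-search time (in days) for each scheme."""
    out = {}
    for name, (alpha, length) in SCENARIOS.items():
        space = keyspace(alpha, length)
        out[name] = {
            "keyspace": space,
            "bits": entropy_bits(space),
            "online_days": time_to_exhaust(space, ONLINE_RATE) / 86400,
            "offline_days": time_to_exhaust(space, OFFLINE_RATE) / 86400,
        }
    return out


if __name__ == "__main__":
    for pw in ["Abcdef1!", "123456", "Abcdef1-", "x" * 17]:
        print(f"{pw!r:14} -> {check_krisflyer_policy(pw)}")
    for name, r in compare_scenarios().items():
        print(f"{name:34} {r['bits']:6.1f} bits  "
              f"online {r['online_days']:.3g} d  offline {r['offline_days']:.3g} d")
```

The keyspace figures assume a uniformly random secret; real users choose predictable passwords, so the practical resistance of an eight-character password is well below the 49 bits the calculation gives. The more useful lesson is about PINs: a six-digit space can be exhausted in about a day at ten guesses per second, so a PIN-based login depends entirely on server-side lockout and rate limiting rather than on the secret itself.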
Bottom Line
These seem like some pretty common sense changes for KrisFlyer to be making. Personally I’m excited to be able to log in with my email address. Beyond that, it seems pretty logical that they’d introduce “real” passwords, rather than the current PINs they use.
I haven't used a password with Microsoft, Google or Yahoo in ages. All 2 factor auth. I don't understand why more organizations don't make the switch.
Not a cyber security expert, but I've heard 16 characters of mixed type would take several years to brute-force hack. Good enough for me.
IHG doesn't pay their hotels much for stays, so I guess it's cheaper to put points back into accounts than fix the software?
@michaelr A pin on Windows is safer than a password, as it is tied to the specific device and not stored by Microsoft. Most issues come from remote attackers, which is not possible even with a simple pin.
Why did Windows 10 re-introduce the 4 digit PIN?
@Lucky - LastPass lets you easily have multiple logins for each site, and then you just pick the one you want.
Re: Why limit the number of characters in a password? And similarly why limit the special characters you can use?
Because they've hired some cheap enterprise developers who can only build things with copy and paste code and their program managers don't know anything about security.
@Max Qantas FF uses/forces 2FA. It’s actually a little annoying when you are traveling and they force SMS confirmation and are using a different SIM/number.
But I get the point - too many of these programs use 4-6 digit pins which are ludicrously easy to hack. This is a small step forward for Singapore Airlines and the rest still using PINs should hurry up and follow suit.
As said above this is still ridiculously lax.
Why limit the upper number of characters that you can use? It's not like the extra storage costs are noticeable.
Also, two factor authentication needs to be implemented.
Wake me up when there is a loyalty program that offers 2-Factor-Authentication for login and transactions. Imho the security of these programs should be regulated the same way as for online banking accounts.
Ridiculous to have an upper limit... Sounds like they're possibly not even encrypting them
what I don't understand is why they limit it to 16? Why not 50 or 100?
it is really pathetic. 8 character passwords are pretty easy to crack. Personally they should require at least 12 but preferably 16 characters with numbers and special characters.
I once complained to a stock brokerage and their response was "some people don't want longer passwords". Of course in the states we can't get most people to use the chip in ccs and still swipe them in many/most locations. And most non-fast food restaurants can't handle Apple Pay (or other phone payment methods).
Wasn't BA and Hilton both bad for a while? (Regarding a short pin.)