While I’m by no means a tech security expert, there are some travel companies that have mind-numbingly bad security practices. For example, IHG continues to use four-digit PINs. IHG accounts get hacked all the time.
Can anyone — anyone — help me understand how in 2019 they still do this? Accounts get hacked all the time, and when they do IHG typically makes people whole and gives them back their points. So how is it that they still think that’s the best system?
Singapore KrisFlyer Isn’t Much Better
Singapore Airlines’ KrisFlyer program is annoying in two ways when it comes to logging into your account and security:
- You can only log into your account online using your KrisFlyer number, and not your email address or a username; this means I always have to look up my KrisFlyer number before logging into my account (I use LastPass for most things, but since I manage many KrisFlyer accounts, I don’t add that to my LastPass)
- KrisFlyer requires you to have a six-digit PIN, rather than a password
Well, there are some positive updates on both of those fronts.
How KrisFlyer Is Improving Account Security
It has been announced that Singapore KrisFlyer will be making two changes to how you log into your account as of September 24, 2019:
- You’ll be able to log into your KrisFlyer account using the email address you have registered on your account, in addition to the current option of logging in with your 10-digit KrisFlyer number
- Your six-digit KrisFlyer PIN will be replaced by a password
You’ll automatically be able to log in with your email address as of September 24, and as of that date you’ll also be prompted to come up with a password (you can’t decide on your password prior to that).
Your password must contain eight to 16 alphanumeric characters, and can include a combination of:
- Numbers (0-9)
- Uppercase and lowercase letters (A-Z and a-z)
- Special characters (!@#$%^&*())
These seem like some pretty common-sense changes for KrisFlyer to be making. Personally I’m excited to be able to log in with my email address. Beyond that, it seems pretty logical that they’d introduce “real” passwords, rather than the current PINs they use.