Last edit by: davie355
HHonors Sign In (if the link has disappeared)
https://secure3.hilton.com/en/hh/customer/login/index.htm
Consolidated "CAPTCHA for logging in?" thread
#46
Suspended
Join Date: Feb 2003
Posts: 8,135
Absolutely, it's a real threat. I run a public-facing website that holds significant personal information on our users and we see all sorts of bots trying to brute force their way in. And we're nowhere near the size of HHonors.
Besides spending points on merchandise, there's also the potential for targeted attacks against specific people in order to figure out where they're staying.
That said, the captcha isn't the solution. Passwords are the solution (plus various tricks to slow down bots).
#47
FlyerTalk Evangelist
Join Date: Mar 2008
Location: body: A stone's throw from SFO, mind: SE Asia
Programs: Some of this 'n some of that
Posts: 17,263
Initially I was getting the 2 words, one of which was impossible to decipher. More recently the image has almost consistently been a number.
#48
Join Date: Apr 2003
Location: Ontario, Canada
Posts: 972
Why is the resident HH rep not explaining this nonsense on this thread? Why does a corporation of Hilton's size have such a useless website that is constantly throwing obstacles at its customers?
I have none of these problems with my airline sites or their FF sites. It is truly frustrating in the extreme to constantly go through this nonsense while trying to act as a frequent and loyal Hilton customer.
What is the point of a password if you have to go through this CAPTCHA idiocy every time you log in?
#49
FlyerTalk Evangelist
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,714
CAPTCHA roadblocks are crude and primitive and not a long-term answer, but until something user-friendly on the dual-factor front is figured out they help keep hacker bots at bay.
The mega-question here, of course, is why the Hilton and HHonors websites are such perpetual train wrecks. People have been noting serious bugs and failures and whatnot in this forum for literally 15 years, and they are never addressed. All they do is window-dressing -- slap a bigger (and functionally useless) image on the front page, etc.
#50
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,361
Passwords are actually obsolete and an ineffectual security solution. Most people use obvious ones or never change them. The big cyber security thinkers are nudging the world toward some kind of dual-factor authentication, mixing a biometric factor and a data factor, but it's hard to come up with a solution that's less user-onerous in practice than a login/password.
CAPTCHA roadblocks are crude and primitive and not a long-term answer, but until something user-friendly on the dual-factor front is figured out they help keep hacker bots at bay.
The mega-question here, of course, is why the Hilton and HHonors websites are such perpetual train wrecks. People have been noting serious bugs and failures and whatnot in this forum for literally 15 years, and they are never addressed. All they do is window-dressing -- slap a bigger (and functionally useless) image on the front page, etc.
That's how you end up with this: http://thedaily....com/Articles/Secu..._Oblivity.aspx
#51
FlyerTalk Evangelist
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,714
Yes, the 2FA theorists forget that if people won't adopt a new protocol voluntarily, it will fail, regardless of its technological brilliance. (See Windows 8.) And as the people behind HHonors.com have been unable to make the "Remember Me" button work since 1998, I share your lack of faith that they can possibly succeed here anyway.
#52
Join Date: Oct 2014
Posts: 1
Captcha is being misused by Hilton
reCaptcha is a "BOT" defense to be used on user sign-up pages to keep "BOTS" from signing up to spam the site. The use of reCaptcha on a LOGIN page will only slightly slow the hacker down. Getting rid of all pins and using passwords will not put a major disturbance in the customers' experience on the HHonors site. As for me, the disruption caused by the reCaptcha on the login page of HHonors is a deal breaker. I and my 270 days a year account will have to find another chain, if recaptcha is not gone from the login page in a week. If the Hilton IT team thinks that reCaptcha stops hackers then my credit card info is in the wrong hands.
#53
Join Date: Jan 2009
Location: Singapore
Programs: HHonors Diamond; A3 *Nothing ; BA Exec. Club Gold
Posts: 1,687
reCaptcha is a "BOT" defense to be used on user sign-up pages to keep "BOTS" from signing up to spam the site. The use of reCaptcha on a LOGIN page will only slightly slow the hacker down. Getting rid of all pins and using passwords will not put a major disturbance in the customers' experience on the HHonors site. As for me, the disruption caused by the reCaptcha on the login page of HHonors is a deal breaker. I and my 270 days a year account will have to find another chain, if recaptcha is not gone from the login page in a week. If the Hilton IT team thinks that reCaptcha stops hackers then my credit card info is in the wrong hands.
A significant number of accounts were hacked and huge numbers of points and data were taken. I am happy that HH acted relatively quickly and added what I assume is a temporary security step.
A key 3rd step is to block accounts for an hour if 3 false attempts were made to login and to trigger an automatic email to the account owner. This will make sure that, besides bots, the sweatshop kids also won't be able to try 9999 times to get access.
Going forward the membership number with pin login type should be abandoned. At least a user name with password is a lot less structured and a simple systematic trying of 4 numbers won't work. Still keep the notification when password failures occur.
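The lockout procedure described in post #53 (three failed attempts, a one-hour block, an automatic email to the owner) and its point about a four-digit PIN being enumerable, as an added example written for this page. It is not code from the thread and not Hilton's code; the account number, the PIN, the email address and the send_mail callback are all made up for the demonstration, and the "unprotected" gate exists only to show what systematic trying of 4 numbers looks like without a lockout.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 3          # failed attempts before the account is blocked (from the post)
LOCKOUT_SECONDS = 3600    # one hour, as the post suggests


class LoginGate:
    """Per-account failure counter with a timed lockout and owner notification.

    Hypothetical illustration. `credentials` maps account id -> (email, secret);
    `send_mail(to, body)` is whatever mail sender the caller supplies; `clock`
    is injectable so the lockout expiry can be tested without sleeping.
    """

    def __init__(self, credentials, send_mail, clock=time.time, max_failures=MAX_FAILURES):
        self._creds = credentials
        self._send_mail = send_mail
        self._clock = clock
        self._max_failures = max_failures      # None disables the lockout (for comparison only)
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account_id):
        until = self._locked_until.get(account_id)
        return until is not None and self._clock() < until

    def attempt(self, account_id, secret):
        """Return 'ok', 'denied' or 'locked'. A locked account is not checked at all,
        so even the correct secret is refused until the hour is up."""
        if self.is_locked(account_id):
            return "locked"
        email, real_secret = self._creds.get(account_id, (None, None))
        # Constant-time comparison; unknown accounts fall through to the failure path
        # so the response does not reveal whether the account exists.
        if real_secret is not None and hmac.compare_digest(secret, real_secret):
            self._failures[account_id] = 0
            return "ok"
        self._failures[account_id] += 1
        if self._max_failures is not None and self._failures[account_id] >= self._max_failures:
            self._failures[account_id] = 0
            self._locked_until[account_id] = self._clock() + LOCKOUT_SECONDS
            if email:
                self._send_mail(email, f"Account {account_id} blocked for one hour after "
                                       f"{self._max_failures} failed login attempts")
            return "locked"
        return "denied"


def brute_force_pin(gate, account_id):
    """Systematically try every 4-digit PIN. Returns (pin_found, attempts_made, outcome)."""
    attempts = 0
    for pin in range(10000):
        attempts += 1
        result = gate.attempt(account_id, f"{pin:04d}")
        if result == "ok":
            return f"{pin:04d}", attempts, "cracked"
        if result == "locked":
            return None, attempts, "locked out"
    return None, attempts, "exhausted"


def demo():
    """Run the same attack against a gate without and with the lockout."""
    creds = {"123456789": ("owner@example.com", "4821")}   # constructed test account
    outbox = []
    unprotected = LoginGate(creds, lambda to, body: None, max_failures=None)
    protected = LoginGate(creds, lambda to, body: outbox.append((to, body)))
    return (brute_force_pin(unprotected, "123456789"),
            brute_force_pin(protected, "123456789"),
            outbox)
```

Two caveats a practitioner would add. A per-account lockout is itself a denial-of-service lever (three wrong guesses block the real owner for an hour), so it belongs alongside per-IP and per-device throttling rather than instead of them. And it only caps guesses against one account: an attacker who tries a single common PIN across thousands of member numbers never trips the counter on any of them, which is why the post's other recommendation, replacing number-plus-PIN with a username and password, matters more than the lockout.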
#54
Globalist
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,361
Another step HHonors could take to prevent points from being stolen is to require email validation of any redemptions besides stays (since those can be easily fixed and aren't what hackers go for anyways).
User tries to redeem points for merchandise -> email confirmation goes to account on file -> redemption is only completed after the confirmation is completed.
Obviously, this also requires putting a temporary hold on non-stay redemptions of accounts that change email addresses and notifying the original email address if the address is changed.
I'm hoping for this: https://www.grc.com/sqrl/sqrl.htm
Yes, the 2FA theorists forget that if people won't adopt a new protocol voluntarily, it will fail, regardless of its technological brilliance. (See Windows 8.) And as the people behind HHonors.com have been unable to make the "Remember Me" button work since 1998, I share your lack of faith that they can possibly succeed here anyway.
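The redemption flow proposed in post #54 (email confirmation for non-stay redemptions, a hold on those redemptions after an email change, and a notice to the old address), as an added example written for this page rather than code from the thread or from Hilton. The length of the hold window, the account data and the send_mail callback are assumptions; the post gives no numbers.

```python
import secrets
import time

# Assumed hold window after a contact-email change; the post names no duration.
EMAIL_CHANGE_HOLD_SECONDS = 7 * 24 * 3600


class RedemptionGuard:
    """Hypothetical illustration of the post's flow. `send_mail(to, body)` is supplied
    by the caller; `clock` is injectable so the hold window can be tested."""

    def __init__(self, send_mail, clock=time.time):
        self._send_mail = send_mail
        self._clock = clock
        self._accounts = {}   # account_id -> {"email", "points", "email_changed_at"}
        self._pending = {}    # confirmation token -> (account_id, kind, cost)

    def add_account(self, account_id, email, points):
        self._accounts[account_id] = {"email": email, "points": points, "email_changed_at": None}

    def points(self, account_id):
        return self._accounts[account_id]["points"]

    def change_email(self, account_id, new_email):
        """Swap the address on file and tell the *old* address it happened."""
        acct = self._accounts[account_id]
        old = acct["email"]
        acct["email"] = new_email
        acct["email_changed_at"] = self._clock()
        self._send_mail(old, f"Contact email for account {account_id} was changed to {new_email}; "
                             f"if this was not you, contact support")

    def request_redemption(self, account_id, kind, cost):
        """kind is 'stay' or anything else (merchandise, gift cards, ...).
        Stays complete at once, as the post says they can be reversed; everything else
        is parked until the token mailed to the address on file is presented."""
        acct = self._accounts[account_id]
        if cost > acct["points"]:
            return "insufficient_points", None
        if kind == "stay":
            acct["points"] -= cost
            return "completed", None
        changed = acct["email_changed_at"]
        if changed is not None and self._clock() - changed < EMAIL_CHANGE_HOLD_SECONDS:
            return "held_recent_email_change", None
        token = secrets.token_urlsafe(32)           # unguessable, single-use
        self._pending[token] = (account_id, kind, cost)
        self._send_mail(acct["email"], f"Confirm redemption of {cost} points for {kind}: {token}")
        return "pending_confirmation", token

    def confirm(self, token):
        """Complete a parked redemption. The token is consumed whether or not it succeeds."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return "unknown_token"
        account_id, kind, cost = entry
        acct = self._accounts[account_id]
        if cost > acct["points"]:
            return "insufficient_points"
        acct["points"] -= cost
        return "completed"


def demo():
    """Legitimate merchandise redemption, then an account takeover that swaps the email."""
    outbox = []
    now = [0.0]
    g = RedemptionGuard(lambda to, body: outbox.append((to, body)), clock=lambda: now[0])
    g.add_account("123456789", "owner@example.com", 100_000)     # constructed test account
    status, token = g.request_redemption("123456789", "merchandise", 20_000)
    legitimate = (status, g.confirm(token), g.points("123456789"))
    # Attacker with the credentials changes the address, then tries to cash out.
    g.change_email("123456789", "attacker@example.invalid")
    takeover_status, _ = g.request_redemption("123456789", "merchandise", 80_000)
    return legitimate, takeover_status, outbox
```

The token only protects what the mailbox protects: if the attacker already controls the owner's email, confirmation adds nothing, which is why the hold after an address change and the notice to the previous address are the parts of the post that actually bite. A production version would also expire pending tokens and rate-limit confirmation attempts; both are left out here to keep the flow readable.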
#55
Join Date: May 2012
Programs: Hilton Diamond DL Platinum UA 1K, DL Gold, Marriott Gold
Posts: 500
Worst IT department in the industry by far. They can't even figure out how to save AAA numbers but this recent thing is a real mess. I was unable to log in and they told me no such email existed etc etc etc.
I call the Diamond Desk and they have wrong address, wrong email etc etc etc and they have no idea what is going on. I had to call them from Thailand on my dime and they are totally incompetent.
This captcha thing may be a good idea but how about making it big enough so these 69-year-old eyes can read it. 1/2 the size of any other company I have seen it used. And of course the website again.
In 5 years with Marriott, I have never found the website down or any of these other ridiculous shortcomings.
You are the biggest Hilton, why don't you hire someone in the IT department that knows what they are doing.
Oh and by the way 3 days later I still have no email from the Diamond Desk as promised.
Hilton Joke Company
Last edited by kapkap46; Oct 12, 2014 at 4:17 am
#56
FlyerTalk Evangelist
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,714
How do you feel about airport security? I assume you've also switched to 100% checkpoint-free Greyhound.
#57
FlyerTalk Evangelist
Join Date: Jul 1999
Location: Ewa Beach, Hawaii
Posts: 10,899
Another step HHonors could take to prevent points from being stolen is to require email validation of any redemptions besides stays (since those can be easily fixed and aren't what hackers go for anyways).
User tries to redeem points for merchandise -> email confirmation goes to account on file -> redemption is only completed after the confirmation is completed.
Obviously, this also requires putting a temporary hold on non-stay redemptions of accounts that change email addresses and notifying the original email address if the address is changed.
I'm hoping for this: https://www.grc.com/sqrl/sqrl.htm
#59
FlyerTalk Evangelist
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
reCaptcha is a "BOT" defense to be used on user sign-up pages to keep "BOTS" from signing up to spam the site. The use of reCaptcha on a LOGIN page will only slightly slow the hacker down. Getting rid of all pins and using passwords will not put a major disturbance in the customers' experience on the HHonors site. As for me, the disruption caused by the reCaptcha on the login page of HHonors is a deal breaker. I and my 270 days a year account will have to find another chain, if recaptcha is not gone from the login page in a week. If the Hilton IT team thinks that reCaptcha stops hackers then my credit card info is in the wrong hands.
#60
Company Representative - Honors by Hilton
Join Date: Aug 2009
Programs: Hilton Honors
Posts: 1,516
Hi everyone,
We did recently update our website to include a CAPTCHA system, a protective measure that will help authenticate your Hilton HHonors account.
This is a commonly used security measure across many industries and is meant to serve as an extra step to further secure your HHonors account.
Thanks!
Erin