
Consolidated "CAPTCHA for logging in?" thread

Old Oct 22, 2014, 4:27 pm
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: davie355
HHonors Sign In (if the link has disappeared)

https://secure3.hilton.com/en/hh/customer/login/index.htm

Old Oct 10, 2014, 5:49 pm
  #46  
Suspended
 
Join Date: Feb 2003
Posts: 8,135
Originally Posted by txflyer77
Absolutely, it's a real threat. I run a public-facing website that holds significant personal information on our users and we see all sorts of bots trying to brute force their way in. And we're nowhere near the size of HHonors.

Besides spending points on merchandise, there's also the potential for targeted attacks against specific people in order to figure out where they're staying.

That said, the captcha isn't the solution. Passwords are the solution (plus various tricks to slow down bots).
Like rate-limiting, presumably, which gets you the locked-out-user problem.
beltway is offline  
Old Oct 10, 2014, 9:33 pm
  #47  
FlyerTalk Evangelist
 
Join Date: Mar 2008
Location: body: A stone's throw from SFO, mind: SE Asia
Programs: Some of this 'n some of that
Posts: 17,263
Initially I was getting the 2 words, one of which was impossible to decipher. More recently the image has almost consistently been a number.
dsquared37 is offline  
Old Oct 11, 2014, 6:04 am
  #48  
 
Join Date: Apr 2003
Location: Ontario, Canada
Posts: 972
Why is the resident HH rep not explaining this nonsense on this thread? Why does a corporation of Hilton's size have such a useless website that is constantly throwing obstacles at its customers?

I have none of these problems with my airline sites or their FF sites. It is truly frustrating in the extreme to constantly go through this nonsense while trying to act as a frequent and loyal Hilton customer.

What is the point of a password if you have to go thru this CAPTCHA idiocy every time you log in?
jimmac is offline  
Old Oct 11, 2014, 9:08 am
  #49  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,714
Originally Posted by txflyer77
Passwords are the solution (plus various tricks to slow down bots).
Originally Posted by jimmac
What is the point of a password if you have to go thru this CAPTCHA idiocy every time you log in?
Passwords are actually obsolete and an ineffectual security solution. Most people use obvious ones or never change them. The big cyber security thinkers are nudging the world toward some kind of dual-factor authentication, mixing a biometric factor and a data factor, but it's hard to come up with a solution that's less user-onerous in practice than a login/password.

CAPTCHA roadblocks are crude and primitive and not a long-term answer, but until something user-friendly on the dual-factor front is figured out they help keep hacker bots at bay.

The mega-question here, of course, is why the Hilton and HHonors websites are such perpetual train wrecks. People have been noting serious bugs and failures and whatnot in this forum for literally 15 years, and they are never addressed. All they do is window-dressing -- slap a bigger (and functionally useless) image on the front page, etc.
BearX220 is offline  
Old Oct 11, 2014, 9:39 am
  #50  
 
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,361
Originally Posted by BearX220
Passwords are actually obsolete and an ineffectual security solution. Most people use obvious ones or never change them. The big cyber security thinkers are nudging the world toward some kind of dual-factor authentication, mixing a biometric factor and a data factor, but it's hard to come up with a solution that's less user-onerous in practice than a login/password.

CAPTCHA roadblocks are crude and primitive and not a long-term answer, but until something user-friendly on the dual-factor front is figured out they help keep hacker bots at bay.

The mega-question here, of course, is why the Hilton and HHonors websites are such perpetual train wrecks. People have been noting serious bugs and failures and whatnot in this forum for literally 15 years, and they are never addressed. All they do is window-dressing -- slap a bigger (and functionally useless) image on the front page, etc.
I agree totally. My point was that passwords are better than PINs, not that they are better than 2FA. Unfortunately, if people are this mad about CAPTCHAs, I don't see them being any happier about two-factor. Nor do I see HHonors implementing it correctly.

That's how you end up with this: http://thedaily....com/Articles/Secu..._Oblivity.aspx
txflyer77 is offline  
Old Oct 11, 2014, 10:43 am
  #51  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,714
Originally Posted by txflyer77
Unfortunately, if people are this mad about CAPTCHAs, I don't see them being any happier about two-factor.
Yes, the 2FA theorists forget that if people won't adopt a new protocol voluntarily, it will fail, regardless of its technological brilliance. (See Windows 8.) And as the people behind HHonors.com have been unable to make the "Remember Me" button work since 1998, I share your lack of faith that they can possibly succeed here anyway.
BearX220 is offline  
Old Oct 11, 2014, 5:11 pm
  #52  
 
Join Date: Oct 2014
Posts: 1
Captcha is being misused by Hilton

reCaptcha is a "BOT" defense to be used on user sign-up pages to keep "BOTS" from signing up to spam the site. The use of reCaptcha on a LOGIN page will only slightly slow the hacker down. Getting rid of all pins and using passwords will not put a major disturbance in the customers' experience on the HHonors site. As for me, the disruption caused by the reCaptcha on the login page of HHonors is a deal breaker. I and my 270 days a year account will have to find another chain, if recaptcha is not gone from the login page in a week. If the Hilton IT team thinks that reCaptcha stops hackers then my credit card info is in the wrong hands.
jtuttle is offline  
Old Oct 11, 2014, 9:32 pm
  #53  
Hilton Contributor Badge
 
Join Date: Jan 2009
Location: Singapore
Programs: HHonors Diamond; A3 *Nothing ; BA Exec. Club Gold
Posts: 1,687
Originally Posted by jtuttle
reCaptcha is a "BOT" defense to be used on user sign-up pages to keep "BOTS" from signing up to spam the site. The use of reCaptcha on a LOGIN page will only slightly slow the hacker down. Getting rid of all pins and using passwords will not put a major disturbance in the customers' experience on the HHonors site. As for me, the disruption caused by the reCaptcha on the login page of HHonors is a deal breaker. I and my 270 days a year account will have to find another chain, if recaptcha is not gone from the login page in a week. If the Hilton IT team thinks that reCaptcha stops hackers then my credit card info is in the wrong hands.
The hyperbole is strong in this one.

A significant number of accounts were hacked and huge numbers of points and data were taken. I am happy that HH acted relatively quickly and added what I assume is a temporary security step.

A key 3rd step is to block accounts for an hour if 3 false attempts were made to login and to trigger an automatic email to the account owner. This will make sure that besides bots also the sweatshop kids won't be able to try 9999 times to get access.

Going forward the membership number with pin login type should be abandoned. At least a user name with password is a lot less structured and a simple systematic trying of 4 numbers won't work. Still keep the notification when password failures occur.

Globalist
Globalist is offline  
Old Oct 11, 2014, 9:59 pm
  #54  
 
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,361
Another step HHonors could take to prevent points from being stolen is to require email validation of any redemptions besides stays (since those can be easily fixed and aren't what hackers go for anyways).

User tries to redeem points for merchandise -> email confirmation goes to account on file -> redemption is only completed after the confirmation is completed.

Obviously, this also requires putting a temporary hold on non-stay redemptions of accounts that change email addresses and notifying the original email address if the address is changed.

Originally Posted by BearX220
Yes, the 2FA theorists forget that if people won't adopt a new protocol voluntarily, it will fail, regardless of its technological brilliance. (See Windows 8.) And as the people behind HHonors.com have been unable to make the "Remember Me" button work since 1998, I share your lack of faith that they can possibly succeed here anyway.
I'm hoping for this: https://www.grc.com/sqrl/sqrl.htm
txflyer77 is offline  
Old Oct 12, 2014, 4:07 am
  #55  
 
Join Date: May 2012
Programs: Hilton Diamond DL Platinum UA 1K, DL Gold, Marriott Gold
Posts: 500
Worst IT department in the industry by far. They can't even figure out how to save AAA numbers but this recent thing is a real mess. I was unable to log in and they told me no such email existed etc etc etc.

I call the Diamond Desk and they have wrong address, wrong email etc etc etc and they have no idea what is going on. I had to call them from Thailand on my dime and they are totally incompetent.

This captcha thing may be a good idea but how about making it big enough so these 69 year old eyes can read it. 1/2 the size of any other company I have seen it used. And of course the website again.

In 5 years with Marriott, I have never found the website down or any of these other ridiculous shortcomings.

You are the biggest Hilton, why don't you hire someone in the IT department that knows what they are doing.

Oh and by the way 3 days later I still have no email from the Diamond Desk as promised.

Hilton Joke Company

Last edited by kapkap46; Oct 12, 2014 at 4:17 am
kapkap46 is offline  
Old Oct 12, 2014, 9:13 am
  #56  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,714
Originally Posted by jtuttle
As for me, the disruption caused by the reCaptcha on the login page of HHonors is a deal breaker. I and my 270 days a year account will have to find another chain, if recaptcha is not gone from the login page in a week.
Seems like a pretty trivial motive to divert 270 days of business elsewhere -- especially as CAPTCHA, while crude and momentarily annoying, is there to protect you.

How do you feel about airport security? I assume you've also switched to 100% checkpoint-free Greyhound.
BearX220 is offline  
Old Oct 12, 2014, 11:01 am
  #57  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Location: Ewa Beach, Hawaii
Posts: 10,899
Originally Posted by txflyer77
Another step HHonors could take to prevent points from being stolen is to require email validation of any redemptions besides stays (since those can be easily fixed and aren't what hackers go for anyways).

User tries to redeem points for merchandise -> email confirmation goes to account on file -> redemption is only completed after the confirmation is completed.

Obviously, this also requires putting a temporary hold on non-stay redemptions of accounts that change email addresses and notifying the original email address if the address is changed.

I'm hoping for this: https://www.grc.com/sqrl/sqrl.htm
What is to stop the hacker from changing the email address to some free non-traceable one once hacked in? Get the confirmation email, confirm the spend then change it to some random email address. They need to make it so no profile info can change without confirmation from the current email/sms# on file and if it doesn't exist anymore you call in and they ask identifying questions before they will make any changes.
Baze is offline  
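The flow txflyer77 sketches in #54 (email confirmation before a non-stay redemption completes, a hold after an address change, notice to the old address) and Baze's refinement in #57 (a profile change itself has to be approved from the address currently on file) can be pinned down as a small state machine. The following is an added illustration and is not code from FlyerTalk, from the posters, or from Hilton; the 72-hour hold length, the one-time tokens, the in-memory `Store` that stands in for the mail gateway, and the use of plain seconds for time are all assumptions made for the example.

```python
"""Confirmation flow for non-stay redemptions, with a hold after an email change.

Added example, not FlyerTalk's or Hilton's code. The 72-hour hold,
the token handling and the in-memory "mail" log are assumptions made
for this example; times are plain seconds so the flow is easy to replay.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

EMAIL_CHANGE_HOLD_SECS = 72 * 3600   # assumed hold on non-stay redemptions after an email change


@dataclass
class Account:
    number: str
    email: str
    points: int
    email_changed_at: Optional[float] = None
    pending_email: Optional[str] = None


@dataclass
class Store:
    """Stand-in for the mail gateway and the pending-confirmation tables."""
    sent_mail: list = field(default_factory=list)       # (to, subject)
    redemptions: dict = field(default_factory=dict)     # token -> (account, kind, points)
    email_changes: dict = field(default_factory=dict)   # token -> account


def request_redemption(acct, kind, points, store, now):
    """Stays complete at once; anything else waits for the email on file to confirm."""
    if points > acct.points:
        return "insufficient points"
    if kind == "stay":
        acct.points -= points
        return "completed"
    # Non-stay redemptions are held while the address is freshly changed.
    if acct.email_changed_at is not None and now - acct.email_changed_at < EMAIL_CHANGE_HOLD_SECS:
        return "held: email recently changed"
    token = secrets.token_urlsafe(16)
    store.redemptions[token] = (acct, kind, points)
    store.sent_mail.append((acct.email, f"confirm {kind} redemption of {points} points"))
    return "pending:" + token


def confirm_redemption(token, store):
    """Complete a redemption; each token works exactly once."""
    entry = store.redemptions.pop(token, None)
    if entry is None:
        return "unknown or already used token"
    acct, kind, points = entry
    if points > acct.points:
        return "insufficient points"
    acct.points -= points
    return "completed"


def request_email_change(acct, new_email, store):
    """Only propose the change; approval must come from the current address."""
    acct.pending_email = new_email
    token = secrets.token_urlsafe(16)
    store.email_changes[token] = acct
    store.sent_mail.append((acct.email, "approve email address change"))
    return token


def confirm_email_change(token, store, now):
    """Apply an approved change, notify the old address, and start the hold."""
    acct = store.email_changes.pop(token, None)
    if acct is None or acct.pending_email is None:
        return "unknown or already used token"
    old = acct.email
    acct.email, acct.pending_email = acct.pending_email, None
    acct.email_changed_at = now
    store.sent_mail.append((old, "your email address was changed"))
    return "email changed"
```

The point Baze raises is handled by `request_email_change` sending its approval link to the address already on file rather than to the new one, and by `request_redemption` refusing non-stay redemptions until the hold after a confirmed change has elapsed, so a freshly substituted address cannot be used to approve a spend.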
Old Oct 12, 2014, 1:56 pm
  #58  
In Memoriam
 
Join Date: Jul 2001
Posts: 35,555
Originally Posted by kapkap46
Worst IT department in the industry by far....
BS.. try IHG for a week. @:-)
underpressure is offline  
Old Oct 13, 2014, 3:09 pm
  #59  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
Originally Posted by jtuttle
reCaptcha is a "BOT" defense to be used on user sign-up pages to keep "BOTS" from signing up to spam the site. The use of reCaptcha on a LOGIN page will only slightly slow the hacker down. Getting rid of all pins and using passwords will not put a major disturbance in the customers' experience on the HHonors site. As for me, the disruption caused by the reCaptcha on the login page of HHonors is a deal breaker. I and my 270 days a year account will have to find another chain, if recaptcha is not gone from the login page in a week. If the Hilton IT team thinks that reCaptcha stops hackers then my credit card info is in the wrong hands.
Simple solution that provides more security: once getting too many attempts that fail (for an account, from an IP, whatever), then start requiring Captcha. (Yes, this won't stop a concerted distributed attack, unless they can discern other characteristics to compare. They can, many exist, but it's better not to mention them publicly.)
sethb is offline  
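Globalist's suggestion in #53 (lock the account for an hour after 3 failed attempts and email the owner) and sethb's in #59 (demand a CAPTCHA only once too many failures have come from an account or an IP) are two halves of the same login throttle. The code below is an added example written for this thread, not code from FlyerTalk, from either poster, or from Hilton; the per-IP threshold of 10, the 10-minute counting window, the `LoginGuard` name and the constructed attempt log are assumptions, while the 3-failure account lock and the one-hour duration follow Globalist's post.

```python
"""Login throttling: per-account lockout with owner notification, plus a
per-IP CAPTCHA step-up once an address racks up failures.

Added example, not FlyerTalk's or Hilton's code. Thresholds, window
length and the event format are assumptions chosen for the example.
"""
from collections import defaultdict, deque

ACCOUNT_FAILS = 3          # failures before the account locks (Globalist's suggestion)
ACCOUNT_LOCK_SECS = 3600   # one-hour lock (Globalist's suggestion)
IP_FAILS = 10              # assumed: failures from one IP before a CAPTCHA is demanded
WINDOW_SECS = 600          # assumed: failures older than this no longer count


class LoginGuard:
    def __init__(self):
        self.acct_fail = defaultdict(deque)   # account -> timestamps of recent failures
        self.ip_fail = defaultdict(deque)     # ip -> timestamps of recent failures
        self.locked_until = {}                # account -> time the lock expires
        self.notices = []                     # (account, message) emails that would be sent

    @staticmethod
    def _recent(q, now):
        """Drop failures outside the window and return how many remain."""
        while q and now - q[0] > WINDOW_SECS:
            q.popleft()
        return len(q)

    def decide(self, account, ip, now):
        """What the login page should do before it even checks the credential."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if self._recent(self.ip_fail[ip], now) >= IP_FAILS:
            return "captcha"
        return "allow"

    def record(self, account, ip, now, success, captcha_ok=True):
        """Feed one attempt's outcome; returns the decision applied to it."""
        decision = self.decide(account, ip, now)
        if decision == "locked":
            return "locked"
        if decision == "captcha" and not captcha_ok:
            return "captcha"
        if success:
            self.acct_fail[account].clear()
            return "success"
        self.acct_fail[account].append(now)
        self.ip_fail[ip].append(now)
        if self._recent(self.acct_fail[account], now) >= ACCOUNT_FAILS:
            self.locked_until[account] = now + ACCOUNT_LOCK_SECS
            self.acct_fail[account].clear()
            self.notices.append((account, "3 failed logins; account locked for an hour"))
            return "locked"
        return "failed"


def replay(events, guard=None):
    """Run a list of (account, ip, time, success) attempts through one guard."""
    guard = guard or LoginGuard()
    return [guard.record(*e) for e in events]


# Constructed sample: three wrong PINs against one account from one address,
# the right PIN on the fourth try, then the owner signing in after the lock expires.
SAMPLE_EVENTS = [
    ("123456789", "203.0.113.7", 0, False),
    ("123456789", "203.0.113.7", 1, False),
    ("123456789", "203.0.113.7", 2, False),     # third failure: lock + email to owner
    ("123456789", "203.0.113.7", 3, True),      # correct credential, but the account is locked
    ("123456789", "198.51.100.2", 3700, True),  # owner, after the hour has passed
]

if __name__ == "__main__":
    g = LoginGuard()
    print(replay(SAMPLE_EVENTS, g))   # ['failed', 'failed', 'locked', 'locked', 'success']
    print(g.notices)
```

Two points the replay makes concrete: a correct credential submitted during the lock is still refused, which is what stops a systematic run through 4-digit PINs, and the per-IP counter is kept separately from the per-account one, so an address that spreads its failures over many accounts still ends up facing the CAPTCHA while a legitimate user on a clean address never sees it. As sethb notes, a distributed attack needs further signals; this guard only covers the two he names.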
Old Oct 14, 2014, 9:15 am
  #60  
Company Representative - Honors by Hilton
 
Join Date: Aug 2009
Programs: Hilton Honors
Posts: 1,516
Hi everyone,

We did recently update our website to include a CAPTCHA system, a protective measure that will help authenticate your Hilton HHonors account.

This is a commonly used security measure across many industries and is meant to serve as an extra step to further secure your HHonors account.

Thanks!
Erin
Hilton Honors Ambassador is offline  
