4 digit PIN web login is highly insecure
As a PMUA 1K for many years, I'm very surprised the new web site allows a 4 digit numeric PIN for web login passwords. I've found no way to disable PIN passwords for login, and I haven't found a way to make the PIN longer than 4 digits or make it non-numeric. I guess other airlines (CO, AA etc) do it this way.
According to the online help pages, web logins are disabled for 4 hours after 5 unsuccessful attempts. So you can make 4 attempts every 4 hours, or 24 per day, without anyone noticing. 5000 attempts takes about 7 months (average time to break into an account) and 10,000 attempts takes 14 months.
Unless I'm missing something, it would be quite trivial to set up a set of computers to break into every ual.com MP account in 14 months by simply trying every PIN on a large set of randomly generated account numbers. Perhaps the account numbers themselves are sparse, so that might provide some benefit to security (i.e., if you randomly generate a long list of MP account numbers, how many of them will be valid?).
I sent an email to 1kvoice several weeks ago but of course there hasn't been a reply.
Does anyone know a solution (e.g., disable PIN logins)?
- perlcoder
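An added example (my own code, not the poster's and not anything from the airline's site) that works through the post's arithmetic as a reusable risk model and shows the defender's side: a lockout policy only caps the rate, so the check that actually catches pacing of this kind is a per-account failure count over a span longer than the lockout window. The policy figures (4 usable attempts per 4-hour lockout), the log line format, the account ids and the source IP are all constructed assumptions.

```python
"""Constructed example (not the airline's code): quantify how much a lockout
policy slows online PIN guessing, and flag the low-and-slow pattern that
stays under the lockout threshold. Policy numbers follow the post."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    usable_attempts: int  # failed attempts available before lockout
    window_hours: float   # how long the account then stays locked

    def attempts_per_day(self) -> float:
        return self.usable_attempts * 24.0 / self.window_hours


def credential_space(length: int, alphabet: int = 10) -> int:
    """Possible secrets: 10**4 for a 4-digit numeric PIN."""
    return alphabet ** length


def days_to_exhaust(policy: LockoutPolicy, length: int, alphabet: int = 10) -> float:
    """Worst case for one account: every candidate tried once."""
    return credential_space(length, alphabet) / policy.attempts_per_day()


def expected_days(policy: LockoutPolicy, length: int, alphabet: int = 10) -> float:
    """Average case for a uniformly chosen secret: half the space."""
    return days_to_exhaust(policy, length, alphabet) / 2


def constructed_log(account: str, per_day: int, days: int, src: str = "203.0.113.5"):
    """Constructed auth log: a guesser pacing itself at per_day failures/day."""
    start, step = datetime(2024, 1, 1), timedelta(hours=24 / per_day)
    return [f"{(start + step * i).isoformat()} FAIL account={account} src={src}"
            for i in range(per_day * days)]


def flag_slow_guessing(log_lines, max_failures: int = 20):
    """Count FAIL lines per account across a span longer than the lockout
    window (a week of log, say): a real user rarely fails 20 times a week,
    while a guesser pacing itself at 24/day never drops below that."""
    failures = defaultdict(int)
    for line in log_lines:
        _ts, outcome, acct, _src = line.split()
        if outcome == "FAIL":
            failures[acct.split("=", 1)[1]] += 1
    return sorted(a for a, n in failures.items() if n > max_failures)
```

Under the post's policy, `expected_days(LockoutPolicy(4, 4), 4)` comes out near 208 days and the worst case near 417, matching the 7 and 14 months above; the same policy with a 6-digit PIN pushes the worst case past 100 years, which is the lever the post is asking for.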