Originally Posted by aaupgrade
Marriott not requiring passwords to be case sensitive is totally against IT best practices.
Case-insensitive passwords aren't a huge problem. (It's about the same as a password one letter shorter.) American Express does the same thing. (IHG doesn't even do passwords, just four-digit PIN numbers, with the obvious result.)
As others have noted, emailing password is also against IT best practices.
Yes, this is the really stupid part.
Originally Posted by joshua362
When sites force you to change a password, they normally lock you out until you select another of your choosing.
That's probably the main concern. If they did a standard password reset (where the old password stops working immediately) then customers without access to their email account (while traveling in a foreign country) would be up the creek if anyone reset their password.