Originally Posted by
Eric Westby
No, both password and PIN are always enabled at present.
On the plus side, the website is designed not to allow brute force guessing, so it's not as if someone could run a simple script to log into your account. Still, I'm with you in hoping PINs are removed from the new site when it launches later this year.
Compromised accounts come from brute forcing or password lists against an offline copy of the accounts database usually acquired through some other exploit.
So while no one is attacking your account with the live United system (and getting locked out), if anyone gets the password tables (even if hashed and salted) pins are trivial to break.
And most companies like to not disclose unauthorized access to these credentials.
Four digit credentials are terrible. Period.