FlyerTalk Forums - Loyalty programmes hacked - could Aeroplan be next?
Mar 31, 2015 | 9:58 am, post #11
jaysona
 
Join Date: Aug 2010
Location: Why? Why? Zed! / Why? You? Elle! / Gee! Are You!
Programs: Irrelevant
Posts: 3,543
Originally Posted by ffsim
Right... by not designing their websites to accept complex passwords, they're shouting "we don't care about security"
Uhm, so, as much as I really don't think too highly of the general state of IT affairs at AC and AP, this is one area I'm willing to cut them a little (albeit extremely little) slack on.

I don't think it's really an issue of the website; it's more an issue of some back-end systems that aren't capable of processing a password that uses characters other than the 7-bit ASCII character set. You'd be surprised how many systems still in use today are not capable of processing a username/password made of UTF-8 characters.

Keep in mind that the Aeroplan number and password are used to control access to many different systems within both AC and AP besides just website access.

Originally Posted by 24left
After Hilton got hacked, they added CAPTCHA and offered members 1,000 HHonors points for updating their passwords. Maybe it is an improvement, who really knows.
CAPTCHA is pretty much useless when it comes to thwarting a machine; there are massive botnets dedicated to thwarting (quite successfully) CAPTCHA. CAPTCHA provides nothing more than a warm and fuzzy feeling of a false sense of security for the naive and ignorant, and is a real annoyance to the rest of us.

Originally Posted by superangrypenguin
They need to move to two factor authentication as much as I hate it.
I kinda like where 2-factor has gone with the likes of Google, Twitter, Facebook, etc. You use a 2nd code to log in once, and then as long as the same PC/browser is used, no follow-up 2-factor authentication is asked for.

I routinely get notices of rogue access attempts from various places around the world on my various accounts every month. I don't really think much of it, since I'll get notified if a new browser is used to log in to my account, and this is something AC/AP could implement with little pain and effort compared to having to upgrade the legacy systems in the background.
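As an added illustration (not code from this thread, nor from Air Canada or Aeroplan) of the "remembered browser" second factor and the new-device notice described in the post above: the server issues an HMAC-signed device cookie once a one-time code has been verified, skips the code prompt while that cookie is valid, and records a notification whenever a sign-in completes from a browser it has not seen before or a password check fails. The server key, the 30-day trust window, the user record, the token format and the notification list are all constructed for the example; the one-time code is HOTP/TOTP per RFC 4226/6238, which the example implements rather than taking from a library.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; a real deployment keeps the key in a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
DEVICE_TRUST_TTL = 30 * 24 * 3600   # assumed policy: remember a browser for 30 days


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP per RFC 6238: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_token(user_id: str, device_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Signed 'remembered device' cookie in the constructed form user|device|expiry|HMAC."""
    payload = f"{user_id}|{device_id}|{now + DEVICE_TRUST_TTL}"
    return f"{payload}|{_sign(payload, key)}"


def verify_device_token(token, now: int, key: bytes = SERVER_KEY):
    """Return (user_id, device_id) if the token is authentic and unexpired, else None."""
    parts = token.split("|") if isinstance(token, str) else []
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    user_id, device_id, exp, mac = parts
    if not hmac.compare_digest(mac, _sign("|".join(parts[:3]), key)):
        return None            # forged or tampered cookie
    if int(exp) < now:
        return None            # trust window has lapsed; ask for the code again
    return user_id, device_id


class AuthService:
    """Toy login service: password + TOTP, with remembered devices and sign-in notices."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.users = {}          # user_id -> {"salt", "pw_hash", "totp_secret"}
        self.known_devices = {}  # user_id -> set of device ids that completed the second factor
        self.notifications = []  # (user_id, message) the site would e-mail to the member

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        # Hashing the UTF-8 bytes means the stored credential is always binary; the
        # character-set limit only matters where plaintext must be passed to a legacy system.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, user_id: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "pw_hash": self._hash_pw(password, salt),
                               "totp_secret": totp_secret}
        self.known_devices[user_id] = set()

    def login(self, user_id: str, password: str, now: int, otp=None, device_token=None):
        """Return (status, device_token); status is 'denied', 'needs_otp' or 'ok'."""
        rec = self.users.get(user_id)
        if rec is None or not hmac.compare_digest(self._hash_pw(password, rec["salt"]), rec["pw_hash"]):
            self.notifications.append((user_id, "failed sign-in attempt"))
            return "denied", None
        # Remembered browser: a valid cookie bound to this user skips the code prompt.
        claim = verify_device_token(device_token, now, self.key) if device_token else None
        if claim and claim[0] == user_id:
            return "ok", device_token
        # New, expired or tampered cookie: require the second factor.
        if otp is None or not hmac.compare_digest(otp, totp(rec["totp_secret"], now)):
            return "needs_otp", None
        # Second factor passed: mint a device id, remember it, and notify the member.
        device_id = secrets.token_hex(8)
        self.known_devices[user_id].add(device_id)
        self.notifications.append((user_id, f"new sign-in from device {device_id}"))
        return "ok", issue_device_token(user_id, device_id, now, self.key)
```

The TOTP check here accepts only the current 30-second step; production code usually allows one step of clock skew. Note that the device cookie is itself a bearer credential, so it gets the same HttpOnly/Secure cookie treatment as a session cookie and should be revocable from the account's device list.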