FlyerTalk Forums - View Single Post - S7 BAEC redemptions no longer available online.
Jul 12, 2016 | 1:21 pm
  #7  
strichener
 
Join Date: Nov 2014
Posts: 935
Originally Posted by corporate-wage-slave
From what I've understood, the main cause is people using the same password on BA.com as in some other application, be it LinkedIn, an email account, Amazon or some other travel application. The latter is particularly easy if people leave their PNRs and/or BAEC numbers lying around. It's not really brute force any more, and there are now various blockers on that. I very much doubt people who have a dedicated password for BA, changed regularly, involving at least 12 characters (ideally more), upper and lower case, numbers and symbols, are the issue here.

Edit: BA don't unfortunately allow symbols/non alphabetic/numeric characters, but they do allow uppercase/lowercase.
The point being made was that BA cannot ensure that people protect their accounts. Some things that could be done:

1. Allow extended characters in passwords.
2. Force passwords to be changed on a regular basis.
3. Increase the minimum and maximum length of passwords.
4. Use two factor authentication.
5. Periodically send an access code during the login process.

Just off the top of my head.