FlyerTalk Forums - View Single Post - Harebrained security change on the webpages
Old Mar 27, 2019, 5:29 am
ph-ndr
Harebrained security change on the webpages

I discovered that recently QR and other airlines are starting to make changes to their web pages. There's extensive use of captchas for browsers that deny them extensive tracking and fingerprinting, and now I had to reset my password and discovered QR has really done something outright stupid. The process to reset your password is now this:

1. Click the link to say you need to reset password.
2. Input your email/membership number.
3. QR resets your password and mails you a temporary password.

In case this isn't obvious, that means someone can perform a nice DoS on the whole customer base by simply requesting resets done for random users.

The right way is this:
1. Click the link to say you need to reset password.
2. Input your email/membership number.
3. QR website says "if you exist in our systems you will now get a link by email that will authenticate you and take you to a web page to deal with the password recovery".
4. Said link arrives by email.
5. You click it and you input your new password.

Now... if it had only been limited to this stupidity. Next up, once you go to input your password they have gone to extensive lengths to disable pasting of passwords. This means if you use a password manager and want to paste in your 24 character unique password, it can't be done. It has to be keyed in by hand. Twice. Guess what 99% of people do? Hint: it involves typing in bad passwords that shouldn't be used.

Bad QR!

Meh,
A
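The two reset flows the post contrasts, side by side in Python as an added example (not code from the post or from any airline's site): the account store, the mail outbox and the 15-minute link lifetime are constructed for the demonstration. The "bad" method overwrites the password on an unauthenticated request; the recommended method stores only a hash of a single-use token, answers identically whether or not the account exists, and touches the password only when the token comes back.

```python
import hashlib
import secrets
import time

RESET_TTL = 15 * 60  # reset links are honoured for 15 minutes only (constructed value)
GENERIC_MSG = "If that account exists, a password-recovery link has been emailed."

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self):
        self.accounts = {}      # constructed stand-in DB: email -> (salt, password_hash)
        self.reset_tokens = {}  # sha256(token) -> (email, expires_at)
        self.outbox = []        # (email, body) pairs the "mail server" would send

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, _hash_password(password, salt))

    def check_password(self, email, password):
        salt, stored = self.accounts[email]
        return secrets.compare_digest(stored, _hash_password(password, salt))

    def request_reset_bad(self, email):
        # Flow the post complains about: the request itself overwrites the password.
        if email in self.accounts:
            temp = secrets.token_urlsafe(8)
            self.register(email, temp)
            self.outbox.append((email, temp))
        return "A temporary password has been emailed."

    def request_reset(self, email, now=None):
        # Flow the post recommends: store only a hash of a single-use token; the
        # password is untouched until that token comes back from the mailbox.
        now = now if now is not None else time.time()
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.reset_tokens[digest] = (email, now + RESET_TTL)
            self.outbox.append((email, token))
        return GENERIC_MSG  # identical reply whether or not the account exists

    def complete_reset(self, token, new_password, now=None):
        now = now if now is not None else time.time()
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or entry[1] < now:  # unknown, already used, or expired
            return False
        self.register(entry[0], new_password)
        return True
```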