Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > Air Canada | Aeroplan

Epic Fail: AC makes me change password; Still accepts old one

Old Sep 5, 2018, 2:53 pm
  #1  
Original Poster
 
Join Date: Jul 2013
Location: MLL / AC Cafe
Programs: It's hard to get status when the website won't let me book flights.
Posts: 5,706
Epic Fail: AC makes me change password; Still accepts old one

So I'm actually amazed at the level of fail on the IT side here, and as such I wanted to share with everyone what I found with the recent password changes that were forced. As end users I feel it's only fair that people are made aware.

1) AC let me use the same old password that they forced me to change - this completely eliminates the effect of forcing me to change my password.

2) When logged in now after I changed to a new password, AC lets me use BOTH my OLD and NEW password to login. Yes, that's right! My old password and my new password both work when logging into my account with AC now.
  • This is amazing because the old one they forced me to change still works
  • This is amazing because I can log into my account using 2 different passwords
  • This is amazing because I might have changed my password for a reason (maybe it's been compromised), and this means that even if I, as the user, know my password is compromised, I cannot stop it from working.
I'm going to go cry in a corner on behalf of all IT security professionals now.
Sean Peever is offline  
Old Sep 5, 2018, 3:06 pm
  #2  
 
Join Date: Aug 2013
Location: YVR - MILLS Waypoint (It's the third house on the left)
Programs: AC*SE100K, wood level status in various other programs
Posts: 6,232
I can't repro - Is this on the app or the website?
Bohemian1 is online now  
Old Sep 5, 2018, 3:26 pm
  #3  
Original Poster
 
Join Date: Jul 2013
Location: MLL / AC Cafe
Programs: It's hard to get status when the website won't let me book flights.
Posts: 5,706
Originally Posted by Bohemian1
I can't repro - Is this on the app or the website?
website and app both accept old and new password for me.
Sean Peever is offline  
Old Sep 5, 2018, 3:33 pm
  #4  
A FlyerTalk Posting Legend
 
Join Date: Sep 2012
Location: SFO
Programs: AC SE MM, BA Gold, SQ Silver, Bonvoy Tit LTG, Hyatt Glob, HH Diamond
Posts: 44,331
Is this Mobile+ or your Aeroplan number login?

Mobile+ is not accepting my old password, and I wasn't forced to change my Aeroplan password.
canadiancow is offline  
Old Sep 5, 2018, 5:25 pm
  #5  
Original Poster
 
Join Date: Jul 2013
Location: MLL / AC Cafe
Programs: It's hard to get status when the website won't let me book flights.
Posts: 5,706
Originally Posted by canadiancow
Is this Mobile+ or your Aeroplan number login?

Mobile+ is not accepting my old password, and I wasn't forced to change my Aeroplan password.
mobile+. If the Aeroplan login was accepting the new password I just made up the other week for mobile+ that would be a whole new cluster F
Sean Peever is offline  
Old Sep 5, 2018, 5:53 pm
  #6  
 
Join Date: Jul 2016
Location: YYZ
Programs: Bonvoy LT Plat, Current Titanium, AC SE, x-SPG fanatic
Posts: 42
I just tried my mobile+
Couldn't replicate
Zeeflys is offline  
Old Sep 5, 2018, 5:57 pm
  #7  
 
Join Date: Jan 2016
Location: YYZ
Programs: Only J via Peasant Points, 777HDPeasant or The Unexpected Virtue of Ignorance and Narcissism.
Posts: 5,953
It might take some time to refresh... though for something like a password, you would think that's not the case.
Jumper Jack is offline  
Old Sep 5, 2018, 6:00 pm
  #8  
Original Poster
 
Join Date: Jul 2013
Location: MLL / AC Cafe
Programs: It's hard to get status when the website won't let me book flights.
Posts: 5,706
Originally Posted by Jumper Jack
It might take some time to refresh... though for something like a password, you would think that's not the case.
I did it the day I got the email a week ago - if it takes more than that to update..........

but - what I will say is the difference between the 2 passwords (since so many are trying to replicate) is that my new one has an extra special character ($) on the end.
Sean Peever is offline  
Old Sep 5, 2018, 8:19 pm
  #9  
 
Join Date: Feb 2005
Location: CLE, DCA, and 30k feet
Programs: Honors LT Diamond; United 1K; Hertz PC
Posts: 4,164
How long was your old password?

I have no experience with AC systems but I've seen some services that will allow you to enter a password of any length but will only use the first X (where X is commonly 8, 10, 12, or 16) characters for validation.

Some will also drop/ignore non-alphanumeric characters, but that's less common in my experience.
lincolnjkc is offline  
Old Sep 6, 2018, 12:13 am
  #10  
Original Member
 
Join Date: May 1998
Location: Vancouver, Canada
Posts: 6,222
So.... Wednesday, Then?
arf04 likes this.
KenHamer is offline  
Old Sep 6, 2018, 6:35 am
  #11  
 
Join Date: Jan 2016
Location: YYZ
Programs: FOTSG Tangerine Ex E35k (AC)
Posts: 5,612
Originally Posted by Jumper Jack
It might take some time to refresh... though for something like a password, you would think that's not the case.
Even if for some demented reason they are incapable of updating the password instantly it doesn’t explain why old and new would work.

I think them removing special chars/only comparing the first 8 chars is more likely. And of course doing a lowercase check.

I wonder if they do these hacks before or after encrypting it. Or perhaps they’re just not encrypting the passwords in their database, because why should they do that.
jc94 is offline  
Old Sep 6, 2018, 7:56 am
  #12  
 
Join Date: Apr 2016
Location: YYZ
Programs: TK *G
Posts: 3,099
It is likely that AC uses a hash algorithm that only hashes the first 8 or so digits of the password; this is very likely as the new password is just one extra character compared to the old one. Try changing that special character to something else, or add more characters. If the problem still exists, this is likely the cause.

On the other hand, if this is an example of birthday attack, whatever AC person looking at this better change the hash algorithm and/or salt ASAP.
songsc is offline  
Old Sep 6, 2018, 9:40 am
  #13  
 
Join Date: Feb 2004
Location: USA
Programs: AC SE100K, F9 100k, NK Gold, UA *S, Hyatt Glob, Bonvoy Titanium
Posts: 5,195
Originally Posted by jc94
I think them removing special chars/only comparing the first 8 chars is more likely. And of course doing a lowercase check.
If so everyone at AC needs to be fired in such a spectacular way that the entire internet makes a laughing stock of them.

The more I think of this, the more I can see the situation happening.

Take for example Aeroplan. I think it can only take 10 characters and no special characters. Now as bad as they are, at least they tell the end user this. If there is a regulatory requirement or scope of work policy for strong passwords then they blatantly (but publicly) fail.

Flip side, imagine programmers of an ancient/relic IT system (ahem--AC) want to disguise the real database problem or limitation without properly fixing things to bring it to Y2K standards.... Just ACCEPT as strong of a password the user inputs. Heck, even REQUIRE a strong password and pat yourself on the back. Ask your boss for raise since you enabled strong passwords in record time and within budget. Or so it seemed. What you really may have done was have the input script blow any hint of security by stripping out all the extra characters before it is saved or authenticated as a password to the database. (Why stop there? Why not convert input to all lowercase, strip out half the characters, remove any numbers, or just save the vowels.)

Maybe OP should be scolded for trying to hack the system by doing something as appalling as using a '$' in his password. The nerve of some people.

//time to rethink computer passwords. There are 3 possible responses. Valid password, invalid password, or "meh, close enough"

Last edited by expert7700; Sep 6, 2018 at 9:59 am
expert7700 is offline  
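As an added illustration (not code from this thread, and not Air Canada's or Aeroplan's own code, whose internals nobody posting here can see), the following Python contrasts the behaviour posts #9, #11 and #12 speculate about with what post #1 expected to happen. The "legacy" verifier strips non-alphanumerics, lowercases, and keeps only the first 8 characters before hashing (DES-based crypt(3) really did ignore everything after the eighth character, so the hypothesis is not far-fetched). The "proper" verifier feeds the whole password, with a per-user salt, into PBKDF2, and the change-password routine refuses to reuse the current password and makes the old one stop working. The sample passwords, the `Account` class and the function names are all made up for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# ---- Hypothesised legacy behaviour (constructed; what posts #9/#11/#12 guess at) ----
LEGACY_KEEP = 8  # assumption: only the first 8 characters ever reach the hash


def legacy_normalize(password: str) -> str:
    """Strip non-alphanumerics, lowercase, truncate: everything a legacy
    normaliser might do before the password is stored or checked."""
    stripped = re.sub(r"[^A-Za-z0-9]", "", password)
    return stripped.lower()[:LEGACY_KEEP]


def legacy_hash(password: str) -> str:
    # Unsalted SHA-1 over the normalised form: deliberately weak, this is the "before".
    return hashlib.sha1(legacy_normalize(password).encode("utf-8")).hexdigest()


def legacy_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password), stored)


# ---- Proper handling: the full password, per-user salt, slow KDF ----
PBKDF2_ITERS = 100_000  # kept low so the example runs quickly; use far more in production


def proper_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def proper_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def compare_schemes(old: str, new: str) -> Dict[str, bool]:
    """After a change from `old` to `new`, which passwords does each scheme still accept?"""
    legacy_stored = legacy_hash(new)
    proper_stored = proper_hash(new)
    return {
        "legacy_accepts_old": legacy_verify(old, legacy_stored),
        "legacy_accepts_new": legacy_verify(new, legacy_stored),
        "proper_accepts_old": proper_verify(old, proper_stored),
        "proper_accepts_new": proper_verify(new, proper_stored),
    }


# ---- A change-password flow that behaves the way post #1 expected ----
class Account:  # hypothetical stand-in for a user record
    def __init__(self, password: str) -> None:
        self.pw_hash = proper_hash(password)
        self.sessions = {"web", "app"}  # pretend two devices are logged in


def change_password(account: Account, current: str, new: str) -> bool:
    if not proper_verify(current, account.pw_hash):
        raise PermissionError("current password incorrect")
    if proper_verify(new, account.pw_hash):
        raise ValueError("new password must differ from the current one")
    account.pw_hash = proper_hash(new)  # fresh salt; old hash is gone
    account.sessions.clear()            # existing logins must re-authenticate
    return True


if __name__ == "__main__":
    OLD, NEW = "Sunflower2018", "Sunflower2018$"  # constructed sample passwords
    print(compare_schemes(OLD, NEW))
    # Post #12's diagnostic: with the legacy scheme, swapping the '$' or adding
    # characters changes nothing, because everything past the 8th character is dropped.
    print(legacy_verify("Sunflower2018#", legacy_hash(OLD)),
          legacy_verify("Sunflower2018extra", legacy_hash(OLD)))
```

Run it and the legacy dictionary entries both come back `True` for the old and the new password, while the PBKDF2 entries accept only the new one. The first check in `change_password` is what prevents the "I set the same password again" case from #1; the hash replacement plus session clearing is what makes the old password stop working everywhere, on the website and in the app alike.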
Old Sep 6, 2018, 11:19 am
  #14  
A FlyerTalk Posting Legend
 
Join Date: Sep 2012
Location: SFO
Programs: AC SE MM, BA Gold, SQ Silver, Bonvoy Tit LTG, Hyatt Glob, HH Diamond
Posts: 44,331
Originally Posted by jc94
I think them removing special chars/only comparing the first 8 chars is more likely. And of course doing a lowercase check.
The password is required to be 10+ and required to have special characters, so if they were doing that, it would affect literally everyone.
canadiancow is offline  
Old Sep 6, 2018, 11:32 am
  #15  
 
Join Date: Sep 2009
Location: YYZ
Programs: AC SE MM, Bonvoy Plat, Hilton G,Nexus, Amex MR Plat,IHG Plat
Posts: 4,426
Originally Posted by expert7700
If so everyone at AC needs to be fired in such a spectacular way that the entire internet makes a laughing stock of them.

The more I think of this, the more I can see the situation happening.

Take for example Aeroplan. I think it can only take 10 characters and no special characters. Now as bad as they are, at least they tell the end user this. If there is a regulatory requirement or scope of work policy for strong passwords then they blatantly (but publicly) fail.

Flip side, imagine programmers of an ancient/relic IT system (ahem--AC) want to disguise the real database problem or limitation without properly fixing things to bring it to Y2K standards.... Just ACCEPT as strong of a password the user inputs. Heck, even REQUIRE a strong password and pat yourself on the back. Ask your boss for raise since you enabled strong passwords in record time and within budget. Or so it seemed. What you really may have done was have the input script blow any hint of security by stripping out all the extra characters before it is saved or authenticated as a password to the database. (Why stop there? Why not convert input to all lowercase, strip out half the characters, remove any numbers, or just save the vowels.)

Maybe OP should be scolded for trying to hack the system by doing something as appalling as using a '$' in his password. The nerve of some people.

//time to rethink computer passwords. There are 3 possible responses. Valid password, invalid password, or "meh, close enough"
Meh, close enough. LOL
vernonc is offline  
This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.