
New Matmid Acct Password Requirements

Old Nov 9, 09, 2:14 am
  #1  
Moderator, El Al and Marriott Bonvoy, FlyerTalk Evangelist
Original Poster
 
Join Date: Feb 2005
Location: SIN
Programs: TG*G, Mar LTBT, Hyatt Glb, AA PLT-LTG, LY, HH, IC, BA, DL, UA SLV
Posts: 11,841
Angry New Matmid Acct Password Requirements

I really don't like websites that make me change passwords on a regular basis. It seems to me that it is my responsibility to change them when I determine it important to change rather than when they deem it important.

Today I logged into my Matmid account to find that I need to change the password again. Fine. But now they've made it more complex and less convenient for me. The password now needs to have two parts. The first part needs to be a combination of letters and numbers with at least two letters. The second part must be four numbers which you can also then use as your password for Matmid services by phone. I was quite happy with the two passwords being totally separate. I was quite happy with my online passwords being a mixture of 8 letters and numbers of my own choosing. Why don't they, and all the other companies with online services, focus on great functionality instead of getting so worked up about how I choose my personal password?
yosithezet is offline  
Old Nov 9, 09, 3:01 am
  #2  
 
Join Date: Feb 2005
Programs: EL AL Matmid, BA Executive Club GGL/CCR, Hilton Diamond, Avis President's Club
Posts: 1,918
The worst part of this supposed improvement in security is that people will end up writing down their passwords because they can't keep track of so many constantly changing passwords. They will also think of patterns which they can easily remember (like an incrementing counter) which also defeats the purpose of the whole thing. The result of course is a downgrading of the security.

EL AL are not alone here. My bank does it as well, although I have never encountered it anywhere outside Israel.
mikebg is offline  
Old Nov 9, 09, 6:19 am
  #3  
 
Join Date: Mar 2002
Location: 30,000 Feet
Programs: LY Top Platinum, AA Platinum, Hertz Five Star Gold
Posts: 857
I find this password change thing to be one of the most annoying and problematic elements of Israeli websites. I holler at El Al for it every 3 months, when they make me change it.

You are correct that it is unique to Israel. That emanates from a Bank of Israel requirement of all Israeli banks and credit companies to force user passwords to change every 3 months. The flaw is, like mentioned above, that people will simply record their passwords in unsecured locations since they can't remember them anymore. It's really asinine.
LatusElAl is offline  
Old Nov 9, 09, 7:53 am
  #4  
 
Join Date: Dec 2007
Location: Israel
Programs: AA EP, DL DM, FB PL, LY PL, BA Bronze, HH Diamond, PC Royal Ambassador, BW Platinum
Posts: 983
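Off topic, sorry that's in Hebrew...
Is this annoying?
It's annoying when the flight attendant comes and asks you whether you'd like chicken, pasta or fish for the meal,
and when you ask for chicken she says it has run out, and then you ask for pasta and she says it has run out.
That's annoying!

To all viewers of Moadon Layla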

(Briefly in English: there is a late night show in Israel, where in one of
the parts, named "This annoy you?", they talk about annoying things.
So the Hebrew text says:
"This annoy you?" What is really annoying is that the FA asks you what you want
for the meal, "Chicken, pasta or fish", and when you ask for chicken she says
"Sorry, no more chicken", and then when you go for the pasta there is no
pasta as well! That's annoying!)
(From now on I sit in 10C! Let the other guy at the end be out of chicken or pasta!)


And I totally agree on the password thing!
ebzed is offline  
Old Nov 9, 09, 10:20 am
  #5  
 
Join Date: Jan 2009
Location: London uk
Programs: *A Gold, BA Silver, Avis President, Hertz President circle
Posts: 2,797
Originally Posted by yosithezet View Post
I really don't like websites that make me change passwords on a regular basis. It seems to me that it is my responsibility to change them when I determine it important to change rather than when they deem it important.

Today I logged into my Matmid account to find that I need to change the password again. Fine. But now they've made it more complex and less convenient for me. The password now needs to have two parts. The first part needs to be a combination of letters and numbers with at least two letters. The second part must be four numbers which you can also then use as your password for Matmid services by phone. I was quite happy with the two passwords being totally separate. I was quite happy with my online passwords being a mixture of 8 letters and numbers of my own choosing. Why don't they, and all the other companies with online services, focus on great functionality instead of getting so worked up about how I choose my personal password?
Looks like they want to boast that not only has their airline got the best security, but also their airline has

That's why most times I log in I have to use the "forgot my password" option (I'm extremely glad my bank hasn't got this rule).
ELAL is offline  
Old Nov 9, 09, 11:02 am
  #6  
 
Join Date: Dec 2007
Location: Israel
Programs: AA EP, DL DM, FB PL, LY PL, BA Bronze, HH Diamond, PC Royal Ambassador, BW Platinum
Posts: 983
Originally Posted by ELAL View Post
Looks like they want to boast that not only has their airline got the best security, but also their airline has

That's why most times I log in I have to use the "forgot my password" option (I'm extremely glad my bank hasn't got this rule).

Best Security?
If I were a hacker, knowing the first 2 chars are letters, the 2 others are
letters or digits, and the last 4 are digits, I would say that a brute
force attack on the web site would be made much easier!
ebzed is offline  
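
The search-space point raised in post #6 can be checked by counting. This is an added example, not part of any post in the thread; it assumes case-insensitive letters (26) and a 4-character first part, neither of which the thread states.

```python
import math

LETTERS, DIGITS = 26, 10      # assumption: letters are case-insensitive a-z
ALNUM = LETTERS + DIGITS

def mask_keyspace(mask):
    """Candidates when every position has a fixed character-class size."""
    return math.prod(mask)

def keyspace_min_letters(length, min_letters):
    """Alphanumeric strings of `length` containing at least `min_letters` letters."""
    return sum(math.comb(length, k) * LETTERS**k * DIGITS**(length - k)
               for k in range(min_letters, length + 1))

def summary():
    spaces = {
        # post #1's old habit: any 8 letters and numbers
        "free_8_alnum": mask_keyspace([ALNUM] * 8),
        # post #6's reading: 2 letters, 2 letters-or-digits, 4 digits
        "post6_mask": mask_keyspace([LETTERS] * 2 + [ALNUM] * 2 + [DIGITS] * 4),
        # post #1's rule: first part (4 chars assumed) with >= 2 letters
        # in any position, followed by the 4-digit part
        "post1_rule": keyspace_min_letters(4, 2) * DIGITS**4,
        # the 4-digit part doubles as the phone password on its own
        "phone_pin_alone": DIGITS**4,
    }
    # name -> (number of candidates, equivalent bits)
    return {name: (n, round(math.log2(n), 1)) for name, n in spaces.items()}

if __name__ == "__main__":
    for name, (n, b) in summary().items():
        print(f"{name:16} {n:>17,} candidates  {b:5.1f} bits")
```

Under these assumptions the fixed-position format leaves roughly 1/322 of the candidates of a free 8-character alphanumeric password, and the part reused for phone access has only 10,000 values.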
Old Nov 9, 09, 11:18 am
  #7  
 
Join Date: May 2006
Location: New York
Programs: SPG Platinum, AA 2.0 MM, DL Plat, Hertz Plat, LY Gold
Posts: 1,602
It's a royal pain! What I've been doing is keeping the same password and adding one number to the end....
damaxer91 is offline  
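
The habit described in posts #2 and #7 (same password, counter bumped at the end) is something a change-password form can detect, because the user submits the old and the new password together at that moment. A sketch of such a check, as an added example that is not from the thread or from any site discussed; the function names, the edit threshold and the sample passwords are constructed for illustration.

```python
import re

def split_counter(pw):
    """Split a password into (stem, trailing digits); digits may be ''."""
    m = re.fullmatch(r"(.*?)(\d*)", pw)
    return m.group(1), m.group(2)

def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def rotation_weakness(old, new, max_edits=2):
    """Return why `new` is a trivial variation of `old`, or None if it is not."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "identical"
    (o_stem, o_num), (n_stem, n_num) = split_counter(o), split_counter(n)
    # same non-empty stem, only the trailing number changed or was added
    if o_stem and o_stem == n_stem and o_num != n_num:
        return "counter-bump"
    if edit_distance(o, n) <= max_edits:
        return "near-duplicate"
    return None

if __name__ == "__main__":
    # constructed sample pairs
    for old, new in [("falcon7", "falcon8"), ("falcon", "falcon1"),
                     ("Tr4vel99", "tr4vel100"), ("kestrel42", "orbit9137")]:
        print(old, "->", new, ":", rotation_weakness(old, new))
```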
Old Nov 10, 09, 12:12 am
  #8  
 
Join Date: Aug 2008
Programs: LH SEN, LY, UA/CO, AF/KL, QF
Posts: 512
Annoying yet important

Yes, I know it's annoying (really annoying, especially as on Linux+Firefox the website for Matmid still has some quirks).

But it's important. Seriously. You may ask yourselves, what's the problem? What can happen (btw, a hacker who tries all combinations will just get locked out, because modern systems which identify an excessive number of tries just lock the account)?

Well, your account may be hacked, a ticket award issued, and you will not know about it before checking your next statement in a few months. Yep, most people do not bother checking their account every second day (let's face reality here), and LY will have some liability to fix the problem (consider the bad PR they will suffer if someone used your points for a F flight to LA. and LY will refuse your request for getting the points back 'coz your password has been hacked).

And remember - this is not an airline, this is Israel!
mkilmo is offline  
Old Nov 10, 09, 1:29 am
  #9  
 
Join Date: Feb 2005
Programs: EL AL Matmid, BA Executive Club GGL/CCR, Hilton Diamond, Avis President's Club
Posts: 1,918
Originally Posted by mkilmo View Post
But it's important. Seriously. You may ask yourselves, what's the problem? What can happen (btw, a hacker who tries all combinations will just get locked out, because modern systems which identify an excessive number of tries just lock the account)?
I realise that, and am as concerned as anyone else about computer security. However, forcing a password change every 3 months results in LESS secure systems, not more secure systems, for the reasons explained above.
mikebg is offline  
Old Nov 10, 09, 1:51 am
  #10  
Moderator, El Al and Marriott Bonvoy, FlyerTalk Evangelist
Original Poster
 
Join Date: Feb 2005
Location: SIN
Programs: TG*G, Mar LTBT, Hyatt Glb, AA PLT-LTG, LY, HH, IC, BA, DL, UA SLV
Posts: 11,841
Originally Posted by mkilmo View Post
But it's important. Seriously. You may ask yourselves, what's the problem? What can happen (btw, a hacker who tries all combinations will just get locked out, because modern systems which identify an excessive number of tries just lock the account)?
I know exactly what can happen. However by making it too complex to choose a password the opposite is what happens in practice. As mentioned already, people need to eventually start to write down their passwords because this website requires this format and that one requires another format. I know more about Kerberos than how it is spelled and this is over the top.
yosithezet is offline  
Old Nov 10, 09, 5:53 am
  #11  
 
Join Date: Dec 2007
Location: Israel
Programs: AA EP, DL DM, FB PL, LY PL, BA Bronze, HH Diamond, PC Royal Ambassador, BW Platinum
Posts: 983
Knowing the site, on the web GUI there is no locking or restriction on the number of tries (max tried so far is 25)...
If someone wants to hack the system it probably won't be through the GUI...

Google/Microsoft/Visa and many banks in the US failed on this.
It's all about the will and the "targil".

Don't forget that the database holds credit cards (for whoever put them on the site) and some other personal details. And there are the bored kids who
will do it just for fun and to cause chaos.

I started there...
Ebzed (a.k.a Mephistopheles (at the 90s...) 8-))
ebzed is offline  
Old Nov 10, 09, 9:25 am
  #12  
 
Join Date: Aug 2008
Programs: LH SEN, LY, UA/CO, AF/KL, QF
Posts: 512
Originally Posted by ebzed View Post
Ebzed (a.k.a Mephistopheles (at the 90s...) 8-))
It was you!!!!!!!!!!!!!


Now seriously, we all know that when you have a complex password you write it down on a piece of paper, but then there is a paper trail (literally), as usually this piece of paper is in your office/home. So the only way for someone to actually see it is to come to your home/office.

I guess that your physical access control is slightly better than the open door methodology.

And please, let's not confuse the web (in)security with the fact that a good password is a good idea.
mkilmo is offline  
