Last edit by: davie355
HHonors Sign In (if the link has disappeared)
https://secure3.hilton.com/en/hh/customer/login/index.htm
Consolidated "CAPTCHA for logging in?" thread
#76
In Memoriam
Join Date: Jul 2001
Posts: 35,555
Hi there,
Thanks for your question! At this point, CAPTCHA is a long-term solution and has been implemented as an extra security measure for the safety of our members. I am collecting your feedback each day and passing along to my team so they are looped in on the user experience.
Thanks,
Erin
I appreciate you are the messenger, but this is one of the dumbest ideas I have ever seen. I use the Wells Fargo, Chase, Citibank and American Express websites on a routine basis, and they chose not to take the easy way out with CAPTCHA; they chose to actually address the core of the problem.
#77
Join Date: Dec 2012
Location: Venice, Florida
Programs: Hilton Diamond
Posts: 2,607
I called the Diamond desk yesterday almost in tears because the captcha had changed from a hotel room number to 2 words I couldn't read or hear. I asked why they couldn't stick with the hotel room number and said that, as someone who worked with hearing- and visually-impaired people, this was ridiculous.
Today I logged in and just got the hotel room number. I hope it stays like that!!!
#78
Join Date: Dec 2012
Location: Philadelphia
Programs: HH Diamond, IHG Plat, SPG & Marriott Gold, CC Silver
Posts: 541
Hi there,
Thanks for your question! At this point, CAPTCHA is a long-term solution and has been implemented as an extra security measure for the safety of our members. I am collecting your feedback each day and passing along to my team so they are looped in on the user experience.
Thanks,
Erin
#79
Join Date: Apr 2005
Location: Sydney, Australia (from time to time)
Programs: QF-LTS & P, SQ-TPPS, IC-RA, HH-D, *wood G, Others
Posts: 1,729
Hilton seem to be at the bleeding edge of stupid over-the-top security, and IMHO Captcha is a painful roadblock.
The other issue with a lot of sites generally now, including Hilton, is the short time to expiry from non-use. I again understand why, but sometimes we have to "line up the ducks" with airline, hotel and people reservations, and it can't be done so quickly!
#81
FlyerTalk Evangelist
Join Date: Jul 2005
Location: Seat 2A
Programs: AA EXP LT GLD 1MM, BA GLD, NH/UA*G, Hyatt Dia, Marr Tit LT PLT, IHG Spire,HH Dia, MGM NOIR,Hertz PC
Posts: 10,571
This is driving me nuts. My device doesn't display the captcha properly for whatever reason and I can't access my account $&*#^@#
#82
Moderator Hilton Honors, Travel News, West, The Suggestion Box, Smoking Lounge & DiningBuzz
Join Date: Jun 2000
Programs: Honors Diamond, Hertz Presidents Circle, National Exec Elite
Posts: 36,027
Could someone wiser to the ways of internet security than I am comment on why Hilton presumably thinks that this is a security enhancement -- IF the problem they are seeking to alleviate is purloined passwords/pins?
I don't know a lot about such things, but it would seem to me that IF that's the presenting problem, a captcha doesn't do anything to ameliorate/address the issue, but just gives a potential thief another layer.
Or is there something else that is the presumed problem that Hilton is responding to where a captcha makes sense as an answer?
Not so much interested in rants about Hilton's IT (I've joined those often enough myself) but informed speculation about a) what the actual problem is they are seeking to solve, and b) where it does so or not.
#83
FlyerTalk Evangelist
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
If the information is stolen, captcha doesn't do much. But if there's a bulk attack (e.g. feed the PIN 4321 to 1,000,000 different accounts, and expect to succeed with at least 100 of them) captcha will stop it or at least slow it down greatly.
#85
FlyerTalk Evangelist
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
I haven't seen this answered in this thread yet (sorry if I missed it), but why can't Hilton just use the same security that all the other hotel sites use? Or airlines? Or a million other sites that have security that works? What is their excuse for not taking the very simple action of copying successful sites?
#86
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,361
I haven't seen this answered in this thread yet (sorry if I missed it), but why can't Hilton just use the same security that all the other hotel sites use? Or airlines? Or a million other sites that have security that works? What is their excuse for not taking the very simple action of copying successful sites?
I don't think the travel industry is the place to look for best practices here. How many people had Air China reservations booked with United miles cancelled by hackers? IHG has all sorts of hacked accounts.
Even security in the financial industry is pathetic. How many banks rely on wish-it-was-two-factor security questions (US Bank) or short PINs instead of passwords (Capital One 360)? Vanguard used to have laughable password policies but those have fortunately changed.
Honestly, I feel more secure about my Amazon and Netflix accounts than anything else. At least Amazon (Web Services) and Google allow true two-factor authentication.
#87
FlyerTalk Evangelist
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
(Not defending Hilton)
I don't think the travel industry is the place to look for best practices here. How many people had Air China reservations booked with United miles cancelled by hackers? IHG has all sorts of hacked accounts.
Even security in the financial industry is pathetic. How many banks rely on wish-it-was-two-factor security questions (US Bank) or short PINs instead of passwords (Capital One 360)? Vanguard used to have laughable password policies but those have fortunately changed.
Honestly, I feel more secure about my Amazon and Netflix accounts than anything else. At least Amazon (Web Services) and Google allow true two-factor authentication.
#88
Join Date: Feb 2003
Location: New York City
Programs: BA Gold Guest List; HH Diamond; Hyatt Diamond; SPG Gold
Posts: 2,833
The putative purpose of a Captcha is to verify that it's a human being on the other end; i.e. to limit the rate at which an advanced attacker can attempt his attack through automation.
If an attacker already has (through some means) the password for a given account, it serves no purpose. The attacker can just log in and do the Captcha like you or me.
Captcha does nothing to defend against attack vectors like phishing. The purpose is just to stop/slow down brute force/dictionary attacks. The same could be achieved by:
- locking the account after several incorrect login attempts, with an email sent with an unlock link
- use of a one-off Captcha when a given (username, IP address) pair logs in for the first time, or the first time per day (e.g.)
- removal of account number / PINs for login, instead requiring email address plus a higher-security password selection rule
... but all of those would - while being much more user-friendly - require more engineering effort than simply adding an additional Captcha verification callback to the existing login page.
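The alternatives listed in the post above (account lockout after several failures with an e-mailed unlock link, and a one-off Captcha only for a first-time (username, IP address) pair) together with the bulk "one PIN against a million accounts" pattern described in #83 can be put in a few dozen lines of server-side logic. The Python below is an added example written for this thread; it is not Hilton's code or anything posted by a forum member. The thresholds, the IP addresses (documentation ranges), the `example.invalid` unlock URL and the `LoginGuard` class itself are all constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import secrets

# Constructed thresholds; a real deployment would tune these from its own traffic.
MAX_FAILURES_PER_ACCOUNT = 5   # lock the account after this many consecutive failures
MAX_ATTEMPTS_PER_IP = 20       # ceiling on attempts from one source, across ALL accounts


@dataclass
class LoginGuard:
    """Hypothetical login gate combining lockout, per-IP throttling and a one-off captcha."""
    failures: dict = field(default_factory=lambda: defaultdict(int))     # username -> consecutive failures
    locked: dict = field(default_factory=dict)                           # username -> unlock token
    ip_attempts: dict = field(default_factory=lambda: defaultdict(int))  # ip -> attempts against any account
    known_pairs: set = field(default_factory=set)                        # (username, ip) pairs that logged in before
    outbox: list = field(default_factory=list)                           # simulated unlock e-mails (username, link)

    def evaluate(self, username, ip, password_ok, captcha_solved=False):
        """Return 'ok', 'bad_password', 'locked', 'ip_throttled' or 'captcha_required'."""
        if username in self.locked:
            return "locked"                       # nothing counts until the owner unlocks it
        self.ip_attempts[ip] += 1
        if self.ip_attempts[ip] > MAX_ATTEMPTS_PER_IP:
            return "ip_throttled"                 # the #83 case: many accounts, one source
        if (username, ip) not in self.known_pairs and not captcha_solved:
            return "captcha_required"             # one-off captcha for an unseen (username, ip) pair
        if not password_ok:
            self.failures[username] += 1
            if self.failures[username] >= MAX_FAILURES_PER_ACCOUNT:
                token = secrets.token_urlsafe(16)
                self.locked[username] = token
                # Constructed placeholder URL; a real system sends this to the account's e-mail.
                self.outbox.append((username, f"https://example.invalid/unlock?token={token}"))
                return "locked"
            return "bad_password"
        self.failures[username] = 0
        self.known_pairs.add((username, ip))      # only a successful login "learns" a pair
        return "ok"

    def unlock(self, username, token):
        """Consume the e-mailed token; constant-time compare so the token can't be guessed byte by byte."""
        expected = self.locked.get(username)
        if expected is not None and secrets.compare_digest(expected, token):
            del self.locked[username]
            self.failures[username] = 0
            return True
        return False


def demo():
    """Walk through the three situations discussed in the thread and return the observed results."""
    g = LoginGuard()
    home, attacker = "192.0.2.10", "198.51.100.7"   # constructed documentation-range addresses

    # 1. Legitimate user: captcha only on the first (username, ip) pair, never again afterwards.
    first = g.evaluate("alice", home, password_ok=True)
    second = g.evaluate("alice", home, password_ok=True, captcha_solved=True)
    third = g.evaluate("alice", home, password_ok=True)

    # 2. Bulk attack from #83: one guessed PIN sprayed over many accounts from one source.
    #    Even with every captcha solved, the per-IP ceiling cuts it off after 20 attempts.
    spray = [g.evaluate(f"user{i}", attacker, password_ok=False, captcha_solved=True) for i in range(25)]

    # 3. Targeted guessing against one account: lockout plus an unlock link, then the owner recovers.
    target_ip = "203.0.113.5"
    guesses = [g.evaluate("bob", target_ip, password_ok=False, captcha_solved=True) for _ in range(5)]
    owner_while_locked = g.evaluate("bob", home, password_ok=True, captcha_solved=True)
    _, link = g.outbox[-1]
    unlocked = g.unlock("bob", link.split("token=")[1])
    owner_after_unlock = g.evaluate("bob", home, password_ok=True, captcha_solved=True)

    return {
        "legit": (first, second, third),
        "spray_bad_password": spray.count("bad_password"),
        "spray_throttled": spray.count("ip_throttled"),
        "guesses": guesses,
        "owner_while_locked": owner_while_locked,
        "unlock_mails": len(g.outbox),
        "unlocked": unlocked,
        "owner_after_unlock": owner_after_unlock,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering of the checks is the point: the per-IP ceiling sits above the captcha so that a solved captcha does not buy unlimited guesses across accounts, and a (username, IP) pair is only remembered after a successful login, so a failed guess never teaches the system to trust the guesser's address.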
#89
Join Date: Mar 2001
Location: New York / Hawaii
Programs: UA Global Services, HH Diamond
Posts: 5,178
At least the numbers are up instead of the scribbled unreadable text.
#90
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,361
Maybe you are referring to hacks other than ones that brute force the login? I have accounts on every major hotel chain and most all of the major airlines (none in China though!) and have never experienced an attack or even heard of anything serious that I could have prevented with a stronger password. Ditto for banks, credit cards, and dozens of other sites.