FlyerTalk Forums


irishguy28 Feb 7, 2018 2:17 am

KLM.com moving from FB Pin/existing password to new password for log-in
 
As many other airlines/websites have done in the past, KLM.com is now inviting users to create passwords for login, rather than just the Flying Blue pin.

Ditto Feb 7, 2018 2:44 am

It's a bit odd to have an "old password" field when you get this screen immediately after you logged in and typed in your password.
Also no "match/verify" new password, I wonder how many people will mistype their new password only to have to recover it later...

Xandrios Feb 7, 2018 4:41 am

So they introduce a new authentication mechanism...and do not include two-factor authentication? Missed opportunity imho.

irishguy28 Feb 7, 2018 4:42 am

They still occasionally require you to prove that you are not a robot, though :D :D :D

mfkne Feb 7, 2018 5:16 am

A good first step, but 2-factor auth is a must these days.

Ditto Feb 7, 2018 5:33 am

Are there other airlines that provide 2FA?

mfkne Feb 7, 2018 7:43 am

None that I'm aware of, but it's kind of a security standard these days (even if even PayPal doesn't offer it).

Ditto Feb 7, 2018 8:45 am

PayPal does offer it, at least in NL
It does become more and more common yes, I would hardly say it is standard, I'm not aware of any single retailer using it, it seems limited mostly to either banking/finance or tech savvy companies.

mfkne Feb 7, 2018 10:28 am

Ah, I see that PayPal does indeed support 2FA, but they're using SMS, which isn't always practical. An authenticator app would be more useful, at least to me.

johan rebel Feb 7, 2018 11:09 am

Is there any evidence that passwords meeting KLM's criteria are more secure than any other combination of 8 - 12 characters?

Restricting options this way just invites people to pick Qwerty1234 or similar easy to remember variations on that theme which I encounter a lot.

Johan

Ditto Feb 7, 2018 12:48 pm


Originally Posted by mfkne (Post 29390351)
Ah, I see that PayPal does indeed support 2FA, but they're using SMS, which isn't always practical. An authenticator app would be more useful, at least to me.

Yes, it does limit indeed, especially since the OTP can only be sent to a Dutch mobile number, it's also not the most secure thing in the world, there have been frauds/scams in ZA which included "duplicating" one SIM card to get the bank OTP which is SMS based.

Ditto Feb 7, 2018 12:50 pm


Originally Posted by johan rebel (Post 29390528)
Is there any evidence that passwords meeting KLM's criteria are more secure than any other combination of 8 - 12 characters?

Restricting options this way just invites people to pick Qwerty1234 or similar easy to remember variations on that theme which I encounter a lot.

Johan

It is no doubt more secure than just a 4-digit PIN code, which could have been only 1234 ;)

Kaasschaaf Feb 8, 2018 7:35 am

As an IT professional and security enthusiast I've complained to KLM before that I wasn't happy with the four-digit PIN. But with this change, I don't think it actually got any better. The password requirements are ludicrous:
  • 8 to 12 characters
  • At least 1 numeric character (0-9)
  • At least 1 uppercase character (A-Z) and 1 lowercase character (a-z)
  • In addition, the following characters are allowed: @ $ & + - / # _ ? !
First of all, why a maximum password length? I understand a minimum, but why the max? Secondly, if I want a password sentence, something like ialwaysflywithklmbecausetheyreblue is easily memorable and is harder to crack than with the current requirements. I use a password vault with password generator and I usually have passwords of over 50 digits with all types of symbols available, and if companies restrict me in how complicated I want my passwords, I don't think they take their security seriously. Unless the KLM IT department still lives in 1999.

And to people who ask for two factor authentication: if you need that, your passwords are probably bad. Use a long password and a different password for every account you create. And if possible, even a different email address per account.
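
Added example, not part of any post in this thread: a checker for the password rules quoted above, plus an inclusion-exclusion count of how many passwords those rules admit. The function names are hypothetical, and the bit figures are upper bounds that assume uniformly random characters, which hand-picked passwords such as Qwerty1234 do not reach.

```python
import math
import re

SYMBOLS = "@$&+-/#_?!"  # symbol set exactly as quoted in the post
ALLOWED = re.compile("[A-Za-z0-9" + re.escape(SYMBOLS) + "]+")

def klm_policy_violations(pw):
    """Return the quoted rules that pw breaks; an empty list means accepted."""
    problems = []
    if not 8 <= len(pw) <= 12:
        problems.append("length must be 8 to 12")
    if not re.search("[0-9]", pw):
        problems.append("needs a digit")
    if not re.search("[A-Z]", pw):
        problems.append("needs an uppercase letter")
    if not re.search("[a-z]", pw):
        problems.append("needs a lowercase letter")
    if not ALLOWED.fullmatch(pw):
        problems.append("character outside the allowed set")
    return problems

def compliant_count(n, lower=26, upper=26, digits=10, symbols=len(SYMBOLS)):
    """Count length-n strings with >=1 lower, upper and digit (inclusion-exclusion)."""
    total = lower + upper + digits + symbols
    return (total**n
            - (total - lower)**n - (total - upper)**n - (total - digits)**n
            + (total - lower - upper)**n + (total - lower - digits)**n
            + (total - upper - digits)**n
            - symbols**n)

def policy_bits():
    """log2 of every password the policy admits, lengths 8 through 12."""
    return math.log2(sum(compliant_count(n) for n in range(8, 13)))

def random_bits(length, alphabet=72):
    """Upper bound for a generated password: uniformly random characters."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    for pw in ("Qwerty1234", "ialwaysflywithklmbecausetheyreblue"):
        print(pw, "->", klm_policy_violations(pw) or "accepted")
    print("share of 12-char strings the rules allow:",
          round(compliant_count(12) / 72**12, 3))
    print("best case under the policy: %.1f bits" % policy_bits())
    print("50 random characters, same alphabet: %.1f bits" % random_bits(50))
```

The character-class rules exclude roughly one in six of the 12-character strings, and the 12-character cap is what sets the ceiling on a generated password.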

Ditto Feb 8, 2018 8:17 am


Originally Posted by Kaasschaaf (Post 29393786)
And to people who ask for two factor authentication: if you need that, your passwords are probably bad. Use a long password and a different password for every account you create. And if possible, even a different email address per account.

And then storing all of them in the same software/app is not making it any more secure.
2FA is by definition more secure, and comes to address cases where someone got hold of your passwords, not necessarily by brute-forcing them.

bodory Feb 8, 2018 8:46 pm


Originally Posted by mfkne (Post 29390351)
Ah, I see that PayPal does indeed support 2FA, but they're using SMS, which isn't always practical. An authenticator app would be more useful, at least to me.

+1

For people travelling and switching between various phone numbers it is painful to change SIM cards just to get 2FA on the right phone.

It is not like KL's day-to-day business was to deal with travellers after all :rolleyes:


All times are GMT -6.