New "enhancement" - Marriott arbitrarily changes password

Old Feb 27, 2014 | 6:45 am
  #1  
Original Poster
Join Date: Aug 2004
Location: DCA, EGE, IAD
Programs: MR LTT, BA Gold, AA LTP, UA Silver
Posts: 6,094

OK, I did a search on "password" before posting this. Another amazing enhancement brought to us by the idiots at Marriott.

My password was changed from a mix of lower and upper case to all upper case (and numbers). I have been using this password for a few months, logging in numerous times each week, so it's not like I forgot it. Today I was unable to log in. Had them email me my password and it was identical to my password, but all in upper case.

Just a heads up for rest of you.
aaupgrade is offline  
Old Feb 27, 2014 | 8:06 am
  #2  
Join Date: May 2002
Location: Pittsburgh
Programs: MR LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus, HH Gold, Hertz PC, National Executive, etc.
Posts: 31,687
It must be something special for you, because mine is fine.
CPRich is offline  
Old Feb 27, 2014 | 8:09 am
  #3  
Join Date: Mar 2010
Location: DAY
Programs: UA 1K 1MM; Marriott LT Titanium; Amex MR; Chase UR; Hertz PC; Global Entry
Posts: 11,458
Originally Posted by aaupgrade
OK, I did a search on "password" before posting this. Another amazing enhancement brought to us by the idiots at Marriott.

My password was changed from a mix of lower and upper case to all upper case (and numbers). I have been using this password for a few months, logging in numerous times each week, so it's not like I forgot it. Today I was unable to log in. Had them email me my password and it was identical to my password, but all in upper case.

Just a heads up for rest of you.
That seems rather bizarre. Any chance you have been taken in by phishing or other type of scam?

I would browse securely and directly to the Marriott site and change my password if I were in your shoes. Also, keep an eye on account activity, balances and the like.

Good luck.

Last edited by goodeats21; Feb 27, 2014 at 2:19 pm
goodeats21 is offline  
Old Feb 27, 2014 | 8:24 am
  #4  
Join Date: Oct 2001
Programs: LTP, PP
Posts: 9,110
Mine is fine too, that seems odd. When sites force you to change a password, they normally lock you out until you select another of your choosing.

Definitely sum ting wong...
joshua362 is offline  
Old Feb 27, 2014 | 8:48 am
  #5  
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Actually, I remember hitting something like this not too long ago. It turns out Marriott passwords are CASE INSENSITIVE! I get so frustrated by sites coming up with password rules that you must write passwords down to be able to remember them if you don't use them every day.

I just tried three possibilities for my password, as entered, all upper-case, and all lower-case. Even mixed case worked! They all allowed me into my account.

I guess that goes along with their process of flagging my account because my email user name is Marriott. I was told I can't use that... ummmm
RogerD408 is offline  
Old Feb 27, 2014 | 9:16 am
  #6  
Join Date: Feb 2012
Location: Helsinki (Finland)
Programs: IHG Plat, Marriott Plat
Posts: 486
Originally Posted by CPRich
It must be something special for you, because mine is fine.
Marriott has more than two Rewards members.

Anyways, mine is fine, too.

A couple of months back they had somehow activated my old password even though I had changed it several months earlier and used it many times.
FinnishFlash is offline  
Old Feb 27, 2014 | 9:20 am
  #7  
Join Date: Feb 2012
Location: Helsinki (Finland)
Programs: IHG Plat, Marriott Plat
Posts: 486
Originally Posted by aaupgrade
Had them email me my password and it was identical to my password, but all in upper case.
Did they really e-mail you your password?

The reason for it all being upper case is probably that their database where passwords are stored is case-insensitive, i.e. when they pull up your data, it's all in upper case, and when you log in the case doesn't seem to matter at all. Any case seems to be OK as long as you enter the right characters.

E: RogerD408 actually told all this already but still, I think it's a breach of security to not store, and use, passwords with case-sensitivity.

Last edited by FinnishFlash; Feb 27, 2014 at 9:27 am
FinnishFlash is offline  
Old Feb 27, 2014 | 10:35 am
  #8  
 
Join Date: Apr 2001
Posts: 1,386
Mine hasn't changed, either.

However, about a year ago I was prompted to change mine, from all letters to something that was either a minimum length or that had at least one non-letter. I forget the exact details but I was able to change it from (for example) "freak" to "freak12". It was definitely after I had logged in under my old password.
Frequent Freak is offline  
Old Feb 27, 2014 | 12:48 pm
  #9  
Join Date: Nov 2013
Programs: HH Diamond, IHG Spire, Marriott Gold, AA Plat. Pro
Posts: 401
Originally Posted by aaupgrade
OK, I did a search on "password" before posting this. Another amazing enhancement brought to us by the idiots at Marriott.

My password was changed from a mix of lower and upper case to all upper case (and numbers). I have been using this password for a few months, logging in numerous times each week, so it's not like I forgot it. Today I was unable to log in. Had them email me my password and it was identical to my password, but all in upper case.

Just a heads up for rest of you.
How did they email you your password? There should be no way they can see your password. And if they emailed it, which is completely against IT best practices, I would change it to something completely different.

If they can view your email in plain text that's a huge security issue.
HansGruber is offline  
Old Feb 27, 2014 | 12:57 pm
  #10  
Join Date: Nov 2013
Programs: HH Diamond, IHG Spire, Marriott Gold, AA Plat. Pro
Posts: 401
Originally Posted by RogerD408
Actually, I remember hitting something like this not too long ago. It turns out Marriott passwords are CASE INSENSITIVE! I get so frustrated by sites coming up with password rules that you must write passwords down to be able to remember them if you don't use them every day.

I just tried three possibilities for my password, as entered, all upper-case, and all lower-case. Even mixed case worked! They all allowed me into my account.

I guess that goes along with their process of flagging my account because my email user name is Marriott. I was told I can't use that... ummmm
I just tried the same thing. Case sensitivity isn't a huge security issue but I'd be curious if they are stored in plain text, which is.
HansGruber is offline  
Old Feb 27, 2014 | 1:17 pm
  #11  
Original Poster
Join Date: Aug 2004
Location: DCA, EGE, IAD
Programs: MR LTT, BA Gold, AA LTP, UA Silver
Posts: 6,094
You can click on forgot password and there is an option for them to send you your password. I copied and pasted the password from their email in order to log on.

Marriott not requiring passwords to be case sensitive is totally against IT best practices. It explains why my password appeared in upper case in their email. But why couldn't I log in, 3 attempts, with it in mixed case? That's a rhetorical question. Yes, caps lock was off on all 3 attempts.

As others have noted, emailing password is also against IT best practices.

I work in the IT field, and yes I have changed my password to something completely different.

FWIW, the first thing I checked was mileage balances, reservations, etc and all were fine. As far as phishing, I NEVER click on any links in email, so little chance of me being phished.

Perhaps this is just an isolated case of their security being down for a brief period when I was attempting to log in. Anyway, thought I should mention it to the forum just in case it wasn't.

At least it did alert us to their shoddy security practices. Of course as many of us old timers are aware that doesn't come as a surprise with the inept Marriott Marketing, oops I mean IT department. Even though their web site comes up lacking from a functional and user friendly perspective, at least it looks good and requires lots of scrolling down and extra mouse clicks, and we all know that is all that matters to Marriott.
aaupgrade is offline  
Old Feb 28, 2014 | 8:48 am
  #12  
 
Join Date: Dec 2004
Location: AUS
Posts: 690
Originally Posted by aaupgrade
Marriott not requiring passwords to be case sensitive is totally against IT best practices.
Case-insensitive passwords aren't a huge problem. (It's about the same as a password one letter shorter.) American Express does the same thing. (IHG doesn't even do passwords, just four-digit PIN numbers, with the obvious result.)

As others have noted, emailing password is also against IT best practices.
Yes, this is the really stupid part.

Originally Posted by joshua362
When sites force you to change a password, they normally lock you out until you select another of your choosing.
That's probably the main concern. If they did a standard password reset (where the old password stops working immediately) then customers without access to their email account (while traveling in a foreign country) would be up the creek if anyone reset their password.
Moriens is offline  
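
An added example, not written by any poster and not Marriott's code, of the storage questions raised in posts #7 to #12: a salted-hash record (which leaves nothing to e-mail back), case folding before hashing, a reset token that leaves the old password valid until it is redeemed, and the search-space cost of folding case. The function names, the PBKDF2 iteration count and the sample password are assumptions constructed for illustration.

```python
import hashlib, hmac, math, os, secrets

ITERATIONS = 100_000  # assumed work factor for this example only

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def enroll(password: str, fold_case: bool = False) -> dict:
    """Build the stored record: salt and digest only, never the password."""
    if fold_case:  # the case-insensitive behaviour reported in the thread
        password = password.upper()
    salt = os.urandom(16)
    return {"salt": salt, "digest": _kdf(password, salt), "fold_case": fold_case}

def verify(record: dict, attempt: str) -> bool:
    if record["fold_case"]:
        attempt = attempt.upper()
    return hmac.compare_digest(_kdf(attempt, record["salt"]), record["digest"])

def issue_reset_token(record: dict) -> str:
    """Forgot-password flow with nothing recoverable to e-mail: send a one-time
    token, keep only its hash; the old password keeps working until redemption.
    A deployment would also expire the token."""
    token = secrets.token_urlsafe(32)
    record["reset_hash"] = hashlib.sha256(token.encode()).digest()
    return token

def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    expected = record.get("reset_hash")
    supplied = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(supplied, expected):
        return False
    record.update(enroll(new_password, record["fold_case"]))
    del record["reset_hash"]  # single use
    return True

def search_space_bits(length: int, fold_case: bool) -> float:
    """Search space, in bits, of a random letters-and-digits password."""
    return length * math.log2(36 if fold_case else 62)

if __name__ == "__main__":
    strict = enroll("Tr4velPoints")                    # constructed sample password
    folded = enroll("Tr4velPoints", fold_case=True)
    print(verify(strict, "TR4VELPOINTS"), verify(folded, "TR4VELPOINTS"))
    print(round(search_space_bits(8, False) - search_space_bits(8, True), 2))
```

For a random 8-character letters-and-digits password, folding case costs about 6.3 bits of search space, and the loss grows with length.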
Old Feb 28, 2014 | 10:59 am
  #13  
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 102,617
Originally Posted by Frequent Freak
Mine hasn't changed, either.

However, about a year ago I was prompted to change mine, from all letters to something that was either a minimum length or that had at least one non-letter. I forget the exact details but I was able to change it from (for example) "freak" to "freak12". It was definitely after I had logged in under my old password.
I remember having to pick a new password with at least eight characters, but symbols weren't allowed.
MSPeconomist is offline  

