
New Marriott Security Measures

 
Thread Tools
 
Search this Thread
 
Old Jul 16, 2015, 7:23 am
  #16  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
If I have to do a password update, I'd rather have it be an incidental update after I have gone directly to the marriott.com site on my own instead of being directed there by an emailed link.

The cat and mouse game continues -- in large part because of government and corporate practices, but also because of consumer laziness. This won't put a stop to the cat and mouse games.

Originally Posted by Often1
Maybe Marriott should have a zero-liability opt-in. You can use the non-secure single authentication if you want, but you agree to hold Marriott harmless from any liability for a hack.
I doubt that such an approach would be upheld as legal in all the markets where Marriott operates -- not that Marriott will go to such an anti-consumer extreme as you suggest and let it get to the point of being tested.
GUWonder is offline  
Old Jul 16, 2015, 8:51 am
  #17  
A FlyerTalk Posting Legend
 
Join Date: Aug 2002
Programs: UALifetimePremierGold, Marriott LifetimeTitanium
Posts: 71,103
Originally Posted by SS255
Not too long ago my company moved toward 2-factor authentication for many applications. Yes, it's a bit of a rigmarole, but certainly preferable to getting hacked and having to deal with the consequences of a total stranger enjoying the fruits of your labor.
Well, there was a reason your company moved to that; too bad they didn't do it sooner (sorry, couldn't resist).

Originally Posted by Westcoaster
Something to consider for the future: Account security is indeed important which is why I'm not going to click on a link in an email asking me to update or verify account info. I was immediately suspicious of the email Marriott sent me because it asked me to click on a link. If Marriott is serious about account security then send me an email asking me to go to the Marriott website on my own and verify/update whatever info is required. Encouraging people to click on links in emails is not indicative of concern regarding security. Just my two cents.
Agree.

Originally Posted by sdsearch
Didn't they already increase the minimum password length a year or so ago? I remember having to go from 6 to 8 characters.

Anyway, by using a password alone, Marriott seems light years ahead of IHG Club, which still uses only a PIN, UA, which allows only a PIN despite also having passwords, and even Hilton, which just dropped the PIN only a couple of months ago. An 8-character password (with some rules about how it must be formed) seems light years ahead of a numeric-only 4-digit PIN!
Agree with most of the above, except the United part. I've only ever used a password with UA, not a PIN.

Originally Posted by apodo77
I believe Marriott is at least 8 characters and has to have at least one number and one upper case letter the last time I changed it. May be misremembering that but it was about a month ago.
I think it has a length requirement & perhaps a symbol or character, but it still accepts lower case on the letters. Last year I switched my password to 14 numbers/letters (no symbol & no caps) & it still works.

Cheers.
SkiAdcock is offline  
Old Jul 16, 2015, 8:53 am
  #18  
FlyerTalk Evangelist
 
Join Date: Mar 2010
Location: DAY
Programs: UA 1K 1MM; Marriott LT Titanium; Amex MR; Chase UR; Hertz PC; Global Entry
Posts: 10,157
Originally Posted by SkiAdcock
So basically Marriott is asking you to provide a phone number and email to get ready for their new authentication. Presumably if you already have that and you're happy with it there should be no problem.

Fwiw - I thought Marriott was going to ask for a stronger password. If hackers can already access my account, they'd already have my email and phone number.

Cheers
Originally Posted by apodo77
The horror of a possible extra 10-15 seconds to complete an award reservation.
Depending on how it is implemented, it can be quite a problem. When my credit union went to enhanced security, they required a phone number to send SMS code...no other option presented. Well for those of us that are global, that is a ridiculous requirement. My phone number changes quite often, depending on where in the world I am and what SIM card(s) are in my phone. They finally relented and allowed the use of an email account instead of a phone number, but it was a pain to get that exception.

I am quite supportive of enhanced security, but design it to work for everyone.
goodeats21 is offline  
Old Jul 16, 2015, 9:01 am
  #19  
A FlyerTalk Posting Legend
 
Join Date: Aug 2002
Programs: UALifetimePremierGold, Marriott LifetimeTitanium
Posts: 71,103
Originally Posted by goodeats21

I am quite supportive of enhanced security, but design it to work for everyone.
Agree.
SkiAdcock is offline  
Old Jul 16, 2015, 9:46 am
  #20  
 
Join Date: Mar 2003
Location: Los Angeles, CA
Programs: UA 1K 1MMer & LT UC (when flying UA); Hyatt Credit Cardist; HHonors Diamond; Marriott Gold via UA 1K
Posts: 6,956
Originally Posted by SkiAdcock
Well, there was a reason your company moved to that; too bad they didn't do it sooner (sorry, couldn't resist).

Ouch.

But at least it makes the transition to Marriott's 2-factor authentication an easy one.

Where it tends to get tricky is when you are using inflight wifi, and can only use one device at a time. If you want to log into Marriott's site through your laptop, and you have no mechanism for receiving a text on your laptop, you are hosed. I had to have our I.T. department set me up with a special token on my iPhone to enable me to get the code in an off-line environment on my phone, so that I could type it into my laptop while it was connected to the inflight wifi.
SS255 is offline  
Old Jul 16, 2015, 11:31 am
  #21  
 
Join Date: Jan 2006
Posts: 134
I don't have a problem with requiring 2FA, depending on how it's implemented.

Originally Posted by SkiAdcock
Agree with most of the above, except the United part. I've only ever used a password with UA, not a PIN.
Whether you use it or not, your UA account has a 4-digit PIN associated with it.
All of them do, even if you didn't set it.
That 4 digit number and your MP # are all it takes to get in to your account.
Kingston is offline  
Old Jul 16, 2015, 12:17 pm
  #22  
A FlyerTalk Posting Legend
 
Join Date: Aug 2002
Programs: UALifetimePremierGold, Marriott LifetimeTitanium
Posts: 71,103
Originally Posted by SS255

Where it tends to get tricky is when you are using inflight wifi, and can only use one device at a time. If you want to log into Marriott's site through your laptop, and you have no mechanism for receiving a text on your laptop, you are hosed. I had to have our I.T. department set me up with a special token on my iPhone to enable me to get the code in an off-line environment on my phone, so that I could type it into my laptop while it was connected to the inflight wifi.
I got a headache reading that.

Cheers.
SkiAdcock is offline  
Old Jul 16, 2015, 1:10 pm
  #23  
 
Join Date: Oct 2001
Programs: LTP, PP
Posts: 8,698
Originally Posted by apodo77
The horror of a possible extra 10-15 seconds to complete an award reservation.
The real issue (and I get this problem with banks often) is that you have to give a phone number to receive a voice or text code in order to proceed. Now the entity has your cell phone number and somehow it gets passed to marketers and abused, no matter what your "privacy" preferences are. So I only give out a number I don't care about (which causes more problems...)
joshua362 is offline  
Old Jul 16, 2015, 2:09 pm
  #24  
 
Join Date: Apr 2011
Location: Treasure Coast, FL
Programs: DL Diamond, Marriott LT Plat, HH Diamond, Avis Preferred Plus, National Executive
Posts: 4,578
Originally Posted by goodeats21
Depending on how it is implemented, it can be quite a problem. When my credit union went to enhanced security, they required a phone number to send SMS code...no other option presented. Well for those of us that are global, that is a ridiculous requirement. My phone number changes quite often, depending on where in the world I am and what SIM card(s) are in my phone. They finally relented and allowed the use of an email account instead of a phone number, but it was a pain to get that exception.

I am quite supportive of enhanced security, but design it to work for everyone.
I have used the enhanced method on PayPal, Chase and Citi and they always give you the option to have it texted or emailed.
Also on PayPal you can actually bypass it by answering a couple of security questions (only works once before having to use the code).
apodo77 is offline  
Old Jul 16, 2015, 2:11 pm
  #25  
 
Join Date: Apr 2011
Location: Treasure Coast, FL
Programs: DL Diamond, Marriott LT Plat, HH Diamond, Avis Preferred Plus, National Executive
Posts: 4,578
Originally Posted by joshua362
The real issue (and I get this problem with banks often) is that you have to give a phone number to receive a voice or text code in order to proceed. Now the entity has your cell phone number and somehow it gets passed to marketers and abused, no matter what your "privacy" preferences are. So I only give out a number I don't care about (which causes more problems...)
The code can be emailed as well if it is like the ones I posted above.
apodo77 is offline  
Old Jul 16, 2015, 2:20 pm
  #26  
FlyerTalk Evangelist
 
Join Date: Feb 2003
Location: Denver, CO, USA
Posts: 26,679
Originally Posted by apodo77
The horror of a possible extra 10-15 seconds to complete an award reservation.
Times thousands of customers a day, times 365 days a year, times the growing number of companies going to multi-factor, with minimum password lengths of 14 or 18 characters, upper and lower case required, special characters required, can't be one of your last 24 passwords, must change quarterly, or monthly, or weekly...

The net result is far less productivity, AND far less security, as people go back to the Post-It method of password "security."

Shame on Marriott and other companies for foisting IT security off on its customers.
DenverBrian is offline  
Old Jul 16, 2015, 2:26 pm
  #27  
 
Join Date: Aug 2008
Location: Somewhere in Florida
Posts: 2,616
I find part of the e-mail laughable -- When I'm cracking passwords at my job (fun job), uppercase, numbers, and keyboard symbols are already part of the rainbow tables we use and in our brute-force algorithms in the server farm. I've not run a brute-force with only lowercase characters in over 10 years, probably longer than that.

Length, not complexity, is what stops hackers. In my office we now have a 16-character minimum, but we use pass phrases instead of passwords.

Originally Posted by apodo77
The horror of a possible extra 10-15 seconds to complete an award reservation.
My gripe is that most 2-factor auths are done via SMS (text message, for the Yanks). Nice if I'm in my home country, but if I'm abroad I usually have yanked the SIM on my mobile and am using a local SIM instead. Also, depending on what I'm working on, my mobile phone might not be allowed to be carried with me.
KRSW is offline  
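The "length, not complexity" point in the post above can be put in numbers: the work an exhaustive search needs grows with alphabet_size ** length, so each extra character multiplies the search space while adding a character class only enlarges the base. The following is an added example, not code from the original post; it computes the entropy of the policies mentioned in this thread (8 characters with mixed classes, 14 lowercase letters and digits, a 16-character lowercase pass phrase) and, as a caveat, of a pass phrase made of dictionary words, which is only as strong as its word count. The guess rate of 10^10 per second is an assumed figure for a fast, unsalted hash, not a measurement.

```python
import math

# Alphabet sizes a mask or brute-force run must cover (95 printable ASCII in total).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Assumed attacker throughput against a fast unsalted hash; an assumption for
# the comparison, not a measured number.
GUESSES_PER_SECOND = 1e10


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet_size ** length).
    This is the defender's best case; a human-chosen password is weaker."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy when the attacker knows the secret is `words` random dictionary words.
    Character length is irrelevant here: each word is one symbol from the word list."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to enumerate the whole search space at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_policies() -> dict:
    """Entropy (bits, rounded) and exhaustive-search time for the policies in the thread."""
    policies = {
        "8 chars, upper+lower+digit+symbol": search_space_bits(8, LOWER + UPPER + DIGITS + SYMBOLS),
        "14 chars, lowercase+digits only": search_space_bits(14, LOWER + DIGITS),
        "16 chars, lowercase only": search_space_bits(16, LOWER),
        "4 random words from a 7776-word list": passphrase_bits(4, 7776),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in policies.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:40s} {bits:6.1f} bits  {years:12.3g} years")
```

The 16-character lowercase string comes out around 75 bits against roughly 53 for the 8-character mixed-class password, so at the assumed rate the short one falls in days and the long one in a number of years with five digits. The caveat is the last row: four words from a 7776-word list is about 52 bits regardless of how many characters it spans, so a pass phrase only beats the short password if it is long in words, not just in letters.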
Old Jul 16, 2015, 2:28 pm
  #28  
 
Join Date: Aug 2008
Location: Somewhere in Florida
Posts: 2,616
Originally Posted by apodo77
The code can be emailed as well if it is like the ones I posted above.
THIS is exactly why I encourage everyone to have the longest pass phrase their e-mail system will allow. Once you get into someone's e-mail, you have their entire life. Just start entering their e-mail addy into various sites, click Forgot Password, and get a fresh one e-mailed to you.
KRSW is offline  
Old Jul 16, 2015, 2:44 pm
  #29  
 
Join Date: Oct 2001
Programs: LTP, PP
Posts: 8,698
Originally Posted by KRSW
THIS is exactly why I encourage everyone to have the longest pass phrase their e-mail system will allow. Once you get into someone's e-mail, you have their entire life. Just start entering their e-mail addy into various sites, click Forgot Password, and get a fresh one e-mailed to you.
So true. Great advice!
joshua362 is offline  
Old Jul 17, 2015, 8:02 am
  #30  
FlyerTalk Evangelist
 
Join Date: Mar 2010
Location: DAY
Programs: UA 1K 1MM; Marriott LT Titanium; Amex MR; Chase UR; Hertz PC; Global Entry
Posts: 10,157
Originally Posted by apodo77
I have used the enhanced method on PayPal, Chase and Citi and they always give you the option to have it texted or emailed.
Also on PayPal you can actually bypass it by answering a couple of security questions (only works once before having to use the code).
This is what I have now, but as I stated up-thread, it was not offered at program inception. I had to escalate several levels at the Credit Union to get the email option.

At the outset, it was a phone number for an SMS...or nothing.

Originally Posted by KRSW

My gripe is that most 2-factor auths are done via SMS (text message, for the Yanks). Nice if I'm in my home country, but if I'm abroad I usually have yanked the SIM on my mobile and am using a local SIM instead. Also, depending on what I'm working on, my mobile phone might not be allowed to be carried with me.
This. Exactly true.
goodeats21 is offline  

