AwardWallet Hack

Old Jul 30, 2015 | 10:58 am
  #16  
 
Join Date: Jun 2015
Programs: BA Gold, *G, HH Diamond, Accor Plat, SPG Gold
Posts: 48
Originally Posted by nux
Yes, but the fact that AwardWallet displays all stored passwords in plain text is a major system weakness. There is no reason to do this.

If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same).
Ouch, I didn't know about it. I'm mainly using their iPhone app, and definitely not saving passwords in their database.
kisl is offline  
Old Jul 30, 2015 | 11:01 am
  #17  
FlyerTalk Evangelist
10 Countries Visited
All eyes on you!
15 Years on Site
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,684
Originally Posted by nux
Yes, but the fact that AwardWallet displays all stored passwords in plain text is a major system weakness. There is no reason to do this.

If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same).
Sure it would - you'd just log in to AW and have it log in to the loyalty account. To do that, you just click on the name of the travel company.
josephstern is offline  
Old Jul 30, 2015 | 11:09 am
  #18  
All eyes on you!
20 Years on Site
 
Join Date: Sep 2005
Posts: 2,738
Originally Posted by nux
Yes, but the fact that AwardWallet displays all stored passwords in plain text is a major system weakness. There is no reason to do this.

If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same).
AwardWallet has a feature that logs into your site accounts for you automatically. Very handy. I use it often when I don't want to fuss with all the clicking.

The plaintext passwords are ordinarily masked. AwardWallet asks for your AW password as a double confirmation before showing them. Of course, if the user password is weak, then the double confirmation doesn't make it any more secure.

I think their major mistake was in allowing members to use weak passwords, but I wouldn't blame them on the system design or displaying plaintext passwords. Both of which appear to be secure, had the user chosen a reasonably strong password.

Bottom line - no system in the world is safe if the user chooses a weak password.
ckpeter is offline  
Old Jul 30, 2015 | 11:15 am
  #19  
FlyerTalk Evangelist
10 Countries Visited
All eyes on you!
15 Years on Site
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,684
Hmm. I was just able to log in and disable two-factor, without needing my two-factor code.

Kinda defeats the purpose.
josephstern is offline  
Old Jul 30, 2015 | 11:41 am
  #20  
All eyes on you!
10 Years on Site
 
Join Date: Sep 2012
Posts: 4,436
I wasn't one of the 250+ who got the email. Should I change all my passwords too? Or just my AW password?
DaveInLA is offline  
Old Jul 30, 2015 | 11:42 am
  #21  
 
Join Date: Nov 2003
Location: Vienna AUSTRIA
Posts: 549
For me, I didn't have a weak password and username.
WORLDWIDE TRAVELER is offline  
Old Jul 30, 2015 | 11:44 am
  #22  
 
Join Date: Nov 2003
Location: Vienna AUSTRIA
Posts: 549
Change all passwords and cancel your membership; better to be on the safe side than maybe losing all your hard-earned miles.
WORLDWIDE TRAVELER is offline  
Old Jul 30, 2015 | 11:59 am
  #23  
 
Join Date: Nov 2003
Location: Vienna AUSTRIA
Posts: 549
Don't forget the massive Iberia and BA accounts (mine of course too) hacked back in March this year,
which a lot of people think Award Wallet was the source of and got hacked.
Think twice before giving away your valuable passwords to a company we don't really know. I myself have learned my lesson.
WORLDWIDE TRAVELER is offline  
Old Jul 30, 2015 | 12:17 pm
  #24  
All eyes on you!
20 Years on Site
 
Join Date: Sep 2005
Posts: 2,738
Originally Posted by veresch
...
(2) accounts whose passwords were not unique to AwardWallet and were already compromised via different website, or passwords that were easily guessable, like abcd.
...
Originally Posted by WORLDWIDE TRAVELER
For me, I didn't have a weak password and username.
Interesting. Did you, by chance, have or had a password for AwardWallet that may have been shared with some other sites? Maybe one that you shared with BA?
ckpeter is offline  
Old Jul 30, 2015 | 12:27 pm
  #25  
 
Join Date: Nov 2003
Location: Vienna AUSTRIA
Posts: 549
Easy answer is NO, and I had different passwords for all of my 73 accounts stored with them.
WORLDWIDE TRAVELER is offline  
Old Jul 30, 2015 | 3:03 pm
  #26  
20 Years on Site
 
Join Date: May 2004
Posts: 264
Originally Posted by josephstern
Hmm. I was just able to log in and disable two-factor, without needing my two-factor code.

Kinda defeats the purpose.
If you were already logged in (via remembered cookies) then you wouldn't be prompted for the two-factor code. The two-factor code is used when you log in on that browser initially.

The best solution would be if AW requires another prompt for a two-factor password in order to display a clear-text loyalty password. This way even if a user did something dumb like leave their account logged in on a public computer, the clear text password wouldn't be displayed without another two-factor confirmation.

Also keep in mind that just because the loyalty passwords are being shown to you clear-text, doesn't mean they are stored that way. They have to be readable so AW can use them to check your points balance, so they can't be hashed, but I'll bet they are stored encrypted in their DB.
lopinc1 is offline  
Old Jul 30, 2015 | 3:07 pm
  #27  
FlyerTalk Evangelist
10 Countries Visited
All eyes on you!
15 Years on Site
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,684
Originally Posted by lopinc1
If you were already logged in (via remembered cookies) then you wouldn't be prompted for the two-factor code. The two-factor code is used when you log in on that browser initially.
Maybe, but most two-factor situations (certainly Google) require you to re-authenticate when doing things like lessening security, or changing passwords.

This is pretty insecure.
josephstern is offline  
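The two posts above describe a "step-up" rule: a session restored from a remembered cookie should not be enough to disable two-factor or to reveal a stored loyalty password; the service should demand a fresh master-password plus second-factor confirmation first, while the master password itself can be hashed and only the loyalty passwords need to stay recoverable. The following is an added illustration of that policy, not AwardWallet's code or anything from this thread; the account, session, secret and time values are constructed, the TOTP routine stands in for the user's authenticator app, and encrypting the stored loyalty passwords at rest is assumed to happen outside this snippet.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

STEP_UP_WINDOW = 300  # seconds a fresh second-factor confirmation remains valid


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; here it stands in for the user's authenticator app."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def hash_master(password: str, salt: bytes) -> bytes:
    """The master password is only ever verified, never replayed, so it can be hashed (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class StepUpRequired(Exception):
    """Raised when a sensitive action is attempted without a fresh re-authentication."""


@dataclass
class Account:
    user: str
    salt: bytes
    master_hash: bytes
    totp_secret: bytes
    two_factor_enabled: bool = True
    # Loyalty-site passwords must stay recoverable so the service can log in on the
    # user's behalf; a real store keeps them encrypted at rest (assumption: key
    # management lives outside this example), never hashed.
    stored_passwords: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    user: str
    remembered: bool                           # restored from a long-lived "remember me" cookie
    second_factor_at: Optional[float] = None   # time of the last verified step-up, if any


def step_up(account: Account, session: Session, master_password: str, code: str, now: float) -> bool:
    """Re-authenticate with the master password and (if enabled) a current TOTP code."""
    expected = hash_master(master_password, account.salt)
    if not hmac.compare_digest(expected, account.master_hash):
        return False
    if account.two_factor_enabled:
        # accept the current 30-second window and the previous one to tolerate clock skew
        if not any(hmac.compare_digest(code, totp(account.totp_secret, now - d)) for d in (0, 30)):
            return False
    session.second_factor_at = now
    return True


def require_fresh_step_up(session: Session, now: float) -> None:
    """A remembered session alone is never enough for a security-lessening action."""
    if session.second_factor_at is None or now - session.second_factor_at > STEP_UP_WINDOW:
        raise StepUpRequired("re-enter master password and second-factor code")


def disable_two_factor(account: Account, session: Session, now: float) -> None:
    require_fresh_step_up(session, now)
    account.two_factor_enabled = False


def reveal_stored_password(account: Account, session: Session, site: str, now: float) -> str:
    require_fresh_step_up(session, now)
    return account.stored_passwords[site]


def demo() -> Dict[str, object]:
    """Walk a remembered-cookie session through the gated actions; all values are constructed."""
    now = 1_700_000_000.0
    salt = b"constructed-salt"
    acct = Account("alice", salt, hash_master("correct horse battery", salt), b"constructed-totp-secret")
    acct.stored_passwords["exampleair"] = "constructed-loyalty-password"
    sess = Session("alice", remembered=True)
    out: Dict[str, object] = {}

    def attempt(label, fn):
        try:
            fn()
            out[label] = "allowed"
        except StepUpRequired:
            out[label] = "denied"

    attempt("disable_2fa_cookie_only", lambda: disable_two_factor(acct, sess, now))
    attempt("reveal_cookie_only", lambda: reveal_stored_password(acct, sess, "exampleair", now))

    # pick a six-digit code that is guaranteed not to be valid at this instant
    valid = {totp(acct.totp_secret, now), totp(acct.totp_secret, now - 30)}
    wrong = next(str(i).zfill(6) for i in range(10 ** 6) if str(i).zfill(6) not in valid)
    out["step_up_wrong_code"] = step_up(acct, sess, "correct horse battery", wrong, now)
    out["step_up_wrong_master"] = step_up(acct, sess, "wrong", totp(acct.totp_secret, now), now)
    out["step_up_ok"] = step_up(acct, sess, "correct horse battery", totp(acct.totp_secret, now), now)
    attempt("reveal_after_step_up", lambda: reveal_stored_password(acct, sess, "exampleair", now + 10))
    attempt("disable_2fa_after_window", lambda: disable_two_factor(acct, sess, now + STEP_UP_WINDOW + 1))
    out["two_factor_still_enabled"] = acct.two_factor_enabled
    return out
```

Running `demo()` shows the cookie-only session denied on both the reveal and the 2FA-disable, a wrong code or wrong master password failing the step-up, the reveal succeeding only inside the freshness window, and the disable attempt after the window expiring back to "denied". The same `require_fresh_step_up` gate is what the thread asks for on both actions; the window length and the decision to hash the master password while keeping loyalty passwords recoverable are design choices of this example.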
Old Jul 30, 2015 | 5:09 pm
  #28  
50 Countries Visited
All eyes on you!
20 Years on Site
 
Join Date: Aug 2003
Location: London, UK
Programs: bmi DC, BAEC
Posts: 1,959
Originally Posted by ckpeter
They have already clarified that there was not a system weakness.
I would say that a failure to require users to set complex passwords is a clear system weakness.

Further comments have highlighted the lack of password re-entry requirement for the display of saved passwords - sounds to me like another system weakness.

Originally Posted by ckpeter
Given that someone guessed your (weak?) password and got all your account information, I would say AwardWallet would be invaluable in tracking down rogue redemptions.
I agree that AW can be incredibly useful. Maybe they should only operate on the "locally saved" password basis. Thankfully I set up my AW account like that from the start.
fartoomanyusers is offline  
Old Jul 30, 2015 | 6:19 pm
  #29  
All eyes on you!
20 Years on Site
 
Join Date: Sep 2005
Posts: 2,738
Originally Posted by Andrew.Smith
I would say that a failure to require users to set complex passwords is a clear system weakness.

Further comments have highlighted the lack of password re-entry requirement for the display of saved passwords - sounds to me like another system weakness.

I agree that AW can be incredibly useful. Maybe they should only operate on the "locally saved" password basis. Thankfully I set up my AW account like that from the start.
Agreed. While in some ways it is the users' responsibility to set a strong and unique password, knowing how many people don't observe proper password practice, AW should still make it a requirement to do so.

Just to clarify though, AW does force you to re-enter the master password before displaying your saved account password, so that part is secure.
ckpeter is offline  
Old Jul 30, 2015 | 9:27 pm
  #30  
FlyerTalk Evangelist
40 Countries Visited
5M
100 Nights
20 Years on Site
 
Join Date: May 2002
Location: Pittsburgh
Programs: MR LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus, HH Gold, Hertz PC, National Executive, etc.
Posts: 31,670
Originally Posted by StartinSanDiego
This is serious. How are they able to reassure the rest of us?
If you use the same password on AW as elsewhere, and your password is stolen elsewhere, how is AW supposed to prevent/reassure you?

But allowing a password to equal your id is simply unacceptable - for both the user and the vendor.
CPRich is offline  