FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   United Airlines | MileagePlus (https://www.flyertalk.com/forum/united-airlines-mileageplus-681/)
-   -   UA Account Hacked / Reports of Fraudulent Award Travel Redemption (https://www.flyertalk.com/forum/united-airlines-mileageplus/1538481-ua-account-hacked-reports-fraudulent-award-travel-redemption.html)

MSPeconomist Jul 18, 2014 8:10 pm

Isn't your password the following:

password

It's supposedly a very common choice.

Bonehead Jul 18, 2014 9:44 pm


Originally Posted by mahasamatman (Post 23220734)
Those are Personal Identification Number Numbers, right? And I'm guessing you also use ATM machines?


Cellular data is no more secure than wi-fi.

How does one break into a secured hot spot?

kettle1 Jul 19, 2014 12:22 am


Originally Posted by Bonehead (Post 23221043)
How does one break into a secured hot spit?

What is a hot "spit"? I had one of those in MSY. It came out both ends at the same time.

Did you mean - spot?

And the French Quarter is not a great place to "spit".

I count the #2 (gotta go) bus and trolley a great salvation to hearing Johnny Cash playing "Ring of Fire".

And that is what it was. Damn, New Orleans can make some strong gumbo. :cool:

emcampbe Jul 19, 2014 12:49 am


Originally Posted by cfischer (Post 23220632)
... even UA agents are asking for PINs for simple transactions.

Would you prefer the option where agents don't verify who is calling with your account info? Would you up UA's security grade if anyone could call in with your account # and book award flights, make changes, etc.?

Now I certainly would agree with an argument that they should probably use an automated system, like some other companies do, to verify your PIN. That way, you don't have to speak it, where anyone within earshot and the agent themselves know what it is. Or I would get the argument that one should be able to disable their PIN for use on United.com. But personally, I agree with the idea that an agent in some way verifies a PIN before a transaction where they debit miles from my account, or even verifies basic information on the account.

kettle1 Jul 19, 2014 1:14 am

Just make it a one digit number. That makes it easy on both ends. Why complicate this with a four digit password. Easier would be no password. My fingers hurt already (typing this), forget a password. Everyone is happy!

exwannabe Jul 19, 2014 6:35 am


Originally Posted by JB123 (Post 23220112)
She said that there has been a rash of this happening due to people using wifi in hotels.


Originally Posted by WineCountryUA (Post 23220165)
very correct --- public wifi is very public unless using VPN. HTTPS is a little help.

It is HTTPS that provides the security, wifi encryption provides little.

Secure wifi does not secure your information end-to-end, only over the air. If the data is not secure via https, then it can still be gathered once the data is back on the wire.

Even relaying through a VPN does not protect you. It will be decrypted at the other end of the VPN, and is then public.

All one does via secure wifi or VPN is move the "eavesdrop" point.

HTTPS is secure. Yes, the Heartbleed bug in OpenSSL did exist, but that was very brief and I do not know of real-world attacks via it.

Assuming UA has a valid https login, then the breaches could come through many sources:

. Human engineering (a caller claiming to be UA asking for your PIN)
. Infected computers
. Use of 3rd-party computers (NEVER do this for confidential data)
. Internal security breaches
. Brute-force guessing of PINs

All of these are vastly more likely than recording wifi data over the air and cracking the https security. UA's reply to JB was sad.

except a 4-digit PIN is F-.
1+

cfischer Jul 19, 2014 7:08 am


Originally Posted by emcampbe (Post 23221339)
Would you prefer the option where agents don't verify who is calling with your account info? Would you up UA's security grade if anyone could call in with your account # and book award flights, make changes, etc.?

I'd prefer I could do more myself online and wouldn't have to call so often to get simple things accomplished.
There are many ways this can be made more secure ... ever called a bank or credit card company?

Happy Jul 19, 2014 11:51 am


Originally Posted by WineCountryUA (Post 23220602)
regardless of what you use the PIN option is still there in your MP account and a bruteforce attack is always a risk.

I thought, at least in theory, a password using both upper and lower case, numeric values and special characters would be MUCH HARDER for a brute-force attack than just a 4-digit combo.

Club Carlson just made me change my existing password to the above format.

WineCountryUA Jul 19, 2014 11:56 am


Originally Posted by Happy (Post 23222967)
I thought, at least in theory, a password using both upper and lower case, numeric values and special characters would be MUCH HARDER for a brute-force attack than just a 4-digit combo......

You can have a strong password but the PIN is still an available access method. You cannot disable PIN access on your MP account. :td:

Happy Jul 19, 2014 7:49 pm


Originally Posted by WineCountryUA (Post 23222991)
You can have a strong password but the PIN is still an available access method. You cannot disable PIN access on your MP account. :td:

I did not know that. IIRC, BA made you choose password and once you opted that, there would be no more PIN access.

I think DL has done the same.

bajrbajr Jul 19, 2014 8:14 pm


Originally Posted by exwannabe (Post 23221904)
Assuming UA has a valid https login, then the breaches could come through many sources:

. Human engineering (a caller claiming to be UA asking for your PIN)
. Infected computers
. Use of 3rd-party computers (NEVER do this for confidential data)
. Internal security breaches
. Brute-force guessing of PINs

All of these are vastly more likely than recording wifi data over the air and cracking the https security. UA's reply to JB was sad.

1+

as to "brute force" hacking... isn't the account locked after 3 incorrect pin entries?

mahasamatman Jul 19, 2014 10:58 pm


Originally Posted by cfischer (Post 23222007)
There are many ways this can be made more secure ... ever called a bank or credit card company?

Yes, and there's virtually no security there that you can't get from digging someone's bill out of the trash can.


Originally Posted by kettle1 (Post 23221383)
Just make it a one digit number. That makes it easy on both ends.

Binary!


Originally Posted by Bonehead (Post 23221043)
How does one break into a secured hot spit?

I don't believe this forum should be a lesson on breaking security. Suffice it to say that it can be done more readily than your phone company would like you to believe. Digital security is an illusion.

exwannabe Jul 20, 2014 2:47 am


Originally Posted by JB123 (Post 23220112)
I spoke to a very nice woman at United security. They were able to deactivate the gift cards before the person could use the miles. The person changed my e-mail address to be one letter different (on yahoo) and had the gift cards e-mailed to that address. Yesterday when I changed the PIN it was sent to the bad guy's e-mail address. ...

I do hope UA emails the original address upon a change; if not, this is a HUGE issue because in practice email access can reauthorize almost any account.

People should realize that the email account they use in conjunction with "valuable" accounts needs to be treated as a high security account.

exwannabe Jul 20, 2014 2:56 am


Originally Posted by bajrbajr (Post 23224582)
as to "brute force" hacking... isn't the account locked after 3 incorrect pin entries?

If ALL channels are correctly locked after 3 false attempts, I agree. But given that airline security in general sucks, I would not count on this.
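
Added example, written for this page and not from any poster or from United: it puts numbers on exwannabe's point above that a 4-digit PIN only holds up if every channel locks out, and on the earlier exchange between Happy, WineCountryUA and bajrbajr about PIN versus password keyspace and lockout after three wrong tries. The script compares keyspaces and then simulates an attacker walking the PIN space across three self-service channels under three lockout policies. The channel names, the three-strike threshold and the three policies are assumptions for illustration, not United's actual implementation.

```python
import math

# Assumed self-service channels that all accept the same PIN (illustrative, not UA's real list).
CHANNELS = ("web", "phone_ivr", "mobile_app")
PIN_SPACE = 10_000  # 0000-9999


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


class PinAccount:
    """Toy account whose PIN check applies one of three lockout policies:
    'none' (no lockout), 'global' (failures counted across all channels),
    'per_channel' (each channel keeps its own counter)."""

    def __init__(self, pin: str, policy: str = "global", lock_after: int = 3):
        if policy not in ("none", "global", "per_channel"):
            raise ValueError(policy)
        self.pin = pin
        self.policy = policy
        self.lock_after = lock_after
        self.failures = {c: 0 for c in CHANNELS}
        self.total_failures = 0

    def is_locked(self, channel: str) -> bool:
        if self.policy == "global":
            return self.total_failures >= self.lock_after
        if self.policy == "per_channel":
            return self.failures[channel] >= self.lock_after
        return False

    def verify(self, channel: str, guess: str) -> str:
        """Return 'locked', 'ok' or 'wrong'. Lock state is checked before the guess."""
        if self.is_locked(channel):
            return "locked"
        if guess == self.pin:
            return "ok"
        self.failures[channel] += 1
        self.total_failures += 1
        return "wrong"


def brute_force(pin: str, policy: str, lock_after: int = 3) -> dict:
    """Attacker walks 0000..9999, rotating across open channels and dropping a
    channel once it reports 'locked'. Returns whether the PIN was found and how
    many guesses were accepted before it was found or everything locked."""
    acct = PinAccount(pin, policy, lock_after)
    open_channels = list(CHANNELS)
    guesses = 0
    for i in range(PIN_SPACE):
        guess = f"{i:04d}"
        while open_channels:
            channel = open_channels[0]
            result = acct.verify(channel, guess)
            if result == "locked":
                open_channels.pop(0)  # this channel is done; try the next one
                continue
            guesses += 1
            open_channels.append(open_channels.pop(0))  # round-robin to spread failures
            if result == "ok":
                return {"found": True, "guesses": guesses}
            break
        if not open_channels:
            break
    return {"found": False, "guesses": guesses}


def success_probability(policy: str, lock_after: int = 3) -> float:
    """Chance one run guesses a uniformly random PIN: accepted guesses / keyspace.
    Trying the last PIN in the walk yields the maximum number of accepted guesses."""
    worst = brute_force("9999", policy, lock_after)
    return worst["guesses"] / PIN_SPACE


if __name__ == "__main__":
    print(f"4-digit PIN: {keyspace_bits(10, 4):.1f} bits; "
          f"8-char mixed (94 symbols): {keyspace_bits(94, 8):.1f} bits")
    for policy in ("none", "global", "per_channel"):
        print(policy, brute_force("4821", policy), f"p={success_probability(policy):.4f}")
```

The per-channel policy is the case exwannabe is warning about: three channels with independent counters give the attacker nine tries instead of three, and any channel with no counter at all collapses to the "none" case, where the whole 10,000-entry space is walked in one sitting.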

Tchiowa Jul 20, 2014 7:21 am


Originally Posted by exwannabe (Post 23225431)
If ALL channels are correctly locked after 3 false attempts, I agree. But given that airline security in general sucks, I would not count on this.

I'm curious about something. I added someone as a traveller on my MP account so I could give them a reward ticket. I got an automated e-mail from United telling me my account had been changed. Didn't the OP get an e-mail when the hacker changed the info in his account?
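
Added example, written for this page and not from exwannabe, Tchiowa or United, of the email-change handling that exwannabe's post above asks for and the change notification Tchiowa's post describes: the new address is held pending until it is confirmed from that address, the old address gets a notice with a revert token, any PIN-reset mail keeps going to the confirmed address, and a new address within a couple of edits of the old one (the one-letter-different trick JB123 described) is flagged as a lookalike so the caller can require step-up authentication. The sample addresses, tokens and the Outbox stand-in are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample addresses (not the thread's real ones): the attacker's address
# differs from the member's by a single character, as in the attack JB123 described.
MEMBER_EMAIL = "traveler@yahoo.com"
LOOKALIKE_EMAIL = "traveier@yahoo.com"


def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance; cheap enough for email-length strings."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(old: str, new: str, max_distance: int = 2) -> bool:
    """A new address within a couple of edits of the old one deserves step-up auth."""
    return old.lower() != new.lower() and levenshtein(old, new) <= max_distance


@dataclass
class Outbox:
    """Stand-in for the mail sender; records what would have been sent."""
    sent: List[dict] = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


@dataclass
class Account:
    email: str  # confirmed address; the only one ever used for resets
    pending_email: Optional[str] = None
    confirm_token: Optional[str] = None
    revert_token: Optional[str] = None


def request_email_change(acct: Account, new_email: str, outbox: Outbox) -> dict:
    """Hold the change pending: notify the OLD address (with a revert token) and
    ask the NEW address to confirm. Nothing changes until confirm succeeds."""
    acct.pending_email = new_email
    acct.confirm_token = secrets.token_urlsafe(16)
    acct.revert_token = secrets.token_urlsafe(16)
    outbox.send(acct.email, "Email change requested on your account",
                f"If this was not you, revert it with token {acct.revert_token}")
    outbox.send(new_email, "Confirm your new address",
                f"Confirm with token {acct.confirm_token}")
    return {"applied": False, "lookalike": is_lookalike(acct.email, new_email)}


def _token_matches(expected: Optional[str], supplied: str) -> bool:
    return expected is not None and hmac.compare_digest(expected, supplied)


def confirm_email_change(acct: Account, token: str) -> bool:
    """Apply the pending change only with the token that was sent to the new address."""
    if not _token_matches(acct.confirm_token, token):
        return False
    acct.email = acct.pending_email
    acct.pending_email = acct.confirm_token = acct.revert_token = None
    return True


def revert_email_change(acct: Account, token: str) -> bool:
    """The old address can cancel a pending change; nothing to revert once confirmed."""
    if not _token_matches(acct.revert_token, token):
        return False
    acct.pending_email = acct.confirm_token = acct.revert_token = None
    return True


def send_pin_reset(acct: Account, outbox: Outbox) -> str:
    """Reset mail goes to the confirmed address only, never to a pending one."""
    outbox.send(acct.email, "PIN reset", "Your PIN reset link")
    return acct.email


if __name__ == "__main__":
    outbox, acct = Outbox(), Account(email=MEMBER_EMAIL)
    print(request_email_change(acct, LOOKALIKE_EMAIL, outbox))
    print("PIN reset went to:", send_pin_reset(acct, outbox))
    print([m["to"] for m in outbox.sent])
```

The property that matters for JB123's case is the last function: while the change is pending, a PIN reset still lands in the member's real mailbox, and the old-address notice arrives before the attacker can act on anything.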




This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.