Suspended MP Accounts / Username Access Disabled / 3rd Party Security Breach-Dec 2014
#121
Join Date: Mar 2013
Posts: 363
Why is it now that I can't log on to MP accounts
using user names ?
I help book flights for 7/8 members of my family.
How the hell UA expect me to remember all their acct numbers ?
Has this glitch been there or is it something new ?
Thanks
#122
Join Date: Dec 2009
Location: New York, NY
Programs: Hyatt GLOB, Marriott Lifetime PLT, UA 1K 1MM.
Posts: 1,728
The UA and AA customer usernames were compromised a few weeks ago, so they turned it off in response.
http://consumerist.com/2015/01/12/th...rips-upgrades/
seemed reasonable to me.
#124
Join Date: Apr 2014
Posts: 409
UA website - remove PIN?
I only recently noticed that one can log in to the UA website with the 4 digit PIN I was forced to create. A 4 digit password is pretty absurd. Is it possible to require the 'full' password that I have on my account for logging into the site?
#126
Join Date: Jan 2013
Location: BOS
Programs: Hyatt Discoverist, Marriott/SPG/Hilton Gold, PreCheck + Clear
Posts: 2,306
On the plus side, the website is designed not to allow brute force guessing, so it's not as if someone could run a simple script to log into your account. Still, I'm with you in hoping PINs are removed from the new site when it launches later this year.
#127
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.997MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,859
#129
Join Date: Jan 2006
Posts: 134
No, both password and PIN are always enabled at present.
On the plus side, the website is designed not to allow brute force guessing, so it's not as if someone could run a simple script to log into your account. Still, I'm with you in hoping PINs are removed from the new site when it launches later this year.
So while no one is attacking your account with the live United system (and getting locked out), if anyone gets the password tables (even if hashed and salted) pins are trivial to break.
And most companies like to not disclose unauthorized access to these credentials.
Four digit credentials are terrible. Period.
#130
FlyerTalk Evangelist
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,866
Compromised accounts come from brute forcing or password lists against an offline copy of the accounts database usually acquired through some other exploit.
So while no one is attacking your account with the live United system (and getting locked out), if anyone gets the password tables (even if hashed and salted) pins are trivial to break.
And most companies like to not disclose unauthorized access to these credentials.
Four digit credentials are terrible. Period.
Since about three failed login attempts locks the account, the hysteria regarding PINs seems a tad overblown.
#131
FlyerTalk Evangelist
Join Date: Oct 2006
Location: SFO/SJC
Programs: UA Silver, Marriott Gold, Hilton Gold
Posts: 14,891
Security experts for years have been telling people not to use the same passwords on multiple sites, but many don't listen because they want something that makes it as easy as possible for them. But this also leads to insecure accounts. I use a simple password manager. It's both an easy and cheap solution that I argue everybody should be using if they value the security of their accounts.
#132
Join Date: Jan 2006
Posts: 134
They get access to the customer database through an exploit. That database has hashed (not plain text) versions of the passwords and/or pins. That's how most companies store credentials. A username associated with a hashed credential.
They can try billions of combinations (quite easily and quite quickly) offline until they match the hash. Then they can go online and get access.
They're not sitting on united.com guessing PINs. When they go to united.com they already have your pin because they did their guessing offline.
It's like someone wants to make a copy of your house key.
If they walk up to your front door and start trying different keys, they'll get caught quickly.
Instead they get a copy of what your lock is like. They can then try every combo of key until one opens the lock.
Then when they come up to the front door they don't attract attention or get locked out.
That's basic password cracking (multiply this out by millions of users). The length and complexity of that password determines how difficult it is to brute force it.
A four digit numeric password (the pin) can be bruteforced in seconds.
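Added illustration of the offline-cracking argument in the post above (not code from the thread or from United): a per-user salt stops precomputed tables, but a 4-digit numeric PIN leaves the search only 10,000 candidates, so a salted hash is exhausted almost instantly. The salt, the PIN and the salted-SHA-256 storage scheme are constructed for the demo.

```python
import hashlib
import itertools
from typing import Optional, Tuple

# Constructed sample record, as a leaked password table might store it:
# a per-user random salt plus a salted hash of the user's 4-digit PIN.
# The salt and PIN here are made up for this example.
SAMPLE_SALT = bytes.fromhex("a1b2c3d4e5f60718")
SAMPLE_PIN = "4827"

def hash_credential(secret: str, salt: bytes) -> bytes:
    """Salted SHA-256 of a credential (a common, if weak, storage scheme)."""
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()

def recover_pin(target: bytes, salt: bytes) -> Tuple[Optional[str], int]:
    """Offline search over every 4-digit PIN against one leaked record.

    Returns (pin, candidates_tried). The salt defeats precomputed tables,
    but with only 10**4 possible PINs the search is exhausted almost at once.
    """
    tried = 0
    for digits in itertools.product("0123456789", repeat=4):
        candidate = "".join(digits)
        tried += 1
        if hash_credential(candidate, salt) == target:
            return candidate, tried
    return None, tried  # secret was not a 4-digit PIN: keyspace exhausted

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must cover for a secret of this shape."""
    return alphabet_size ** length

def pin_vs_password_ratio() -> float:
    """How many times larger the keyspace of a 12-character random
    mixed-case alphanumeric password is than that of a 4-digit PIN."""
    return keyspace(62, 12) / keyspace(10, 4)

if __name__ == "__main__":
    leaked_hash = hash_credential(SAMPLE_PIN, SAMPLE_SALT)
    pin, tried = recover_pin(leaked_hash, SAMPLE_SALT)
    print(f"recovered PIN {pin} after {tried} of {keyspace(10, 4)} candidates")
    print(f"a 12-char random password has {pin_vs_password_ratio():.1e}x more")
```

Swapping SHA-256 for a slow KDF raises the cost per guess but cannot change the 10,000-candidate ceiling; only a longer, higher-entropy secret does that.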
#133
FlyerTalk Evangelist
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,866
...They get access to the customer database through an exploit. That database has hashed (not plain text) versions of the passwords and/or pins. That's how most companies store credentials. A username associated with a hashed credential.
They can try billions of combinations (quite easily and quite quickly) offline until they match the hash. Then they can go online and get access.
They're not sitting on united.com guessing PINs. When they go to united.com they already have your pin because they did their guessing offline....
#134
Join Date: Jan 2006
Posts: 134
Ok, but as it has been pointed out, users don't use their MP# on any other sites. The trouble likely stems from folks having a username/password to access their UA accounts that is the same as the combination that they use on numerous other sites. The MP#/PIN is therefore potentially much safer from hacks on other sites that would yield troves of usernames and passwords.
Users using the same user/password for multiple sites: doesn't impact me, I don't do that.
United using a 4 digit number to allow access to an account: I care, because that directly impacts me. This is my problem with their security.
When (not if) United gets their customer database taken, everybody's accounts will be accessible.
If they used real security (like requiring a real password and disallowing PINs), only people who chose poor passwords would get compromised.
Those that chose properly random string passwords would be unaffected.
There's a reason no online bank lets you login with just your ATM PIN.
#135
Join Date: Jan 2013
Location: BOS
Programs: Hyatt Discoverist, Marriott/SPG/Hilton Gold, PreCheck + Clear
Posts: 2,306
If they used real security (like requiring a real password and disallowing PINs), only people who chose poor passwords would get compromised.
Those that chose properly random string passwords would be unaffected.
There's a reason no online bank lets you login with just your ATM PIN.