UA initiates Account Security Update (Security Q&A authentication added 2016)
#242
Join Date: Jan 2016
Location: Ex-MSP
Programs: UA: Plat, Marriott: Annual Ambassador, Lifetime Grandfather
Posts: 293
Unfortunately, that's not really the case. My password is secure (30+ characters, multiple numbers, letters of both case, and special characters) and I'm still getting prompted to change my password every time I log in. I'm currently delaying that for the second round of live-beta-testing to happen.
#243


Join Date: Jan 2011
Location: HKG • Ex SFO, NYC
Programs: UA 1K, AA EXP; Marriott Amb; Hyatt Globalist; Shangri-la Diamond; IHG SpireAmb; Hilton D; Accor G
Posts: 3,313
I know next to nothing about password web stuff, but I think the point was United was able to look at an EXISTING (stored) password and know if it met the "strong" criteria. If so, they were not forcing the user to enter a new password.
It was not referencing anything about transmitting the new password.
When you log in, you send UA your current password. UA can at this time test it and determine whether it needs to be updated, without ever storing a cleartext or decryptable version of it.
This functionality does not require there to be a way for UA to look at stored passwords at all.
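Added example, not part of the thread and not United's code: a sketch of the login-time check described in the post above, where the server stores only a salted one-way hash and tests the submitted password against the policy while it is in memory for that request. The policy rule, function names and the in-memory `db` are assumptions for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8  # assumed policy; the thread does not give United's criteria

def derive(password: str, salt: bytes) -> bytes:
    # Salted one-way derivation; only its output is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def meets_policy(password: str) -> bool:
    # Hypothetical "strong" rule: length plus at least one letter and one digit.
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def register(db: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    db[user] = {"salt": salt, "hash": derive(password, salt)}

def login(db: dict, user: str, password: str) -> str:
    """Return 'denied', 'ok' or 'must_change'."""
    record = db.get(user)
    if record is None:
        derive(password, b"\x00" * 16)  # keep timing similar for unknown users
        return "denied"
    candidate = derive(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return "denied"
    # The submitted password exists in memory for this request only, so the
    # policy can be tested now without the server keeping a readable copy.
    return "ok" if meets_policy(password) else "must_change"

if __name__ == "__main__":
    db = {}  # constructed sample accounts
    register(db, "legacy_pin_user", "1234")
    register(db, "strong_user", "correct-horse-42-battery")
    for user, pw in [("legacy_pin_user", "1234"),
                     ("strong_user", "correct-horse-42-battery"),
                     ("strong_user", "wrong-guess")]:
        print(user, "->", login(db, user, pw))
```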
#244
Join Date: Feb 2013
Location: ANC
Programs: AS; Hyatt; Bonvoy
Posts: 1,718
"Why can't I type my own answer?"
-We purposely chose to use preregistered answers as our first form of enhanced authentication to protect against this keystroke logging. We need to ensure that all of our customers have a high degree of security and our research also indicated that some customers had self-entered security answers that would be very easy to guess.
-Not all customers are asked the same questions, and not all customers receive the same potential answers to each question. This randomization is on purpose and designed for your safety and security.
So not everyone gets a security question about their favorite breed of dog with a list of answers that includes - I'm not making this up - "Kuvasz," "Vizsla," and "Xoloitzcuintli" among others?
Seriously, were the people who came up with the questions and answers high on crack?

#245
Join Date: Mar 2010
Location: DAY
Programs: UA 1K 1MM; Marriott LT Titanium; Amex MR; Chase UR; Hertz PC; Global Entry
Posts: 9,400
My point was precisely that that doesn't have to be the case.
When you log in, you send UA your current password. UA can at this time test it and determine whether it needs to be updated, without ever storing a cleartext or decryptable version of it.
This functionality does not require there to be a way for UA to look at stored passwords at all.

As I understand the flow, you can log in with PIN and establish your security questions/answers. At that point, United will either ask you to establish a new password (if you don't have one or if it determines your existing password is "weak")...or will simply bypass the password part if your existing password is "strong" (already meets new criteria).
I am sure that if I am misunderstanding this, someone will be along shortly to correct me. As I mentioned, this is not at all my area of expertise. I just found it interesting as a curiosity since United Insider provided the detail that they evaluate existing passwords somehow.
It is comfortingly consistent for United to roll out this whole thing with all the glitches and warts, but at least we are getting rid of the PIN for on-line access to our accounts. Baby Steps...with some trips and falls...but progress.
#246
Moderator: Budget Travel forum & Credit Card Programs, FlyerTalk Evangelist
Join Date: Aug 2002
Location: YYJ/YVR but currently stuck in Texas
Programs: UA lifetime MM / *A Gold
Posts: 14,177
As I understand the flow, you can log in with PIN and establish your security questions/answers. At that point, United will either ask you to establish a new password (if you don't have one or if it determines your existing password is "weak")...or will simply bypass the password part if your existing password is "strong" (already meets new criteria).
Established 5 stupid questions and answers, but at no time was I asked to update my (what most websites report as) WEAK password

#247
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.034MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 51,470
#248
For what it's worth... I just got through the process for both myself and my son without issue on the website (iPad). The system asked me for passwords after the security questions. I was able to log out and log back in again with the new passwords.
#249
Join Date: Oct 2004
Location: Anywhere but home
Programs: UA 1K/MM, DL SM/MM, AA Gold, HH Dia, PC Plat, ALL Gold, MR Gold
Posts: 4,500
Likely related to this "enhanced" security - can log into my account but log in doesn't stick when trying to search for fares. Can't select the option to search for SWU-able fares nor will it show fare class inventory.

#250
Join Date: Mar 2011
Location: Texas
Programs: AA Gold, Starwood Gold
Posts: 125
The website forced me to update so I did (and I had not been using a PIN, but a password). So, now I can log on, but every time I try to check my reservation or do a search for a trip it "forgets" that I am logged on and I have to do it again. So, my new username and password work, sort of. Does not matter what browser I use, the same situation happens (Win 8).
#251
Join Date: Oct 2007
Location: BOS
Programs: UA MM
Posts: 1,538
It is simply astounding to me that a company that so much wants us to use online systems (so they can employ fewer humans of course) to the extent that we are charged $$ to reserve by phone, can botch up their online system so much. I'm going to hold off doing this as long as possible. My time is too valuable.
#252
Join Date: Sep 1999
Location: SF Bay Area
Programs: UA 1K MM, Accor Plat, Htz PC, Natl ExEm, other random status
Posts: 2,875
So not everyone gets a security question about their favorite breed of dog with a list of answers that includes - I'm not making this up - "Kuvasz," "Vizsla," and "Xoloitzcuintli" among others?
Seriously, were the people who came up with the questions and answers high on crack?


I seriously don't know the answers to some of the questions (including what month my wife and I met - I know when we first started dating, but not when we met), and the answer lists to some of the questions don't include the correct answer (e.g., the make of my first car).
I understand the rationale for not wanting people to type the answer, but there weren't actually 5 questions to which I can reliably remember the answers, so I'm going to have to write them down and leave copies in places where I can find them.
Which sort of defeats the purpose, huh?
Greg
#253
Join Date: May 2010
Location: AVP & PEK
Programs: UA 1K 1.7MM, AVIS PC
Posts: 5,163
Exactly! The answers to the posed questions were simply impossible for me to determine, especially with the limited answer selection. I simply chose the first option to each question. My favourite fruit was APPLES growing up and my LEAST favourite fruit was also APPLES.
Oy vey!
#254
Join Date: Jul 2007
Location: Berlin
Programs: BA Silver; Accor Plat; IHG Diamond; Meliá & HH & Marriott Gold
Posts: 5,230
You're not alone. Also, many people just won't have answers to some questions (I never wanted to be anything when I grew up, for instance).
For now, I've changed passwords without adding 'security' questions. Let's see what happens next.
#255
Join Date: Dec 2011
Location: DSM
Programs: UA 1K, AA EP, DL PL, HH Dia, Marriott Gld, National Exp
Posts: 714
I updated my account login info last week without incident (so far). Today I called in to ask for ORC and the agent asked me for my "PIN or password."
I was surprised she added the "or password" since I thought with all the new security changes the PIN was gonna be exactly for when you call in so the password would stay confidential.