
UA initiates Account Security Update (Security Q&A authentication added 2016)


Old Feb 13, 16, 4:58 pm
  #121  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,700
Originally Posted by findark
Assuming it's like most other security-question based authentication systems, you also need access to the email account in question in order to gain unauthorized access to the account.
Nope, you don't. Answer the two questions right and you can pick a new password right there in the browser.

It's that bad.
raehl311 is offline  
Old Feb 13, 16, 5:00 pm
  #122  
 
Join Date: Mar 2012
Location: IAD
Programs: UA GS, 1MM; Marriott Lifetime Titanium Elite
Posts: 561
I just went to the site, always log on with MP# and password, which does nothing and returns to the home screen.

fricking amateur hour.

anyone figure out the solution?


I just chose 'forgot' password, and reset and I am in now.
fivevsone is offline  
Old Feb 13, 16, 5:07 pm
  #123  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,700
They do appear to lock your account after ONE failed password reset attempt.

Which while mitigating the obscene stupidity of the whole thing, just means when you forget what your "favorite kind of movie" was 5 years ago you have to call in to reset your password.

On top of that, they don't just lock your account against changing passwords, they LOCK YOUR ACCOUNT ENTIRELY. Can't log in AT ALL unless you call them.

So if someone else tries to reset your password, you can't log into your account at all until you call them.



This all is so phenomenally stupid that whoever was in charge of this really, really, really needs to be fired.
raehl311 is offline  
Old Feb 13, 16, 5:09 pm
  #124  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,700
Originally Posted by fivevsone
I just went to the site, always log on with MP# and password, which does nothing and returns to the home screen.

fricking amateur hour.

anyone figure out the solution?


I just chose 'forgot' password, and reset and I am in now.


After checking what happens when you put in a wrong answer to the security questions, I got an email saying my account was locked from any logins at all until I call 1-800-421-4655.

So those of you who can't get into your account might try calling that number.

Has to be between 7 AM and Midnight central.
raehl311 is offline  
Old Feb 13, 16, 5:10 pm
  #125  
Dub
 
Join Date: Sep 2000
Location: Boston
Programs: UA 1K, 2MM
Posts: 956
Originally Posted by raehl311
They do appear to lock your account after ONE failed password reset attempt.

Which while mitigating the obscene stupidity of the whole thing, just means when you forget what your "favorite kind of movie" was 5 years ago you have to call in to reset your password.

On top of that, they don't just lock your account against changing passwords, they LOCK YOUR ACCOUNT ENTIRELY. Can't log in AT ALL unless you call them.

So if someone else tries to reset your password, you can't log into your account at all until you call them.



This all is so phenomenally stupid that whoever was in charge of this really, really, really needs to be fired.
You are kidding! I have to call them??? This is insane!
Dub is offline  
Old Feb 13, 16, 5:13 pm
  #126  
 
Join Date: Mar 2012
Location: IAD
Programs: UA GS, 1MM; Marriott Lifetime Titanium Elite
Posts: 561
Originally Posted by fivevsone
I just went to the site, always log on with MP# and password, which does nothing and returns to the home screen.

fricking amateur hour.

anyone figure out the solution?


I just chose 'forgot' password, and reset and I am in now.


Upon logging out and trying to log back in with my new password, I am back to being stuck on the home page.

Glad I don't need to actually buy a ticket or something...

so incredibly STUPID
fivevsone is offline  
Old Feb 13, 16, 5:13 pm
  #127  
 
Join Date: Oct 2004
Location: Anywhere but home
Programs: UA 1K/MM, DL SM/MM, AA Gold, HH Dia, PC Plat, ALL Gold, MR Gold
Posts: 4,478
After the repeated loop of answering 2 "security" questions in Firefox, I tried IE and was able to answer a 3rd security question and then enter a new password. Looks like some compatibility issues with Firefox.
FlytheTail is online now  
Old Feb 13, 16, 5:20 pm
  #128  
 
Join Date: Apr 2012
Location: ORD/EGE
Programs: UA GS/Global Entry
Posts: 191
Also cannot log in. Needed to book a ticket. Good thing AA flies the same route and I can log into my AA account!

What a joke this is. Get your act together UA IT. When was the last time you saw a reputable online business like Amazon mess up like this? Trick question: never!
UAGLOBAL is offline  
Old Feb 13, 16, 5:31 pm
  #129  
 
Join Date: Sep 2005
Location: BOM-SIN-EWR
Programs: UA*G (1K again), Sixt Plat, *was*: SQ QPP01 & SK EBS/EBG, LH SEN, AA EXP, 9wPlat
Posts: 8,534
*And* to top it off, my javascript blocking one or more of their tracking websites:

doubleclick.net

ensighten.com

maxymiser.net

google-analytics.com

googleadservices.com


Makes my Firefox browser unusable when trying to price out itineraries while logged in now.

So, United is apparently datamining and wishes to track our personal browsers...
SuperFlyBoy is offline  
Old Feb 13, 16, 7:03 pm
  #130  
 
Join Date: Apr 2008
Location: RDU
Posts: 4,764
Originally Posted by raehl311
This all is so phenomenally stupid that whoever was in charge of this really, really, really needs to be fired.
I work in IT and I agree. I think this change wasn't sufficiently tested. Some VP or Project Manager needs to be taken out to the woodshed.
zitsky is offline  
Old Feb 13, 16, 7:06 pm
  #131  
 
Join Date: Aug 2012
Location: SLC
Programs: DL FO, KM, & 1.7MM; UA nothing; HH♦; National EE
Posts: 6,344
Originally Posted by zitsky
Some VP or Project Manager needs to be taken out to the woodshed.
Or the cowshed?
Howste is offline  
Old Feb 13, 16, 7:33 pm
  #132  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,700
Originally Posted by zitsky
I work in IT and I agree. I think this change wasn't sufficiently tested. Some VP or Project Manager needs to be taken out to the woodshed.
Testing isn't the (only) problem.

The problem is the design is horrible, period. Even if they rolled it out and it worked exactly as it's been designed to, the following things would still be true:

- You have a 1 in 100 chance of gaining access to any Mileage Plus account you know the name and number to.
- To reset your password, you have to answer "security questions" with answers you had to select from drop-down lists, many of which are questions about your tastes. Like I'm going to remember 5 years from now what movie genre I thought I liked the most...
- If you fail your password reset ONCE, or if ANY OTHER PERSON tries to hack your account and fails, it doesn't just prevent your password from being changed, it LOCKS OUT YOUR ACCOUNT ENTIRELY until you call.


These are just plain bad design decisions. These bad decisions were made before any of the software was written. Someone had to come up with them and someone had to sign off on them.


The fact that that happened indicates absolute complete incompetence on the part of the parties responsible.
raehl311 is offline  
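
[Added example, not part of any post in this thread and not United's code.] The reset policy described in post #132 (two drop-down answers, one strike, whole-account lockout) modeled next to an assumed alternative that mails a one-time token and throttles only the reset path. Class names, the constructed answers and the ten-choices-per-question figure (what "1 in 100" implies for two questions) are assumptions.

```python
import hmac
import secrets

class DescribedFlow:
    """Reset policy as the posts describe it: two answers, one strike, full lockout."""
    def __init__(self, answers):
        self.answers, self.locked = tuple(answers), False

    def reset(self, guess):
        if self.locked:
            return False
        if tuple(guess) != self.answers:
            self.locked = True      # blocks login as well, until a phone call
            return False
        return True                 # new password is chosen right in the browser

    def can_login(self):
        return not self.locked

class HardenedFlow:
    """Assumed alternative: mailed one-time token, throttling confined to reset."""
    MAX_TRIES = 5

    def __init__(self):
        self.token, self.tries = None, 0

    def request_reset(self):
        self.token, self.tries = secrets.token_urlsafe(32), 0
        return self.token           # sent to the address on file, never shown in-browser

    def reset(self, token):
        if self.token is None:
            return False
        self.tries += 1
        ok = hmac.compare_digest(token, self.token)   # constant-time comparison
        if ok or self.tries >= self.MAX_TRIES:
            self.token = None       # single use; burned after too many misses
        return ok

    def can_login(self):
        return True                 # reset failures never touch the login path

def guess_odds(options_per_question, questions=2):
    """Chance that one blind guess passes a drop-down question challenge."""
    return 1 / options_per_question ** questions

def third_party_miss():
    """Someone other than the owner fails one reset attempt against each flow."""
    old = DescribedFlow(("comedy", "blue"))           # constructed answers
    old.reset(("drama", "red"))
    new = HardenedFlow()
    new.request_reset()
    new.reset("wrong-token")
    return old.can_login(), new.can_login()
```

third_party_miss() shows the owner locked out of login under the described policy after a stranger's single miss, while the token-based flow leaves login untouched.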
Old Feb 13, 16, 8:59 pm
  #133  
 
Join Date: Mar 2012
Programs: Mileage Plus 1K; Marriott Platinum; Hilton Gold
Posts: 6,354
Originally Posted by raehl311
Testing isn't the (only) problem.

The problem is the design is horrible, period. Even if they rolled it out and it worked exactly as it's been designed to, the following things would still be true:
....


These are just plain bad design decisions. These bad decisions were made before any of the software was written. Someone had to come up with them and someone had to sign off on them.


The fact that that happened indicates absolute complete incompetence on the part of the parties responsible.
For the IT experts out there, I have two questions:

How likely is it that the design decisions on this cluster of a security enhancement were all signed off on during the Smisek regime?

How long and how much effort is needed to fix this mess?
transportprof is offline  
Old Feb 13, 16, 9:10 pm
  #134  
 
Join Date: Jan 2008
Location: EAU
Programs: UA 1K, CO Plat, NW Plat, Marriott Premiere Plat, SPG Plat, Priority Gold, Hilton Gold
Posts: 4,700
Originally Posted by transportprof
For the IT experts out there, I have two questions:

How likely is it that the design decisions on this cluster of a security enhancement were all signed off on during the Smisek regime?
Likely, but also not something that would have risen up to Smisek level review. This is really something that the IT department should make "just work" for the company, and your CTO (or United equivalent) is the person whose head should roll.

How long and how much effort is needed to fix this mess?
Now that they've made it live, a lot more effort. Even if they did it "right" and could just roll back the changes tomorrow, they still have to deal with a bunch of customers who now think they have passwords and security questions, which means whatever they do to fix it now has to have a migration path from both the original system and this "middle" system.

What they should do immediately is stop asking people to choose passwords and security questions. Then fire whoever was responsible for this. Then find whoever when this was first being discussed said it was a poor design and make them in charge and go back to the drawing board.

If they have competent in-house people who have just been being overruled by incompetent people, at least 6 months. If they need to go hire some people who are competent, a year.
raehl311 is offline  
Old Feb 13, 16, 9:16 pm
  #135  
Suspended
 
Join Date: Sep 2014
Posts: 3,072
This is probably the busiest travel site on the internet and the thread is only four pages long, which suggests the problem is mostly isolated to a small percentage of users.
jsk1973 is offline  
