How Not to Handle Password Security
Recently Hilton’s Hhonors loyalty program asked me to reset my password in an attempt to increase security. That makes sense after the high-profile security breaches at websites like Target.com. They dangled a 1000-point reward for early action, so of course I hopped over and reset my password.
Today I had need to log in to Hhonors and found that my password (saved via a password assistant, so definitely correct) was not accepted. I requested a password reset email, completed the process properly, and got a failure message. So I had to call customer service.
They informed me that the new passwords have to be exactly eight characters, only one capital letter, only one number, and no special characters. Their new “system” didn’t work with any variations, or longer passwords. Not only that, but the password reset screen is inaccurate; it tells customers that it accepts a much wider (and more secure!) set of password variations, including 8+ characters and special characters.
No One’s Happy
This is a total fail. Hhonors is forcing everyone to choose insecure passwords; an eight-character password with a single capital letter and a single digit is an easy password to crack. Customers who use more secure passwords are then locked out of their accounts. Customer service is bogged down with unnecessary calls, having to tell customers about password rules that aren’t even on the password reset page.
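To put a number on how much the enforced rule shrinks the search space, here is an added example (my own code, not anything from Hilton's system). It assumes the enforced rule means exactly 8 characters with exactly one uppercase letter, exactly one digit and six lowercase letters, and that the advertised rule means 8 or more printable ASCII characters; the password strings and guess rate are constructed for illustration.

```python
import math


def matches_enforced_policy(pw: str) -> bool:
    """Assumed reading of the rule customer service described:
    exactly 8 characters, one uppercase, one digit, nothing special."""
    return (len(pw) == 8
            and sum(c.isupper() for c in pw) == 1
            and sum(c.isdigit() for c in pw) == 1
            and all(c.isalnum() and c.isascii() for c in pw))


def matches_advertised_policy(pw: str) -> bool:
    """Assumed reading of what the reset page advertises:
    8+ characters, any printable ASCII including specials."""
    return len(pw) >= 8 and all(32 <= ord(c) <= 126 for c in pw)


def enforced_keyspace() -> int:
    """Count every password the enforced rule accepts: 8 slots for the
    capital, 7 left for the digit, 26 capitals, 10 digits, and 26 lowercase
    choices for each of the remaining 6 slots."""
    return 8 * 7 * 26 * 10 * 26 ** 6


def unconstrained_keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of a fixed length drawn from a full alphabet."""
    return alphabet_size ** length


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (log2)."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at an assumed guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    # Constructed sample: passes the page's advertised rule, fails the enforced one,
    # which is exactly the lockout described in the post.
    long_pw = "correct-Horse9battery"
    print(matches_advertised_policy(long_pw), matches_enforced_policy(long_pw))
    for label, space in [("enforced 8-char rule", enforced_keyspace()),
                         ("8 printable ASCII", unconstrained_keyspace(95, 8)),
                         ("12 printable ASCII", unconstrained_keyspace(95, 12))]:
        # Assumed offline guess rate of 1e9/s, only to make the scale concrete.
        print(f"{label}: {bits(space):.1f} bits, {seconds_to_exhaust(space, 1e9):.0f} s")
```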
So in short: Less security. Unhappy customers. Unhappy customer service. And an inaccurate website that wastes my time.
In my opinion, any public system that doesn’t accept special characters or long passwords is run by an incompetent CTO. Period. In 2015, there is no excuse for forcing your customers into less-secure accounts.