Curse you, Alaska Airlines registration system

People forget their website passwords constantly, and having them talk to some customer support type is very expensive. As an aid to automatic password recovery, web sites have taken to recording "personal questions" that are semi-private but that you presumably already know the answer to (e.g., where did you go to school). Then, they can ask these questions when you ask for a password reset, which still doesn't require a human. Now, anyone who does much research about me knows that I attended the University of Lagos, but it (at least in theory) raises the bar for a casual attacker.

I recently had occasion to register for an Alaska Airlines online frequent-flyer account and was confronted with a form that demanded four personal questions. Aside from the obvious pain in the ass for users (you've just doubled the time it takes to fill in the form), there's an obvious privacy risk. If you actually fill in each of these questions truthfully, Alaska has a bunch of information about you they wouldn't otherwise have. Indeed, some of their questions (which come from a drop-down list so you can't input your own) include mother's maiden name, father's birthday, etc. You can, of course, lie, but this defeats the point of the personal questions, since now you have to remember your lies (or write them down on the same post-it you wrote down the password on).

To make matters worse, it potentially turns Alaska's security problems into your security problems. I might trust Alaska's privacy policies, but if someone breaks into their system and steals my questions and answers[1], that's not a good thing, especially if people are stupid enough to actually give Alaska their mother's maiden name, which I'm sure they are.

And of course all of this is used to secure access to your frequent flyer account.

1. Yes, Alaska could hash the responses, but that makes it hard to deal with minor variations in case, punctuation, etc., so I doubt they do.
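As an added illustration of the footnote's point (this is example code, not anything from the original post or from Alaska's system), the snippet below canonicalizes an answer before hashing it with a salted, slow KDF, so that harmless variations in case, punctuation, accents and spacing still verify while only a hash is stored; the normalization rules and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed example: the site never stores the plaintext answer, only a
# salted PBKDF2 hash of a canonical form of it. Canonicalizing first is
# what lets a hash tolerate "minor variations in case, punctuation, etc."
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def normalize_answer(answer: str) -> str:
    """Map 'São Paulo, Brazil!' and 'sao paulo brazil' to the same string.

    Steps: Unicode NFKD decomposition, drop combining marks (accents),
    case-fold, strip punctuation, collapse runs of whitespace.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    lowered = unaccented.casefold()
    no_punct = re.sub(r"[^\w\s]", "", lowered)
    return " ".join(no_punct.split())


def hash_answer(answer: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) for the normalized answer; a fresh random
    salt is generated when none is supplied (enrollment time)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash over the normalized candidate and compare in
    constant time, so the check leaks nothing through timing."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)
```

The trade-off is that every variation you fold together slightly reduces the answer's entropy, so keep the normalization to variations users genuinely make by accident.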


2 Comments

I'm with you on the criticism of Alaska, but I think they need to be shown a better way.

I'm a frequent Alaska Air user, and the username/password that you speak of controls more than my frequent flyer account. It allows me to cancel flights, check in for flights, request ticket refunds, change seating, and print boarding passes. The username/password deserves more security than my Hotmail account.

If you have a reasonable password-derivation tool, then you don't really have to worry about forgetting your password, so you can just use garbage (or additional derived passwords) as answers to their personal questions. Even better, some websites allow you to specify the question as well as the answer; thus, you can put the site's current URL in as the question, so that if they ever change their URL, you can still get the old one back (when they ask you the question) and feed it into your password-derivation tool to recover the password.
