10 May 2009 @ 07:14 am
Who does JetBlue's web tech?  
Last weekend we tried printing boarding passes from a hotel computer, so I thought it would be a good time to change the password I use on the JetBlue site.  I logged in successfully to my account there and went to the preferences page which, reassuringly enough, asked for my current password before allowing me to change it. 

And it (repeatedly, and in different browsers) rejected the same password I'd used to log into the site.

So I called JetBlue and was passed along to someone at the appropriate desk who said she'd tested my password and it worked.  (I'm used to a system where the admins can't actually see passwords at all, but I do recognize that there are places that work a different way.)  She offered to walk me through the process.  To save her time, I repeated the process myself and told her what I was doing.  And, predictably, the password failed.  So she (reasonably) asked what I was entering.  And I told her.  As it happens, there was a capital letter in the string, and as soon as I said so she stopped me:  "It's all lower case."  Except, of course, that it shouldn't have been, because what I entered included mixed-case letters, and mixed-case let me log into my account on the site.

I would very much like to figure out how to tell someone just how wrongheaded I think this is.  I could even be civil about it.
 
 
 
Jason Parker-Burlinghamnooks on May 11th, 2009 04:24 am (UTC)

Brrr. Passwords in plain-text and silently truncating case are two of the Three Horsemen of Password Apocalypse. The last is what Smith Barney did to me by making the "create your password" field be (say) 8 characters long and the "enter your password to log in" text entry field 10. I like long passwords, so that took a lot of careful typing and counting to resolve.