Oh, so what; you’re not going to tell me?

It should be fine for me to ask, Priceline does…

I’ve seen references to a ‘popular travel site’ using this question from years ago, but I certainly never expected to see this in 2009. When you log in to the Priceline.com site, it asks for your email address and your security question (or as they call it, your sign in question). I was shocked when I used Priceline to book recent travel to the West Coast and had to set my login preferences.

One of the options under personal information is to set your security question to “What is your preferred internet password?”. I’d have to say that’s irresponsible AT BEST.

Well, at least it’s a secure https page, right? ;)


# # #

jj

Author, speaker, and recognized authority on network and wireless security architectures, Jennifer (JJ) Minella helps organizations solve technical problems and align teams.


4 comments

  • […] Often this identity is all you need to carry out that password reset; gain control of an email address or account and you have instant access to a mind-boggling array of personal accounts and information. Often the ‘forgotten password’ link simply asks you for your address, sometimes you may be prompted for more information – ‘mothers maiden name,’ ‘place of birth,’ ‘month of birth’ etc – social media anyone. Some sites even ask you for ludicrous validators like “your preferred internet password.” […]

  • Rev,
    I have no clue how they’re storing the data (intact or hashed). I’d assume it’s hashed just as a password would be. The sign in page is an https, so the entry should be sent across the wire encrypted (if all is in order). You’d be surprised how many log-in pages are NOT encrypted.

    Either way, that’s a ridiculous question to ask since the vast majority of the public re-use passwords for everything from email to Myspace and bank accounts.

    -jj
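The comment above assumes the answer to the sign-in question is hashed "just as a password would be." As an added illustration (not Priceline's code, and not the author's), here is what that means in practice: the answer is normalized, salted, and run through a slow key-derivation function, and the stored record is only ever compared with a constant-time check. The iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (an assumption for this example;
# tune to the server's capacity).
ITERATIONS = 200_000
SALT_LEN = 16  # bytes of random salt per stored answer


def normalize_answer(answer: str) -> str:
    """Canonicalize free-text answers so "Smith " and "smith" verify alike.

    Unicode NFKC + casefold + whitespace collapse; done before hashing on
    both the enrolment and verification paths so the stored hash matches.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    The plaintext answer is never stored; only the salted derived key is.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, iterations
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: enrol an answer, then check a differently-cased entry.
    record = hash_answer("Fluffy")
    print(record)
    print(verify_answer(record, "  fluffy "))   # True
    print(verify_answer(record, "fluffy2"))     # False
```

Hashing only protects the stored copy; it does nothing about the point made in the post, which is that an answer of "your preferred internet password" is a credential the user almost certainly reuses elsewhere, so the question itself is the weakness regardless of how the answer is stored.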

  • I would hope that they are encrypting the responses to those questions… But what do you think the likelihood of that actually is? Even if they are encrypting the responses, you are absolutely correct in pointing this out. We all know that users tend to reuse the same passwords over and over again. In specifically asking for their “Preferred” password… should that table ever be subjected to compromise…