Olaf 'Rhialto' Seibert (rhialto) wrote,

Extremely weak "passwords" on klm.com website

Executive Summary: 6-digit PIN codes do not offer sufficient protection for personal information on a web site!

Recently I became a KLM Flying Blue "frequent flyer". For that one can of course log in on klm.com with a password. Well... password... a "PIN". Just digits. The default length is 4, and the maximum is 6! Obviously this is ridiculously unsafe! There is a lot of personal information "protected" by that PIN, such as passport numbers...
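To put numbers on why a 4- or 6-digit PIN is so much weaker than a real password, here is an added example (my own illustration, not code from the post or from KLM). It compares the keyspace, entropy and expected attack effort for the two PIN lengths mentioned above against an 8-character mixed-case alphanumeric password, under two attacker models: a throttled attack on a single account, and a "spray" attack that tries the same few guesses against many accounts, which per-account lockout does not stop. The guess rate, lockout threshold, account population and uniformly random PINs are all constructed assumptions, not facts about klm.com.

```python
from __future__ import annotations

import math

# Constructed assumptions for illustration only (not figures from klm.com or the post):
ATTEMPTS_BEFORE_LOCKOUT = 5         # assumed per-account tries before lockout
ACCOUNTS_IN_POPULATION = 1_000_000  # assumed number of targetable accounts
GUESSES_PER_SECOND = 10.0           # assumed throttled online guess rate, one target


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Entropy in bits if the secret is chosen uniformly from `space`."""
    return math.log2(space)


def expected_seconds_single_target(space: int, guesses_per_second: float) -> float:
    """Expected time to hit one uniformly chosen secret: half the space on average."""
    return (space / 2) / guesses_per_second


def expected_accounts_compromised(space: int, attempts_per_account: int, accounts: int) -> float:
    """Horizontal (spray) attack: try the same few guesses on every account.

    With a uniform secret each attempt succeeds with probability 1/space,
    so the expected yield is accounts * attempts / space. A per-account
    lockout bounds `attempts_per_account` but does not change this formula;
    only keyspace and population size do.
    """
    return accounts * attempts_per_account / space


def compare(policies: dict[str, tuple[int, int]]) -> dict[str, dict[str, float]]:
    """Evaluate each (alphabet_size, length) policy under the assumptions above."""
    report: dict[str, dict[str, float]] = {}
    for name, (alphabet, length) in policies.items():
        space = keyspace(alphabet, length)
        report[name] = {
            "keyspace": space,
            "bits": entropy_bits(space),
            "single_target_days": expected_seconds_single_target(space, GUESSES_PER_SECOND) / 86400,
            "spray_yield": expected_accounts_compromised(
                space, ATTEMPTS_BEFORE_LOCKOUT, ACCOUNTS_IN_POPULATION
            ),
        }
    return report


if __name__ == "__main__":
    policies = {
        "4-digit PIN (the default)": (10, 4),
        "6-digit PIN (the maximum)": (10, 6),
        "8-char mixed-case alphanumeric password": (62, 8),
    }
    for name, row in compare(policies).items():
        print(f"{name}:")
        print(f"  keyspace             {int(row['keyspace']):,}  ({row['bits']:.1f} bits)")
        print(f"  single target, days  {row['single_target_days']:.2f}")
        print(f"  spray yield          {row['spray_yield']:.4f} accounts expected from "
              f"{ACCOUNTS_IN_POPULATION:,} accounts with {ATTEMPTS_BEFORE_LOCKOUT} tries each")
```

Under these assumptions a 4-digit PIN falls to a throttled single-target attack in minutes and a 6-digit one in well under a day, while the spray attack is expected to open hundreds of 4-digit accounts and a handful of 6-digit ones without ever tripping a lockout. The uniform-PIN assumption is generous to the defender: user-chosen PINs cluster heavily on a few values, so the spray yield computed here is a lower bound.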
 
I tried to tell this to the customer service, but (also of course) they didn't even understand what I was talking about.
 
To make things confusing, there are apparently two different logins. If you just book a flight, you can access that information later on, and for that an actual password of sufficient strength is possible. That is called a "KLM account".
 
Things got confusing when I first only had a booked flight and hence a "KLM account", but later added the "Flying Blue account". You log in for both through the same login form.
 
https://www.klm.com/home/nl/nl#g_np_mya-overlay=1&mya-np=0
And apparently, once you have the "Flying Blue account" it doesn't accept the password for the "KLM account" any more (if both have the same email address used for logging in).
 
If it *had* accepted the password there, I would probably not even have noticed that you can also login with the weak PIN.
 
My main worry is the incredible stupidity of digit-only PIN codes that are also at most 6 digits long (and the default is 4, for instance when you reset it). What to do to get the appropriate people to look at it and get that strengthened?

And if you want to double-check it for yourself... if you click "inschrijven" (or "register" maybe) you'll see you can register for 2 different kinds of accounts, and the Flying Blue one wants a PIN while the other one wants a password...