I just love how every single website and application reinvents the wheel when it comes to how people log in.
For instance, Radisson Rewards is now forcing me to reset my password for "Suspicious activity" on my account. For my security and privacy, you say.
What was my old password?
gantlet3SCAM!biology
Which is weird, because normally my password would be longer than that... OK, fine, let's reset it.
Go through the password reset flow, I ask my trusted 1Password to generate a new one. What's the new password?
auburn5spin4greeting_pasteup8COIF
OK, that's more like it. But what's this, password not accepted??
Password must contain the following: Between 8 - 20 characters
My new password is rejected for being TOO LONG.
What, please, I beg you, do you do with my password that it can't be more than 20 characters? Do you perhaps store it in plain text, instead of hashed in a modern way? 🤦‍♂️
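To make the point concrete, here is an added example (mine, not Radisson's code, which nobody outside the company has seen) of what a sign-up handler looks like when passwords are salted and run through a memory-hard KDF: the only length ceiling it needs is a generous one that bounds KDF cost, so the 33-character password above is accepted without complaint. The `CAPPED_MAX`, `SANE_MAX` and scrypt parameters are my assumptions for illustration; the 8-20 rule is the one quoted in the post.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# The policy quoted on the reset page: "Between 8 - 20 characters".
MIN_LEN = 8
CAPPED_MAX = 20
# What a hashed scheme can afford: a ceiling that only exists to bound KDF
# work per login attempt (denial-of-service), not to fit a column width.
# 256 is an assumed value for illustration.
SANE_MAX = 256

# scrypt cost parameters (assumed, moderate for a demo; tune to your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, DIGEST_LEN = 16, 32


def accepts_password_capped(password: str) -> bool:
    """The 8-20 rule from the post: rejects the longer, stronger password."""
    return MIN_LEN <= len(password) <= CAPPED_MAX


def accepts_password_hashed(password: str) -> bool:
    """Policy for a site that hashes: length only bounds KDF cost."""
    return MIN_LEN <= len(password) <= SANE_MAX


def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, memory-hard derivation; the output length is fixed regardless
    # of how long the input password is, so storage never depends on it.
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DIGEST_LEN,
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest for storage. Raises on policy violation."""
    if not accepts_password_hashed(password):
        raise ValueError(f"password must be {MIN_LEN}-{SANE_MAX} characters")
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    return salt + _kdf(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt; constant-time compare."""
    if not accepts_password_hashed(password):
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_kdf(password, salt), digest)


if __name__ == "__main__":
    old_pw = "gantlet3SCAM!biology"                 # 20 chars, from the post
    new_pw = "auburn5spin4greeting_pasteup8COIF"    # 33 chars, from the post
    print("capped policy accepts new password:", accepts_password_capped(new_pw))
    print("hashed policy accepts new password:", accepts_password_hashed(new_pw))
    record = hash_password(new_pw)
    print("stored record bytes:", len(record))
    print("login with correct password:", verify_password(new_pw, record))
    print("login with old password:", verify_password(old_pw, record))
```

Note the stored record is always 48 bytes whatever the password length, which is exactly why a cap of 20 has no storage justification once hashing is in place.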
And since you care so much for my security, do you offer any modern authentication methods? No, of course not. No mention of 2FA, not even by SMS. Passkeys? HA!
YOU are the reason YOU had to lock down my account and force me to go through password reset. YOU are storing passwords in plain text and not allowing me to further secure my account. The passwords they tried on your site for my account didn't come from me, they came from you and other similarly terrible websites. And the shorter and less secure password I had set before was because of your restrictions.
Honestly, if you're gonna do such a shitty job at account security I'd rather you just outsource the problem and allow log in with Google and Facebook.
Account security grade 2/10, and the only reason it's not a 1 is that you seem to be doing the bare minimum definition of "something" about brute force attacks.
Shame on you, Radisson Hotels. 💩
I bet you feel much better now 😃 I enjoyed the article btw.