Adventures in Password Security: AirAsia

When I created a user account at AirAsia’s website a little while ago, I was surprised to be told to choose a password with a minimum length of 16 characters*. I suspect that the average user’s password doesn’t approach that length (perhaps it would be better if it did). In any case, I duly typed in my combination of letters and numbers and went about my business, happy to believe that such an onerous requirement said something about AirAsia’s commitment to security.

A month down the track, I went back to the website only to find I’d forgotten which password I had chosen – for whatever reason, my browser had not saved my credentials. After a few guesses, I gave up and clicked the ‘Forgot Password’ link (making sure nobody was looking; I must not be the only one embarrassed to have to rely on that feature). I typed in my email address and received a message shortly afterwards.

Lo and behold, there was my 17-character password in plain text, staring right at me.

Oh, well – if someone happens to steal their database, at least it won’t be any of my usual passwords that they find – those are shorter than 16 characters 🙂

(*I see that the requirement is now for only 8 characters.)