Monday, September 24, 2012

Hall of Shame: Virgin America

While logging in with the correct password, I get the error message you see here. If you are like me, you are wondering by now...

  • What happened?
  • Who decided that I need to change my password?
  • Why is that date important?

Anybody who has ever worked in a major corporation for more than a few months knows that this is not the way one makes users change their passwords.
In the real world, forced password resets depend on the time that the user last changed their password, and do not use the password reset process. Normally, you get a simple form which asks for the old password and the new password twice, and you are on your way.

The fact that one needs to do password recovery via email most likely means that Virgin's password database somehow got compromised to the point that they can no longer trust authentication with a password set before April 26th, 2012. There is no other good explanation.