I recently got a mailing implying (but not actually saying) that some of my frequent flight miles on Delta were about to expire, so I thought I should check my status online. Very surprisingly, I didn’t have an online account associated with my frequent flight account, so I got exposure to another registration process.
I eventually got to a page where I could reset my password (I guess there aren’t enough people in my situation to have a separate “set your password” page):
These days, a 6-character password is far too short, and it’s uncommon not to permit special characters at all. The minimum should be at least 8-10 characters. The bright spot is in the fourth bullet where they imply that they are checking submitted passwords against a corpus of common passwords. This is an excellent practice if, in fact, this is what they are doing. I didn’t try any common passwords to check.
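To make the contrast concrete, here is an added sketch (not from the original post and not Delta's code) of a check that enforces a longer minimum, permits special characters, and compares submissions against a corpus of common passwords. The corpus is a tiny constructed sample, the 10-character minimum is an assumption taken from the upper end of the range above, and `legacy_rules_ok` models only the length and character rules as described in this post.

```python
import unicodedata

# Constructed sample corpus (lowercase); a real deployment would load a large
# list of common or breached passwords instead.
COMMON_PASSWORDS = {"123456", "password", "letmein", "password1!", "qwerty12345"}
MIN_LENGTH = 10  # assumption: upper end of the 8-10 character minimum


def normalize(password: str) -> str:
    """NFKC-normalize so look-alike encodings of one password compare equal."""
    return unicodedata.normalize("NFKC", password)


def legacy_rules_ok(password: str) -> bool:
    """Rules as described in the post: 6+ characters, no special characters."""
    return len(password) >= 6 and password.isascii() and password.isalnum()


def check_password(password: str, corpus=COMMON_PASSWORDS) -> list[str]:
    """Return the reasons for rejection; an empty list means accepted."""
    problems = []
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Case-insensitive match, so "Password1!" does not slip past the corpus.
    if pw.casefold() in corpus:
        problems.append("found in common-password corpus")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["123456", "Password1!", "correct horse-battery 42"]:
        print(repr(candidate),
              "| legacy rules accept:", legacy_rules_ok(candidate),
              "| problems:", check_password(candidate) or "none")
```

The length and character rules alone accept `123456` and reject the long passphrase because of its spaces and hyphen, which is why the corpus check is the part of the policy doing the real work.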
Naturally, this was followed by a requirement to answer a couple of security questions:
The best I can say is that there weren’t any particularly ridiculous questions (besides the perennial “first pet”), and about half the questions were a little unusual and travel themed. They shared many of the problems of more usual questions (you might be able to figure out the coolest landmark I have visited from my travel blog, so I didn’t use that one), but at least they are less likely to be shared by many other sites one registers with.
By the way, my miles weren’t expiring; the mail I received just wanted to have me use some of them to buy magazines.