Last week, I wrote about the email that I had received from Marriott regarding my Marriott Rewards account with a suggestion that I should change my password (you can read the article here). Today, when I was trying to log into my account, I was presented with the screen below.
Marriott was forcing me to change the password that I had on file with them. The text below makes no sense at all. To ensure more “secure” passwords, Marriott doesn’t allow any special characters such as *, &, %, _, – etc.
Actually, using these characters would make the passwords safer, not less safe. Not sure what Marriott is thinking here.
When you change your password, you need to confirm your last name and the postal code associated with your account.
@Marriott @MarriottIntl Has the Marriott Rewards account database with passwords been breached? pic.twitter.com/nWGoaOCHra
— LoyaltyLobby (@LoyaltyLobby) August 9, 2013
I tweeted Marriott and asked if their Marriott Rewards database has been breached. A requirement to change the password with this urgency normally indicates a database breach, where someone has had access to the account info and maybe even salted/hashed passwords. You can read more about securing online accounts and passwords here.
Conclusion
Not sure what is going on with the account “security” at many of the US companies. I don’t think that Marriott has come clean about their current account security problems.