They’re telling members to change passwords, thinking that they don’t want the password used on their site to be the same as passwords used elsewhere in case someone else’s data gets breached. (Good luck with that. Many suggest LastPass, though if you use LastPass make sure to change that password as LastPass was hacked.)
There are some basic best practices, a thought that occurred to me as I read this email a reader forwarded from United.
The reset pin link in the email, while convenient as a direct link to the password change page without any other request to authenticate, hardly seems like one of those. I guess it’s ok for United members to click on those links as long as the email actually comes from United, and isn’t an email made to look like it’s come from United, right?
The fact that they don’t ask for your current pin helps give you confidence it’s real; they only want a new pin. That’s enough to be comforting here, right?
And do you think that forwarding United their own email would be good for a million miles?
(HT: Joel G.)