If you need to log into your JetBlue account, you’d better have your password manager ready. The New York-based airline is now requiring most customers to reset their passwords, and—like a lot of organizations that surprise users by requiring a reset of login credentials—it’s not explaining the situation very well.
“Either your username or password is incorrect,” its site greets visitors who attempt to log in with a password they didn’t create in the last 18 months. “If your password was created before Jul 31 2020 please set a new one by selecting ‘Reset password’ below.”
Doing so yields a second prompt, advising JetBlue customers that their new password can’t involve their first name, last name, or username. It also must run at least 10 characters and include a lower-case letter, an upper-case letter, a number, and a symbol.
The short notice and unforgiving rules could invite speculation about a data breach or a foolish adherence to password-expiration dogma that experts dumped years ago. But JetBlue said Wednesday that it’s a result of a previous IT migration.
“In 2020, JetBlue updated our cybersecurity account management tools with a more secure log-in provider and, with that, updated to a new password policy for customers creating accounts or resetting passwords,” spokesman Philip Stewart told PCMag. “While the system change that added this new authentication provider was completed in 2020, we phased in forcing password updates in order to limit the impact to traveling customers.”
This new regime doesn’t seem to allow for older passwords that comply with the new rules. A 15-character JetBlue password that predated 2020 but mixed capital and lower-case letters with numbers and a space (rated as “Excellent” by 1Password) required a reset anyway.
But the real problem isn’t the increase in complexity, it’s the lack of explanation—poor electronic etiquette shared by way too many companies that leave their customers to catch up with their infosec updates.