AA Passwords

 

AA has very strict password rules. Unfortunately, as many of us know, strict password rules do not translate into better security - in fact, in most cases they create a less secure environment. It is called “security theater” - that is, having the appearance of high security (does the TSA come to mind?). One rather bothersome rule that AA has forced upon us is the "90 day expiration" rule. Every 90 days your AA password will expire, and you cannot change your password to the same password – you must chose a completely different one. Security theater.

 

The National Institute of Standard and Technology (NIST) Special Publication 800-63-3, documents new Digital Identity Guidelines, including rules on how to keep passwords secure. Companies like AA get it all wrong when they require password changes even if the server hasn’t been broken into. NIST says that requiring capital letters, digits, special characters, or impose other “composition” requirements do not actually make a site more secure if the result is that users can’t easily remember their password.

 

Oh well...

 

Because a password is required for check-in, you must, must, must always keep your password in mind when scheduling Advance Check-In (ACI). ACI only knows your AA password at the time you schedule it (by the way, it is not stored anywhere online, nor does not save it after a check-in). If you schedule an ACI, and then later change your AA password to a different password you must cancel your ACI and reschedule it. Always.

 

An important thing to also keep in mind when changing your AA password: You may be tempted to use special characters because it makes it easier to remember, but don't. Even though AA says you can use special keyboard characters like !, %, $, &, /, \, etc., what they don't tell you is that some of their authentication protocols don't like them. Plus, anything done through a web browser is subject to web browser rules and anything transmitted through a web browser should be letters and numbers only.

 

Recycle Password

 

But there is a better way: the Recycle Password gofer. All our apps have a Recycle Password feature. What Recycle Password essentially does is this:

• Logs on to AA
• Changes your password multiple times to negate the “it can’t be the same password” rule
• Changes your password back to the original password

Of course, if you use Recycle Password every couple of months, that means you can keep the same password indefinitely. The caveat to Recycle Password: you must have a current, working AA password to recycle it. I cannot have expired, or "expiring in ___ days."

 

When Recycle Password is used, it displays a password expiration date in e.Halo/e.Halo Gofers/Halo so you can keep track of when you need to recycle your password again.

 

If you change your password manually, outside of e.Halo/e.Halo Gofers/Halo, then you may want to clear that password expiration message. That can be done in Preferences with the Clear AA Password Expiration button.

 

AA Password Tips

• Your password should never included special characters such as "#", "?" "+", "/", "&", or "\" – if it does, you must change your AA password to something without those characters in order to use Advance Check-In. Remember, the National Institute of Standard and Technology says that special characters do not make a password more secure. It is a myth that says using a exotic keyboard character makes your password more secure. Simply comply with AA's composition rules: at least seven characters, at least one upper case, at least one lower case, and at least one numeric number.Nothing more.
• Use Recycle Password every month or so
• If you chose to change your password to something different, you must cancel all scheduled ACIs, change your password in e.Halo/e.Halo Gofers/Halo and then reschedule ACIs again