JetBlue

jetblue.com

Last update: May 2024

 

Grade

78/100

C+

 

Grade Breakdown

Username and Password Limitations

JetBlue users log in with their email address and password. JetBlue has the following password requirements:

  • 10 or more characters
  • A combination of 3 or more of:
    • Upper-case letters
    • Lower-case letters
    • Numbers
    • Special characters

Minus 1 point for no custom username. Brownie points for a 10-character minimum length, which is better than most.

4/5

 

Multi-factor Authentication

JetBlue supports email or SMS for login MFA. The SMS option can be disabled, which is good because SMS is a weak form of authentication.

4/5

 

"Forgot Login" Flows

JetBlue has one flow for a forgotten password. It is a straightforward email-based flow: the user enters an email address and receives a link to reset their password. The messaging is the same whether or not the email address is valid.

An attacker would need access to a user's email in order to leverage this flow to access their account, and the flow cannot be used to "look up" whether a certain email address is associated with a JetBlue account.

5/5
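A sketch of how a reset flow with this property can be built, added here as an illustration and not JetBlue's own code. The account store, outbox, token lifetime, reply text and example.com link are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed stand-ins for a real database and mail service (hypothetical).
ACCOUNTS = {"alice@example.com"}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)
OUTBOX = []         # (recipient, reset link) pairs "sent" by email
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not taken from the page
GENERIC_REPLY = "If that address has an account, a reset link has been sent."


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> str:
    """Start a reset. The reply shown to the requester never depends on
    whether the address matched an account."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    # Generate the token before the lookup so both branches do similar work.
    token = secrets.token_urlsafe(32)
    if email in ACCOUNTS:
        # Store only the hash, so a leaked table does not expose usable links.
        RESET_TOKENS[_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
        OUTBOX.append((email, "https://example.com/reset?token=" + token))
    return GENERIC_REPLY


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account email for a valid token and consume it, else None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash(token), None)  # pop makes it single use
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

The link reaches only the mailbox owner, so the on-screen reply gives no signal about which addresses are registered.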

 

Account Change Notification

JetBlue sends an email notification if the email address or password is changed, including to the old email address if that is what changed.

5/5

 

View Login History and Remote Logout

JetBlue does not have a login history or remote logout feature.

0/5