Southwest Airlines

southwest.com

Last update: May 2024

 

Grade

36/100

F

 

Grade Breakdown

Username and Password Limitations

Southwest users log in with their custom username or "account number" (which is the Rapid Rewards number), and password. Southwest has the following password requirements:

  • Between 8 and 16 characters
  • 1 upper-case letter
  • 1 lower-case letter
  • 1 number
  • Certain special characters are allowed: ! @ # $ % ^ * ( ) < > ; : / \

Minus 2 points for the short maximum password length (16 characters).
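The rules above are easy to mirror in code, which is also how a reviewer checks what a policy actually allows. The validator below is an added example written for this page, not Southwest's own code; it assumes that characters outside the listed special-character set are rejected (the page says "certain special characters are allowed", so that reading is an assumption).

```python
import re

# Southwest's stated password rules as listed on this page.
MIN_LEN, MAX_LEN = 8, 16
# Assumption: only these non-alphanumeric characters are accepted.
ALLOWED_SPECIALS = set(r"!@#$%^*()<>;:/\\")


def check_password(pw: str) -> list[str]:
    """Return the list of rule violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    # Anything that is neither a letter/digit nor a listed special is rejected.
    bad = sorted({c for c in pw if not c.isalnum() and c not in ALLOWED_SPECIALS})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a long passphrase is exactly the kind of
    # strong, memorable password the 16-character cap turns away.
    for sample in ("Passw0rd!", "correct horse battery staple", "short1A", "Passw0rd&"):
        print(repr(sample), "->", check_password(sample) or "ok")
```

The passphrase case is the practical cost of the cap noted above: a user cannot pick a long, memorable phrase and is pushed toward short, mutated words instead.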

3/5

 

Multi-factor Authentication

Southwest has no way to configure login MFA.

0/5

 

"Forgot Login" Flows

Southwest has flows to recover the username, change the email address, and reset the password without logging in. If used in tandem, they are ripe for abuse.

The "Forgot login?" flow asks for the user's full name and either their email address or account number. It then presents their 2 security questions (configured when setting up the account).

Correctly answering the security questions displays both the username and account number, whether the user entered their email address or account number on the first page.

The "Forgot login?" page also has a flow for updating the email address. This flow asks for the user's full name and account number.

It then asks for the old email address and provides an obscured version of it as a hint. So if an attacker knew the user's account number but not their current email address, they could potentially glean the email address here.

If the full "old" email address is entered correctly, the 2 security questions are presented. Answering these correctly leads to an email reset page.

See where this is going...?

Finally, the "Forgot password?" flow is pretty much the same as "Forgot login?": the user enters their full name and either their email address or account number, then answers their security questions. A password reset link is then sent via email. An extra quirk is that the account is locked and the password must be changed as soon as this reset link is sent, even if the process is never completed.

If you have been reading closely, you can connect the dots and see how these 3 flows could be used together maliciously. In summary, an attacker could break into a Southwest account like this:

  1. Starting point: know the user's full name and security question answers, and either of the following:
    1. User's email address
    2. User's account number
  2. Use the "Forgot login?" or "Has your email address changed?" flow to figure out the unknown piece of information from step 1
  3. Use the "Has your email address changed?" flow to change the account's email address
  4. Use the "Forgot password?" flow to send a reset link to the new email address and set a new password

...and boom, vacation is ruined. The good news is that the user will at least be notified of the changes to their account and can take action quickly.

What all of this means is that the security of a Southwest account hinges almost entirely on the answers to 2 security questions. It can be assumed that a determined attacker will know a user's full name and email address, so if they also know the security question answers, it's game over. Security-savvy users will know to make their answers complicated and non-guessable, but most people do not treat security questions this way and have answers that are easy to figure out.
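The dependency between the three flows can be made explicit with a small threat model. The example below is added here and is not code from this page or from Southwest: each flow is written as a rule (what it asks for, what it yields) and a forward-chaining search reports which starting knowledge is enough to end in a password reset. Fact labels and flow names are chosen for the example, and the rule that turns the obscured email hint into the full address assumes the worst case for the defender (the page only says the hint could "potentially" reveal it). The `gated_by` helper is a hypothetical hardening, not a Southwest feature.

```python
# Each recovery flow described on this page, modelled as a rule: any one of the
# "needs_any" fact sets unlocks the flow, which then yields the listed facts.
RECOVERY_FLOWS = {
    # "Forgot login?": full name + (email OR account number) + security answers
    # reveals the username and the account number.
    "forgot_login": {
        "needs_any": [
            {"full_name", "email", "security_answers"},
            {"full_name", "account_number", "security_answers"},
        ],
        "yields": {"username", "account_number"},
    },
    # "Has your email address changed?", first page: full name + account number
    # shows an obscured hint of the current email address.
    "email_hint": {
        "needs_any": [{"full_name", "account_number"}],
        "yields": {"email_hint"},
    },
    # Assumption (worst case for the defender): the hint is enough to recover
    # the full address. The page only says this is "potentially" possible.
    "guess_email_from_hint": {
        "needs_any": [{"email_hint"}],
        "yields": {"email"},
    },
    # Same flow, later pages: the full current email + security answers leads
    # to the email reset page, after which the actor controls the address on file.
    "change_email": {
        "needs_any": [{"full_name", "account_number", "email", "security_answers"}],
        "yields": {"controls_email_on_file"},
    },
    # "Forgot password?": the reset link goes to the email on file, so the
    # flow only completes for whoever controls that inbox.
    "forgot_password": {
        "needs_any": [
            {"full_name", "email", "security_answers", "controls_email_on_file"},
            {"full_name", "account_number", "security_answers", "controls_email_on_file"},
        ],
        "yields": {"password_reset"},
    },
}


def reachable(known, flows=RECOVERY_FLOWS):
    """Forward-chain the flows from a set of known facts.

    Returns (facts, order): every fact derivable from `known`, and the flows
    that fired, in the order they became usable.
    """
    facts = set(known)
    order = []
    progress = True
    while progress:
        progress = False
        for name, flow in flows.items():
            if name in order:
                continue
            if any(req <= facts for req in flow["needs_any"]):
                facts |= flow["yields"]
                order.append(name)
                progress = True
    return facts, order


def reset_reachable(known, flows=RECOVERY_FLOWS):
    """True if the starting knowledge is enough to end with a new password."""
    return "password_reset" in reachable(known, flows)[0]


def gated_by(flows, factor="second_factor"):
    """Hypothetical hardening: every flow additionally requires possession of a
    second factor. Not a Southwest feature (the page notes there is no MFA)."""
    return {
        name: {
            "needs_any": [req | {factor} for req in flow["needs_any"]],
            "yields": set(flow["yields"]),
        }
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    for start in (
        {"full_name", "security_answers", "email"},
        {"full_name", "security_answers", "account_number"},
        {"full_name", "email", "account_number"},  # no security answers
    ):
        facts, order = reachable(start)
        status = "reset reachable" if "password_reset" in facts else "stuck"
        print(sorted(start), "->", status, "via", order)
    print("with a second-factor gate:",
          reset_reachable({"full_name", "security_answers", "email"}, gated_by(RECOVERY_FLOWS)))
```

Run as is, the first two starting sets reach `password_reset` while the third, which lacks the security answers, gets no further than the email hint; that is the page's conclusion in executable form. Under `gated_by`, no flow fires without the second factor, which is the single control that would break the chain.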

Minus 2 points for the numerous ways to view and change account information while logged out, creating lots of potential for abuse. Minus 1 point for the inconvenience of locking the account as soon as a password reset is initiated.

2/5

 

Account Change Notification

Southwest sends a notification of what changed to the old and new email address.

5/5

 

View Login History and Remote Logout

Southwest does not have a login history or remote logout feature.

0/5