Spirit Airlines
spirit.com
Last update: May 2024
Grade
22/100
F
Grade Breakdown
Username and Password Limitations
Spirit Airlines users log in with their email address or "Free Spirit" number and their password. Spirit Airlines has the following password requirements:
- Between 8 and 16 characters
- 1 upper-case letter
- 1 lower-case letter
- 1 number
- 1 special character
Minus 1 point for no custom username. Minus 2 points for the 16-character maximum, which caps password length and makes passwords easier to crack than they need to be.
2/5
Multi-factor Authentication
Spirit Airlines has no way to configure login MFA.
0/5
"Forgot Login" Flows
Spirit Airlines has one flow for forgotten passwords. This flow would score well on security if it worked as intended, but in practice it is more or less broken.
The flow asks for the email address or Free Spirit number associated with the account. If that is entered correctly, the user receives an email containing a temporary password. Upon logging in with that password, the user is forced to set a permanent password. The messaging is the same whether or not the user enters correct information, meaning that this flow cannot be used to "look up" whether a certain email address is associated with an account.


There are two major functional issues with this flow. The first is that the password reset email can take much longer than 30 minutes to arrive, if it arrives at all. The temporary password expires after an unspecified time period, meaning that by the time you finally receive and enter it, it might no longer work.
The second problem is that the account is locked as soon as a password reset is requested, even if the process is not completed. Therefore, just trying to reset your password can send you to a state of literal "Spirit-ual" purgatory where you are unable to log in with your old password or set a new one. It seems that this has been a known problem for years:
Why does my login never work? : r/spiritair (reddit.com)
2/5
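The reset flow described above, written out as an added example (not Spirit's code) that keeps the enumeration-safe messaging but avoids the two functional problems: the old password stays valid until the temporary one is actually used, the temporary password is single-use with an explicit lifetime, and the 30-minute TTL and sha256 stand-in hash are assumptions for the sake of a runnable example.

```python
import hashlib
import secrets
from dataclasses import dataclass
TEMP_PASSWORD_TTL = 30 * 60  # seconds; assumed lifetime (the page says it is unspecified)
NEUTRAL_REPLY = "If an account exists for that identifier, a temporary password has been sent."

def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # stand-in for argon2/bcrypt, keeps the example offline

@dataclass
class Account:
    pw_hash: str
    temp_hash: str = ""   # hash of the single-use temporary password; "" when none is pending
    temp_expires_at: float = 0.0
    must_set_new_password: bool = False

class ResetService:
    def __init__(self, accounts: dict) -> None:
        self.accounts = accounts
        self.outbox = []  # (recipient, temp password) pairs standing in for sent emails

    def request_reset(self, identifier: str, now: float) -> str:
        acct = self.accounts.get(identifier)
        if acct is not None:
            temp = secrets.token_urlsafe(12)
            acct.temp_hash, acct.temp_expires_at = hash_password(temp), now + TEMP_PASSWORD_TTL
            self.outbox.append((identifier, temp))
        # Identical reply whether or not the identifier exists, so the flow cannot enumerate accounts.
        return NEUTRAL_REPLY

    def login(self, identifier: str, password: str, now: float) -> str:
        acct = self.accounts.get(identifier)
        if acct is None:
            return "denied"
        given = hash_password(password)
        # The old password keeps working while a reset is pending, so a delayed or lost email never locks the user out.
        if not acct.must_set_new_password and secrets.compare_digest(given, acct.pw_hash):
            return "ok"
        if acct.temp_hash and now < acct.temp_expires_at and secrets.compare_digest(given, acct.temp_hash):
            acct.temp_hash = ""                 # single use
            acct.must_set_new_password = True   # the old password is retired only at this point
            return "set-new-password"
        return "denied"

    def set_new_password(self, identifier: str, new_password: str) -> bool:
        acct = self.accounts[identifier]
        if not acct.must_set_new_password:
            return False
        acct.pw_hash, acct.must_set_new_password = hash_password(new_password), False
        return True
```

Note that a fixed expiry does nothing about slow email delivery; what removes the "purgatory" is that requesting a reset never invalidates the existing password on its own.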
Account Change Notification
Spirit Airlines sends email notifications when certain pieces of account information are changed. However, the password is not one of them. Additionally, if the account's email address is changed, a notification goes only to the new address. Therefore, if an attacker gets access to a user's Spirit password, they can take over the account without the user knowing at all.


The email above only went to my new address, meaning that I wouldn't know if someone maliciously changed it.
1/5
View Login History and Remote Logout
Spirit Airlines does not have a login history or remote logout feature.
0/5