My wife was signing up for an airline’s frequent flyer programme this morning. I was watching over her shoulder when the password field threw a validation error: “Password should not exceed 8 characters.” Not a minimum. A maximum!

Then she tried to paste from her password manager. Blocked. She tried typing a special character. Filtered out at the keystroke level, before it even reached the field. The only multi-factor option was an email one-time code.

When you work in security long enough, you learn to read a login page like a mechanic listens to an engine. Every constraint on a signup form is a clue about the architecture behind it, and this page was telling me a lot.

What the signup page requires

  1. The password must be exactly eight characters long.
  2. Only alphanumeric characters (a-z, A-Z, 0-9) are accepted.
  3. Special characters are blocked at input level. Someone wrote frontend code to reject these keystrokes in real time.
  4. Paste is disabled on the password field. You cannot paste from a password manager through normal interaction.
  5. The sole MFA mechanism is a one-time code sent to the user’s registered email address. No TOTP (authenticator) apps, no FIDO2/passkey support.

What the eight-character limit tells you

As a quick refresher on how modern password storage works: a properly built system never stores your actual password. It runs the password through a one-way, deliberately slow hashing algorithm (bcrypt, scrypt, Argon2) that produces a fixed-length output, and stores that hash. The process is designed to be irreversible, or at least computationally impractical to reverse. When you log in, the system hashes the password you submit and compares the result to the stored hash. If they match, you’re in. The system never needs to know (and should never be able to recover) the original password.

A good implementation also adds a unique random salt to each password before hashing, so that two users with the same password end up with different hashes and every hash has to be attacked separately. Without salting, attackers can use rainbow tables and plain lookup tables: massive precomputed structures that map hashes back to their plaintext inputs. Projects like CrackStation and RainbowCrack maintain freely available tables covering billions of unsalted MD5 and SHA-1 hashes. If your passwords are unsalted, an attacker with the hash database can look up plaintext values almost instantly.

The point is: these algorithms accept long input and always produce a fixed-length output. (bcrypt is the one common exception worth knowing: it only uses the first 72 bytes, which is why published guidance sets a generous ceiling such as 64 or 128 characters rather than none at all; NIST SP 800-63B says verifiers should accept at least 64.) There is no cryptographic reason to cap a password at eight characters. A 50-character password produces the same length hash as an 8-character one!

Yes, some airline backends run on legacy platforms like IBM’s TPF (Transaction Processing Facility) that have inherent field-length constraints. But the presence of a legacy core does not excuse the password policy decisions built on top of it. When you see that cap, you are most likely looking at plaintext storage: a CHAR(8) or VARCHAR(8) column in a legacy database holding the actual password. The other historical explanation is a hash that truncates its input, such as the original DES-based Unix crypt(3), which silently ignores everything after the eighth character; that is only marginally better. A modern hash is always the same fixed length regardless of input, so a system that stores one would have no reason to care whether you typed 8 characters or 80. The fact that input length matters downstream is one of the strongest signals that the raw password, or something a 1970s algorithm derived from its first eight characters, is what gets written to the database.
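To make the fixed-length point concrete, here is an added example (not code from the post or from any airline system) of salted, slow password hashing with the Python standard library’s scrypt binding. The record layout "scrypt$N$r$p$salt$hash" and the work factors are my own choices; the sample passwords are constructed. An 8-character and an 80-character password produce records of exactly the same size, and the verifier never needs the plaintext back.

```python
# Added example, not from the original post: salted, deliberately slow
# password hashing with hashlib.scrypt (Python standard library, OpenSSL
# backed). The stored-string layout "scrypt$N$r$p$salt$hash" is my own.
import hashlib
import hmac
import os
from typing import Optional

N, R, P = 2 ** 14, 8, 1      # scrypt work factors; raise N as hardware gets faster
SALT_BYTES = 16              # fresh random salt per password
DK_BYTES = 32                # derived key length: fixed, whatever the input length
MAXMEM = 64 * 1024 * 1024    # scrypt needs 128*r*N bytes (16 MiB with these factors)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password of any length into a self-describing, fixed-length record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=N, r=R, p=P, maxmem=MAXMEM, dklen=DK_BYTES)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in `stored`; constant-time compare."""
    try:
        algo, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False                       # malformed record
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(dk_hex)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), maxmem=MAXMEM,
                        dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def digest_bytes(stored: str) -> int:
    """Length of the stored derived key: identical for an 8- and an 80-character password."""
    return len(bytes.fromhex(stored.split("$")[-1]))


if __name__ == "__main__":
    short = hash_password("Ab3dEf9h")   # constructed sample passwords
    long_ = hash_password("a passphrase far longer than eight characters, with spaces & symbols!")
    print(digest_bytes(short), digest_bytes(long_))        # same length both times
    print(verify_password("Ab3dEf9h", short), verify_password("Ab3dEf9g", short))
    print(hash_password("same") != hash_password("same"))  # different salts, different records
```

The column that stores these records is a fixed width decided by the hash, not by the user. If an application cares how long the password was, the password itself is what it is storing.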

What the character filter tells you

Banning special characters tells you that something in the pipeline cannot safely handle them. In a properly built system, user input reaches the database as a bound parameter (or is escaped for the exact context it lands in) rather than being spliced into a query string, and a password in particular should never be interpolated into a query at all. When an organisation restricts the character set instead of fixing the handling code, you are likely looking at an application vulnerable to injection attacks, with the character restriction functioning as a band-aid over the vulnerability rather than a fix. The band-aid only covers the one field it is applied to, and it charges every legitimate user most of the keyspace for the privilege.
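The pattern that makes a character ban feel necessary, beside the fix, as an added example (not code from the post or from any airline system). It runs against an in-memory SQLite database with constructed accounts. Plaintext passwords are kept in the table only to isolate the query-handling bug; storage itself should be hashed as described above.

```python
# Added example, not from the original post or from any airline system:
# a login query built by string concatenation beside its parameterised
# replacement, plus the keystroke filter the signup page effectively applies.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "O'Brien;1"), ("bob", "Zz7Qp2Xw")])   # constructed accounts
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Interpolates user input into SQL. Returns (matched_user, status)."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None, "error"     # an apostrophe in a legitimate password breaks the query
    return (row[0] if row else None), "ok"


def login_safe(conn, username: str, password: str):
    """Parameterised query: the driver sends the values separately from the SQL text,
    so quotes, semicolons and SQL keywords in the password are just data."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def signup_page_filter(raw: str) -> str:
    """What the page's keystroke filter amounts to: drop every non-alphanumeric
    character and cut at eight. It does stop the payload; it also shrinks the password."""
    return re.sub(r"[^A-Za-z0-9]", "", raw)[:8]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "O'Brien;1"))   # (None, 'error'): legitimate user locked out
    print(login_vulnerable(db, "bob", "' OR '1'='1"))   # (<a user>, 'ok'): bypass, no password needed
    print(login_safe(db, "alice", "O'Brien;1"))         # 'alice'
    print(login_safe(db, "bob", "' OR '1'='1"))         # None
    print(signup_page_filter("O'Brien;1!"))             # 'OBrien1'
```

The concatenated version fails in both directions: a real password containing an apostrophe cannot log in, and a password of `' OR '1'='1` logs in without one. Parameterising the query fixes both, and it costs the user no characters.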

What disabled paste tells you

Disabling paste on password fields tells you the development team is either unaware of, or has chosen to ignore, published security guidance. The NCSC (UK) and NIST (US, SP 800-63B) have both advised against disabling paste on password fields. This guidance has been published and reaffirmed for close to a decade.

Disabling paste directly undermines the most effective tool ordinary users have for maintaining strong, unique credentials: their password manager. The original justifications (“users should know their password”, “prevents brute force”) do not hold up to scrutiny.

When you also see active keystroke filtering of special characters, you know this goes beyond misconfiguration. Someone wrote code to degrade password strength. That is a deliberate engineering decision.

What email-only MFA tells you

Email OTP is the weakest commonly deployed form of multi-factor authentication. Email is not reliably encrypted end to end (encryption between mail servers is opportunistic, and the code then sits in plaintext in the mailbox), email account compromise is one of the most common attack vectors, and email OTP offers no resistance to real-time adversary-in-the-middle phishing frameworks (Evilginx, Modlishka) that relay the password and the OTP code to the genuine site as the victim types them.

When you see email as the sole second factor in 2026, with no TOTP or FIDO2/WebAuthn option, you are looking at either a team that has not revisited their MFA implementation since it was first built, or one that considered the alternatives and deprioritised them. Phishing-resistant alternatives like FIDO2/WebAuthn passkeys have been production-ready for years.

What the maths tells you

Eight characters drawn from a 62-character alphabet (a-z, A-Z, 0-9) yields:

  • 62^8 = approximately 218 trillion possible combinations
  • Roughly 47.6 bits of entropy

47.6 bits might sound adequate until you see what modern hardware does to it. A single NVIDIA RTX 4090 running Hashcat computes around 50.6 billion SHA-1 hashes per second. That means one consumer GPU can exhaust the entire 62^8 keyspace in about 72 minutes. An eight-card rig (around $16,000 USD in hardware) does it in under 10 minutes.

Against MD5, it is even faster. A single RTX 4090 hits roughly 164 billion MD5 hashes per second, which puts full keyspace exhaustion at about 22 minutes. Eight cards bring that down to around 3 minutes.

And those are brute force times for the entire keyspace. In practice, dictionary and rule-based attacks would crack the majority of real user passwords in seconds, because most people do not generate truly random 8-character strings. A memory-hard hash with sensible work factors would cut those rates by orders of magnitude, which is exactly why the algorithm matters, but the cap still means that even the users who did generate a random string get 47 bits and no more.

If the passwords are stored as plaintext (which, given the other signals, is the most likely scenario), none of this even matters. An attacker with database access reads them directly.

For comparison, a 16-character password from the full printable ASCII set provides roughly 105 bits of entropy. That is the difference between “crackable on a lunch break” and “not crackable before the heat death of the universe.”
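The arithmetic behind those figures, as an added example (not from the post), generalised so you can plug in any alphabet, length range and hash rate. The two hash rates are the single-RTX-4090 figures quoted above; everything else is computed.

```python
# Added example, not from the original post: keyspace, entropy and
# exhaustion-time arithmetic for a password policy. Hash rates are the
# single-RTX-4090 Hashcat figures quoted in the post.
import math
from typing import Optional

SHA1_PER_SEC = 50.6e9   # from the post: one RTX 4090, SHA-1
MD5_PER_SEC = 164e9     # from the post: one RTX 4090, MD5

ALNUM = 62              # a-z, A-Z, 0-9
PRINTABLE = 95          # printable ASCII


def keyspace(alphabet: int, max_len: int, min_len: Optional[int] = None) -> int:
    """Candidates an attacker must try. min_len=None means exactly max_len characters."""
    if min_len is None:
        min_len = max_len
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def entropy_bits(alphabet: int, length: int) -> float:
    """log2 of the keyspace for a uniformly random password of that length."""
    return length * math.log2(alphabet)


def exhaust_seconds(space: int, rate_per_sec: float, gpus: int = 1) -> float:
    """Worst case for the attacker: every candidate tried once."""
    return space / (rate_per_sec * gpus)


def policy_report(alphabet: int, length: int, rate: float, gpus: int = 1) -> dict:
    space = keyspace(alphabet, length)
    return {
        "keyspace": space,
        "bits": round(entropy_bits(alphabet, length), 1),
        "minutes_to_exhaust": exhaust_seconds(space, rate, gpus) / 60,
    }


if __name__ == "__main__":
    print(policy_report(ALNUM, 8, SHA1_PER_SEC))               # ~47.6 bits, ~72 minutes
    print(policy_report(ALNUM, 8, MD5_PER_SEC, gpus=8))        # ~2.8 minutes
    print(policy_report(PRINTABLE, 16, MD5_PER_SEC, gpus=8))   # ~105 bits, on the order of 10^12 years
    # Allowing "up to 8" instead of "exactly 8" adds under 2% to the attacker's work:
    print(keyspace(ALNUM, 8, 1) / keyspace(ALNUM, 8))
```

Two things the function makes visible that the headline numbers do not: letting users pick shorter passwords as well as 8-character ones barely changes the attacker’s job, and every extra character from a larger alphabet is worth more than six bits, which is why the 16-character line is in a different universe from the 8-character one.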

What is actually at risk

A frequent flyer profile holds some of the most sensitive personal data outside of a medical record:

  • Full legal name (as it appears on travel documents)
  • Passport or government ID number
  • Date of birth
  • Residential address
  • Email address and phone number
  • Saved payment card details
  • Complete travel history (dates, routes, companions)
  • Upcoming itineraries
  • Loyalty points balance (which functions as a convertible currency)

Compromised frequent flyer accounts are actively traded. Loyalty points get laundered, sold, or used to book flights for third parties. Travel history and upcoming itineraries are valuable for social engineering and stalking. In documented cases, compromised travel data has been used to facilitate human trafficking logistics.

How this gets exploited

Credential stuffing (partially mitigated). The email OTP does block automated credential stuffing from breached password databases. This is the one thing keeping the lights on. Without the OTP, this system would be trivially compromised at scale given the password constraints.

Phishing with real-time relay. An attacker sends a convincing email (“Your points are about to expire, verify your account”). The victim clicks through to a proxy site that mirrors the real login. They enter their eight-character password. The proxy relays it. The site sends an OTP to the victim’s email. The victim enters it into the proxy. The attacker captures the session token. The email OTP provides zero protection here because the attacker is operating in real time between the victim and the legitimate site.

Email account compromise. If the attacker has access to the victim’s email (via a prior breach, weak email password, or session hijack), the email OTP becomes a formality. They already control the delivery channel for the second factor.

Brute force against leaked hashes. If the password database is ever exfiltrated (and airlines are not immune to breaches), the restricted keyspace means offline cracking will be fast. Every account in the database is at risk, not just the ones with weak passwords, because the policy has made it impossible for anyone to have a strong password.
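Why the relay works against an emailed code and fails against an origin-bound factor, as an added example (not code from the post or from any airline). It is a toy model: the server, the two origins, the user and the credential secret are all hypothetical. The origin-bound path stands in for WebAuthn, which signs client data carrying the origin the browser actually saw with an asymmetric credential key; an HMAC shared between the authenticator side and the server is used here so the whole thing runs stand-alone.

```python
# Added example, not from the original post: a toy model of the two second
# factors the post contrasts. Origins, user and secret are hypothetical; the
# HMAC is a stand-in for WebAuthn's asymmetric signature over client data.
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://airline.example"          # hypothetical relying party
PHISH_ORIGIN = "https://airline-login.example"    # hypothetical relay proxy


class EmailOtpServer:
    """Second factor is a six-digit code delivered out of band."""
    def __init__(self):
        self.pending = {}

    def start_login(self, user: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return code                          # "emailed" to the user

    def finish_login(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.pending.pop(user, ""), code)


class OriginBoundServer:
    """Second factor is a signature over the challenge AND the origin it was signed on."""
    def __init__(self, rp_origin: str, credential_keys: dict):
        self.rp_origin = rp_origin
        self.keys = credential_keys          # user -> per-credential secret
        self.pending = {}

    def start_login(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, client_data: str, sig: bytes) -> bool:
        challenge = self.pending.pop(user, None)
        data = json.loads(client_data)
        if challenge is None or data.get("challenge") != challenge:
            return False                     # replay, or no login in progress
        if data.get("origin") != self.rp_origin:
            return False                     # signed on some other site: phishing
        expected = hmac.new(self.keys[user], client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def browser_sign(key: bytes, challenge: str, origin: str):
    """Browser plus authenticator. The origin is whatever page the user is on,
    filled in by the browser; the user cannot type a different one."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).digest()


def otp_relay(server: EmailOtpServer, user: str) -> bool:
    """Proxy forwards the password, server emails a code, victim types it into
    the proxy page, proxy forwards it. It is the same string, so it is accepted."""
    code = server.start_login(user)
    return server.finish_login(user, code)


def origin_bound_relay(server: OriginBoundServer, user: str, key: bytes) -> bool:
    """Proxy forwards the server's challenge, but the victim's browser is on
    PHISH_ORIGIN, so that is what gets signed, and the server rejects it."""
    challenge = server.start_login(user)
    client_data, sig = browser_sign(key, challenge, PHISH_ORIGIN)
    return server.finish_login(user, client_data, sig)


def origin_bound_legit(server: OriginBoundServer, user: str, key: bytes) -> bool:
    challenge = server.start_login(user)
    client_data, sig = browser_sign(key, challenge, LEGIT_ORIGIN)
    return server.finish_login(user, client_data, sig)
```

The OTP is a bearer string: whoever holds it for the next few minutes is authenticated, and the proxy holds it. The origin-bound factor never exists as a string the victim can hand over; the relay can forward the challenge and the signature, but the signature says "https://airline-login.example" and the server is expecting its own origin.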

What should exist instead

None of this is exotic or expensive technology in 2026.

  • No maximum password length (or a generous one, like 128 characters). Let the hashing algorithm do its job.
  • Full character set support. If your backend breaks on a semicolon, fix the backend.
  • Paste enabled. Let password managers work.
  • Passwords hashed with bcrypt, scrypt, or Argon2id with appropriate work factors. Not MD5. Not SHA-1. Not plaintext.
  • Phishing-resistant MFA. FIDO2/WebAuthn passkeys as the primary option. TOTP apps as a fallback. Email OTP only as a last resort, not the sole option.
  • Rate limiting and account lockout with progressive delays on failed authentication attempts.
  • Credential breach monitoring. Check new and existing passwords against known breach databases (the Have I Been Pwned Pwned Passwords API makes this straightforward).
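The breach check from the last bullet, as an added example (not code from the post): the Pwned Passwords range API works on a k-anonymity model, so only the first five hex characters of the SHA-1 ever leave your host and the match is done locally. The endpoint is real; the range response embedded here is constructed for the example, and the counts in it are made up.

```python
# Added example, not from the original post: Pwned Passwords k-anonymity
# lookup. The range response below is constructed (real ones have hundreds
# of lines) and its counts are invented; the endpoint and protocol are real.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, a well-known value.
# The other three lines are filler suffixes made up for this example.
CONSTRUCTED_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
"""


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str, suffix: str) -> int:
    """Range responses are 'SUFFIX:COUNT' lines; return the count for ours, else 0."""
    for line in body.splitlines():
        sfx, sep, count = line.strip().partition(":")
        if sep and sfx.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (not exercised offline). Add-Padding makes every response
    a similar size so an observer cannot infer the prefix from its length."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "pwcheck-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix), suffix)


def acceptable(password: str, fetch=fetch_range) -> bool:
    """Policy hook for signup or password change: reject anything seen in a breach."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    offline = lambda prefix: CONSTRUCTED_RANGE_RESPONSE
    print(breach_count("password", fetch=offline))     # non-zero: reject
    print(acceptable("Zz7Qp2Xw", fetch=offline))       # True with the constructed data
```

Run at signup and on every password change, this rejects the passwords that credential-stuffing lists are built from, without the service ever learning the full hash of a password that is not its own.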

Reading the full picture

Every one of these antipatterns has been called out in published guidance from NIST, the NCSC, OWASP, and the ACSC for years. This is settled, consensus, baseline-level hygiene.

When you see ALL FIVE of these signals together in one system, you are reading the symptoms of a systemic failure of security governance. Either no one with security authority has reviewed this system in a long time, or someone has, raised the risk, and been told the remediation was not a priority. Either way, it is a red flag that cyber security and customer privacy are not priorities.

The email OTP is doing an enormous amount of heavy lifting as the single control standing between this system and large-scale account compromise. If that control ever fails, or if a phishing campaign targets the user base with a real-time relay kit, the fallback position is an eight-character alphanumeric password hashed with who-knows-what, sitting in a database built on architecture that apparently cannot handle a question mark or apostrophe.

It is, in every sense, a deadbolt on a screen door.

What you can do about it

You can’t fix the airline’s backend, but you can limit your exposure:

  • Use a unique password. Generate a random 8-character alphanumeric string in your password manager and use it nowhere else. Yes, the system forces a weak password. That is exactly why it must be unique. If this database leaks (plaintext or otherwise), a unique password means the blast radius stops here. Reuse the same password you use for your email and you have handed over both factors in one breach.

  • Provide the minimum information required. Most frequent flyer signups ask for passport details, payment cards, and a residential address. Not all of these fields are mandatory. Fill in what the system requires to function and leave the rest blank. You can add passport details when you actually book a flight, through a booking system that may (hopefully) have better security controls. There is no reason a loyalty programme needs your passport number at enrolment.

  • Ask whether the points are actually worth the data you are handing over. Airline loyalty programmes are, at this point, financial instruments that happen to be attached to airlines. During the COVID-19 pandemic, United valued its MileagePlus programme at $22 billion USD, more than the airline’s own market cap at the time. Delta’s SkyMiles was appraised at $26 billion against a company valued at $25.4 billion. American Airlines borrowed $10 billion using AAdvantage as collateral, after appraising it at up to $31.5 billion.

Closer to home, Qantas Loyalty reported a record A$556 million underlying EBIT in FY2025, roughly one dollar in five of the entire Qantas Group’s earnings. The programme has 17 million members in a country of 27 million people. During COVID, when both the domestic and international flying divisions were deep in the red, Loyalty was the single largest positive contributor to Group earnings. Analysts estimate a standalone valuation of A$6.5-8.5 billion, which would make it one of the larger companies on the ASX in its own right.

The bulk of that value comes from selling points to credit card companies and banking partners at 2-3 cents per point, having created them for under half a cent. In 2024, the three major US carriers collected a combined $16.4 billion in co-brand credit card revenue. Without that income stream, none of them were profitable.

Meanwhile, the value of a point to you keeps shrinking. Airlines have moved from fixed award charts to dynamic pricing, with redemption costs rising roughly 15% per year. Qantas increased Classic Flight Reward redemption costs by 10-20% in August 2025, the same month it reported record loyalty profits. Between 10% and 40% of earned miles are never redeemed at all, depending on the programme, and that unredeemed balance is pure profit for the airline.

So the deal on offer is: hand over your full legal name, passport number, date of birth, residential address, payment details, and a complete record of everywhere you travel, to a system that cannot safely store a password. In return, you get points that the airline will systematically devalue, in a programme designed primarily to generate revenue from credit card partnerships rather than to reward you for flying.

For most infrequent travellers, a better strategy is to book the cheapest fare, pay with a general-purpose credit card that earns cashback (which cannot be devalued), and keep your passport number out of systems that treat security as an afterthought.