Starbucks forced PW change today

Status
Not open for further replies.

mmb

Verified Member
#1
Today I was unable to sign onto my online Starbucks account either on my iPad or Laptop.
The site insisted that my sign in information was wrong, either my email address or my password.
I KNEW that I had everything correct.
After several attempts and verifying the info (stored PW on iPad) I was forced to ask for a PW change.
OMG - what a surprise! NOT. Now SB wants my PW to have uppercase letter, lowercase letter, a number and a symbol.
I HATE THESE SHENANIGANS.
When they force me to do this, now I have to write it down somewhere (secure, of course.)
I do have a system for doing this, but I resent all this babysitting and forced change to PWs.
Any GOV website that is used for financial transactions of any sort requires a NEW PW EVERY 90 days.
Yeah, I know I’m shouting but all this just makes my life more difficult.
All of my devices have very excellent PW protection, so the chances of anyone breaking in to them is almost nonexistent.
Additionally, anyone who uses autofill to store user names and PW has just defeated the whole purpose of forced change.
Why are they torturing us like this?
 
#2
Starbucks is late coming into this.

It is not babysitting; it is mitigating liability if they are hacked and people suffer losses or even emotional distress. Class action lawyers file suits over these types of things.
 

mmb

Verified Member
#3
Sorry, I don’t understand.
If they get hacked, they get my PW no matter how many letters, numbers or symbols.
They can either get my old PW or my new one.
What changes ?
 

mmb

Verified Member
#5
No. You get a card and then can load money onto it to pay.
Then you earn points which convert to rewards which are redeemable in stores for food/drinks.
If you get enough points in any one year you get GOLD status and they send you a gold card.
Gives you free item on your BD and free refills on your coffee purchase (during any one visit, of course.)
You can even spend $100 and get a gold metal ‘card!’ I just stick with the gold plastic one. :)
I’m sure I have probably left something out.
I buy the beans and grind at home and get points from those packages too.
Actually - you earn *stars*.
 
#6
> Sorry, I don’t understand.
> If they get hacked, they get my PW no matter how many letters, numbers or symbols.
> They can either get my old PW or my new one.
> What changes ?

It is a question of ease of allowing hackers in -- adding symbols, numbers and capital letters (especially symbols) makes it harder for password guessing software to break into an online account. If a company is lax on security by industry standards then they can be accused of negligence. And negligence leads to lawsuits.

There was a hack of Adobe software in 2013. A class action lawsuit came. Here are excerpts from an article:

https://www.theregister.co.uk/2015/08/17/adobe_settles_claims_for_data_breach/

Adobe has paid an undisclosed amount to settle customer claims and faces US$1.2 million in legal fees after its 2013 data breach which compromised the details of 38 million users.

The creative content king was served a November 2013 class action lawsuit filed in California in which it is claimed "shoddy" security practices led to the breach.


So they were sued for having poor security and had to pay millions. This is why companies are forcing these changes. Soon passwords will be as long as War and Peace -- with symbols, capital letters, and numbers....
 

jsn55

Verified Member
#8
> Today I was unable to sign onto my online Starbucks account either on my iPad or Laptop.
> The site insisted that my sign in information was wrong, either my email address or my password.
> I KNEW that I had everything correct.
> After several attempts and verifying the info (stored PW on iPad) I was forced to ask for a PW change.
> OMG - what a surprise! NOT. Now SB wants my PW to have uppercase letter, lowercase letter, a number and a symbol.
> I HATE THESE SHENANIGANS.
> When they force me to do this, now I have to write it down somewhere (secure, of course.)
> I do have a system for doing this, but I resent all this babysitting and forced change to PWs.
> Any GOV website that is used for financial transactions of any sort requires a NEW PW EVERY 90 days.
> Yeah, I know I’m shouting but all this just makes my life more difficult.
> All of my devices have very excellent PW protection, so the chances of anyone breaking in to them is almost nonexistent.
> Additionally, anyone who uses autofill to store user names and PW has just defeated the whole purpose of forced change.
> Why are they torturing us like this?

mmb, you are SOOOOOOOOOOO RIGHT! It's maddening. And they don't care that we have to keep lists of our passwords, for cryin' out loud. All they care about is their corporate liability. Since there's absolutely no way to isolate anything online from a determined hacker, it's all a game of trying to stay ahead of the bad guys. Instead of grinding my teeth, I think about the lovely efficiency of the internet and creating a password per their instructions is the price I pay for that enjoyment. I'm in the financial field, and I remember barking at my home office IT department years ago; we are required to change the password every three months. I queried the point of that, since I had to write them down and keep them close to my computer. The techie responded "Well, I can remember all my passwords". Well, la-de-dah! This is the kind of mentality we're dealing with. He may be able to remember them all, but he has no other life but his computer. I have 150 passwords, he probably has a dozen. There, I feel better now.
 
#9
> mmb, you are SOOOOOOOOOOO RIGHT! It's maddening. And they don't care that we have to keep lists of our passwords, for cryin' out loud. All they care about is their corporate liability. Since there's absolutely no way to isolate anything online from a determined hacker, it's all a game of trying to stay ahead of the bad guys. Instead of grinding my teeth, I think about the lovely efficiency of the internet and creating a password per their instructions is the price I pay for that enjoyment. I'm in the financial field, and I remember barking at my home office IT department years ago; we are required to change the password every three months. I queried the point of that, since I had to write them down and keep them close to my computer. The techie responded "Well, I can remember all my passwords". Well, la-de-dah! This is the kind of mentality we're dealing with. He may be able to remember them all, but he has no other life but his computer. I have 150 passwords, he probably has a dozen. There, I feel better now.

I'm sure Starbucks would be happy to let people use the passwords they want as long as those people didn't come crying to Starbucks (or Elliott!) when their account is drained by hackers. But if we expect Starbucks to be responsible for losses, it's only fair to allow them to put in place basic protection.

You're right that it's extremely difficult to stop a determined hacker, just as it's very difficult to stop a determined burglar from breaking into a house. But we still lock our doors to stop the non-determined ones...

Everyone should be using a password manager like LastPass or similar these days. The password manager will take care of generating and remembering the complex passwords for each site. You only need to remember one complex password (and use two factor authentication) to protect the password manager account.
 

johnbaker

Verified Member
#10
@mmb Here's the basic math behind why they do it... For a seven digit password with just lower case letters, a hack using brute force would need up to 8,031,810,176 attempts to guess the password. Once you add in a capital, a number and a special character you end up with 1.003 x 10^13 attempts or about 1248 times more.

Now if you were willing to accept 100% liability for anything that happens with your password, I'm sure they'd let you have any password you'd want. Of course, no one is willing to accept that liability.

Be happy, I had a DOD account at one point for some volunteer work I was doing... 15 digits, changed every 3 months and had to contain multiple lower case, upper case, special characters and numbers. One of the reasons I "un-volunteered."


Edit: 1024 times longer can be hard to grasp so here's some examples...

If the first example takes a minute to break... 1024 times longer is 20 hours
If the first example takes an hour to break... 1024 times longer is 52 days
If the first example takes a day to break... 1024 times longer is just under 3 1/2 years
 

jsn55

Verified Member
#11
> I'm sure Starbucks would be happy to let people use the passwords they want as long as those people didn't come crying to Starbucks (or Elliott!) when their account is drained by hackers. But if we expect Starbucks to be responsible for losses, it's only fair to allow them to put in place basic protection.
>
> You're right that it's extremely difficult to stop a determined hacker, just as it's very difficult to stop a determined burglar from breaking into a house. But we still lock our doors to stop the non-determined ones...
>
> Everyone should be using a password manager like LastPass or similar these days. The password manager will take care of generating and remembering the complex passwords for each site. You only need to remember one complex password (and use two factor authentication) to protect the password manager account.

I'm sorry, but putting your passwords into something on the internet so they're "safe"??? This ranks right up there with opening your hotel door with your phone. It's only a matter of time, boys and girls.
 
#12
> I'm sorry, but putting your passwords into something on the internet so they're "safe"??? This ranks right up there with opening your hotel door with your phone. It's only a matter of time, boys and girls.

They're considered a best practice by almost all IT security experts. Please don't scare people away from using them.
 

Barry Graham

Administrator
Staff Member
Director
#13
> They're considered a best practice by almost all IT security experts. Please don't scare people away from using them.

Another best practice is using multi-factor authentication. One specialist I know said (and I agree with him) that with such a system in place, all these rules about changing passwords and having lots of different character types would be unnecessary. Requiring people to change their passwords frequently, etc is just a cop-out to justify them continuing to not have adequate security in place, placing their responsibility on us to make ourselves safe instead. Even changing your personal and having harder-to-guess passwords can't match a system that refuses to allow you to log in (even with the correct password) unless it knows it's really you.
 

mmb

Verified Member
#14
Still trying to understand the hacking aspect of this.
Are y’all saying that someone can hack into the Starbucks server by guessing my PW?
I am under the impression that someone hacks into a website and obtains all of our information, not the other way around.
Believe me, I know how to devise good PWs. My son showed me the math on this stuff years ago. Having a symbol really doesn’t factor into it, especially if someone knows that the vendor requires a symbol.
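
The keyspace arithmetic from post #10, together with the question raised in post #14 about a symbol requirement that the guesser knows about, worked through as an added example (not code from any poster in this thread). It assumes a 72-character alphabet of 26 lower case, 26 upper case, 10 digits and 10 symbols; the symbol count is an assumption, chosen because it reproduces the 1.003 x 10^13 figure.

```python
from itertools import combinations

# Character classes. The symbol count is an assumption: 10 symbols gives the
# 72-character alphabet that reproduces the 1.003 x 10^13 figure in post #10.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 10}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def compliant_keyspace(class_sizes: list[int], length: int) -> int:
    """Strings of `length` containing at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on.
    """
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def min_length_to_match(alphabet_size: int, target: int) -> int:
    """Shortest length at which a single-class password reaches `target`."""
    length = 1
    while keyspace(alphabet_size, length) < target:
        length += 1
    return length


def summary(length: int = 7) -> dict[str, int]:
    """Compare the counts discussed in the thread for one password length."""
    sizes = list(CLASSES.values())
    full = keyspace(sum(sizes), length)
    return {
        "lowercase_only": keyspace(CLASSES["lower"], length),
        "any_of_72": full,
        "rule_enforced": compliant_keyspace(sizes, length),
        "lowercase_length_to_match": min_length_to_match(CLASSES["lower"], full),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>26}: {value:,}")
```

Under these assumptions, only about a third of the 72^7 seven-character strings satisfy the "one of each class" rule, and a ten-letter lower case password already has a larger keyspace than any seven-character password over all 72 characters.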
 

johnbaker

Verified Member
#15
@mmb the "easiest" way to hack a system is called the "brute force" method. Basically, guess your password over and over again until they guess right. It's time-consuming but in the days of short passwords you could crack an account in a day or two (at worst ... my IT cracked a password in an hour once). As passwords have gotten more sophisticated, hackers have had to move to "social engineering" to obtain passwords (phishing, spearphishing, spam are all versions of this). The holy grail is to find a flaw that gives them multiple passwords for the site. These are resold on the dark web. Hackers will buy these lists and then try the same login / password combinations on other websites because let's face it most of us are lazy and use the same combination in multiple places...
 
#16
> @mmb Hackers will buy these lists and then try the same login / password combinations on other websites because let's face it most of us are lazy and use the same combination in multiple places...

This is the biggest thing you can do to ensure security - don't use the same userid/password on multiple sites.
 
#17
> They're considered a best practice by almost all IT security experts. Please don't scare people away from using them.

With respect, I don't know of too many people who recommend that. I'm in IT. I also try to scare people away from using them because if someone gains access to it, they have all the keys to the kingdom. That's insane.

LastPass has been hacked and will be again. It is inevitable. Numerous studies have also shown that making people change their passwords makes them use simple ones they can remember. I see it myself every day. Two factor is good, but the new trend is to port out your number which is easy given the plethora of information that has been leaked already. With enough info, they can port your number right out from under you.

Nothing is perfect, just use best practices. Different passwords for each site are a must. Give as little information as possible. I also never leave accurate security questions. I know what I put for what site, but it's all bogus. Write it down at home if you must. I assure you, your desk at home is far more secure than LastPass.
 