[stephengillie]

When I saw the Sabre password requirements, I couldn't help but imagine that passwords are stored entirely numerically - "badpass" would be entered (hashed?) as "2237277", as in dialing a phone. So the password "abesass" would collide with "badpass" and grant access.

Has Sabre at least upgraded their storage mechanism, or do (did?) they reduce entropy on passwords?

[8_hours_ago]

I was also curious about this and decided to test it. I created a new account with the password "badpassbadpass" (minimum password length of 8!), but I was unable to log in with "abesassabesass". There was also no error when I tried to put a 'q' and a 'z' in my password, so I'm guessing that they've updated their system since the documentation was written.

[squeaky-clean]

I just tried it with 'abcabcabc' as my password. It claims passwords are case sensitive, but both 'abcabcabc' and 'ABCABCABC' work and any variation ('ABCabcaBc' works). Variations based on a phone pad don't seem to work. '123123123' or 'bacbacbac' don't work. I also tried only changing one letter.

>Must contain one letter and one number

Also not true.

>Cannot contain three repeating character

Also not true. I changed my password to 'qqq123123' and could login just fine. Something like 'zzz123123' does not work.

I put way too much effort into this.

[mentat]

So for all those saying that we should just "trust the engineers know what they're doing" this is a pretty damning refutation as far as I'm concerned.

[taejo]

It's possible they store both the original password, for use on the web, and the numeric version, for phones.