Maximizing loyalty applications and bank card rewards have taken me to greater than 60 international locations in my lifetime, and I’ve tried nearly each tip on the market — utilizing transfer bonuses, snagging playing cards with limited-time welcome offers, double- or triple-dipping, and even mattress and mileage working.
However one among my methods is nowhere close to as thrilling — although it is arguably extra vital than all of these issues put collectively.
And it’s…drumroll…a password supervisor.
Here is why try to be utilizing one among these instruments to guard your hard-earned rewards.
What’s a password supervisor, and why do you have to use one?
In essence, password managers function a safe repository to save lots of your login credentials throughout numerous web sites and cellular apps. As well as, they will help generate new passwords whenever you’re organising a brand new account — or updating an present one. This helps guarantee you could have a novel, hard-to-guess password for every of your accounts.
A few of you could have a “favourite” password that is straightforward so that you can bear in mind, and due to that, you employ it throughout all your accounts (no judgment — I used to be there as soon as). Sadly, this makes you extremely weak to a hack. In spite of everything, if that one password makes it to the darkish internet, a hacker may achieve entry to not only one however all of your accounts.
For instance, for instance you set the password in your favourite frequent flyer account to be P@ssw0rd. Whereas this may increasingly fulfill the password necessities of stated program (because it features a capital letter, a quantity and a particular character), it is from safe. In actual fact, a 2025 study from VPN supplier NordPass discovered that this ranked fifteenth on an inventory of essentially the most generally used passwords throughout the globe. The most typical? 123456 — with over 21.6 million cases.
If hackers can discover your account quantity, they’ll strive numerous password mixtures to realize entry.
Nonetheless, a password supervisor could make this almost inconceivable.
Reward your inbox with the TPG Day by day e-newsletter
Be a part of over 700,000 readers for breaking information, in-depth guides and unique offers from TPG’s consultants
I personally use LastPass to safe my passwords, and whereas scripting this part, I requested it to generate a brand new, distinctive password — 16 characters lengthy, with lowercase and uppercase letters, numbers and randomized symbols. Here is what it got here again with:
Hh6BAuXP#OvryiA#
The possibility of a hacker guessing this or perhaps a brute-force computing effort uncovering it’s fairly small. In actual fact, utilizing the above parameters offers over 37 nonillion potential mixtures (that is 37 with thirty zeroes afterward).
After all, there’s little or no probability that I may bear in mind this password myself — which is the place the repository function is available in. All of my distinctive, hard-to-guess passwords are saved seamlessly inside my LastPass vault. Once I have to log in from a trusted system, the password is populated robotically.
Why is that this so vital for loyalty applications?
A password supervisor will help safe all your accounts, however there are some key explanation why loyalty applications are so weak. For starters, these applications do not supply printed or authorized protections, a notable distinction to bank cards, the place the Fair Credit Billing Act caps your legal responsibility for unauthorized costs at $50. Many issuers go even additional, providing $0 fraud legal responsibility for unauthorized purchases.
Associated: How a 10-minute call reversed $2,300 in fraudulent charges on my credit card
That is not the case with most loyalty applications.
For example, this is an excerpt from the phrases and circumstances for a serious airline’s program:
“[Airline name] assumes no duty for and isn’t accountable for any unauthorized entry by third events to a member’s account or account data, together with any unauthorized award transaction made out of the account, besides as supplied beneath relevant legal guidelines. [Airline name] assumes no obligation or responsibility to re-credit any unauthorized mileage withdrawal made by third events; nevertheless, [Airline name] reserves the correct to evaluate, in its sole discretion, requests for re-crediting unauthorized mileage withdrawals supplied such request is made to [Airline name] inside three months of the unauthorized withdrawal.”
As well as, many of those applications do not require two-factor authentication — and even have it as an choice.
To check this, I tried to log in to 6 fashionable airline applications and 4 prime resort loyalty applications from a personal window in a browser I might by no means used earlier than.
| Program | Two-factor authentication? |
|---|---|
|
Textual content message to verify |
|
|
Alternative of textual content or e mail to verify |
|
|
None |
|
|
Electronic mail to verify |
|
|
None |
|
|
Textual content message to verify |
|
|
None |
|
|
None |
|
|
Alternative of textual content or e mail to verify |
|
|
None |
On the time of writing, solely half required a further verification step.
I attempted the very same factor with my accounts throughout seven bank card issuers, and all of them required two-factor authentication, both instantly upon logging in or when clicking into the redemption choices.
Lastly, as soon as inside your account, hackers can shortly burn your rewards on cash-equivalent redemption choices or last-minute journey bookings, within the hopes that you simply will not discover the hack till it is too late — which is precisely what occurred to a number of TPG staffers lately.
Principal spokesperson Clint Henderson had his AAdvantage account hacked in 2024, with almost 400,000 miles burned for last-minute rental vehicles. Later that yr, senior editor Gabrielle Bernardini had a hacker use over 17,000 points from her Southwest Fast Rewards account for a resort for a last-minute resort keep. And just some weeks in the past, managing editor Ben Mutzabaugh acquired a preemptive notification {that a} hacker was making an attempt to make use of his American miles for reward playing cards — although fortunately, this was caught earlier than his account was drained.
Whereas each Clint and Gabby had their balances restored, each required some important time to take action.
Backside line
There are few issues extra irritating on the planet of factors and miles than a hacker utilizing your rewards. Fortunately, there are steps you possibly can take to safe your account — together with using distinctive, hard-to-guess passwords for each one among them. And a password supervisor can play an vital position in saving these credentials so you do not have to recollect lengthy strings of seemingly random characters.
After all, this is not a foolproof resolution, as hackers should still discover a strategy to achieve entry. Nonetheless, it is an vital step so as to add a further layer of safety to your loyalty program accounts, particularly since our exams present that a number of fashionable loyalty applications do not use two-factor authentication.
Should you’re not at present utilizing a password supervisor, I might strongly encourage you to take action — proper now. In any other case, these factors and miles might not be there when you really want them.
Trending Merchandise
