Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

In this case, a legacy system (Sabre) whose origins predate the integrated circuit.

I'm sure a lot has changed since then, but it's a bit scary to wonder what hasn't.



I doubt that the passwords come from SABRE. There is a lot of stuff between the front end and SABRE. I expect Jet Blue manages their own systems that only call SABRE internally.


I interviewed with an airline in the past few years for a project involving migrating its reservations and management systems (interesting tidbit: both maintenance and reservations were tied to the same underlying system). And integration with SABRE was very much a part of the job req.

I passed largely as it seemed that there were some significant organizational issues and wrestling with 60 year old computer systems stopped being my definition of fun a while ago. There were some glitches in the rollout but they got things running by and by.


I don't find that scary. I think it's a testament to the original architects and to the people who maintain it.


It's 2014. Passwords need to be treated as a serious matter. Legacy system or not, there is no good reason to reduce keyspace. As others have mentioned, this is a sign that passwords are being made compatible with old phones without these letters available... and likely the passwords being reduced to numbers before storage. The prohibition of special characters also seems to corroborate this.

Furthermore, the poster below who showed screenshots of being emailed their password indicates JetBlue is storing passwords either in plain-text, or encrypting them (both just as bad), instead of properly cryptographically hashing before storage.


Honestly, if you add one extra digit/character to the password, that more than compensates for the loss of Q & Z. There are lots of circumstances where being able to work with legacy phone systems effortlessly would be most helpful. If you are taking passwords seriously, this might be the very last thing you worry about.


Or emailing them before they hash them.


I'm not sure about that. Sabre is an extremely (assumption) functional tool in an extremely niche market. That makes the barrier to enter it very high, and the barrier to rewrite equally so. Underneath the covers it could be a real piece hung together by duct tape and vacuum tubes, but why rewrite it if it's working and keeping planes in the air?


Because OMG HACKERS. Seriously, why do we have any security on anything?


It's nice to see these thoughts at the top of the thread. I get tired of hearing people in the security industry constantly smirking at "dump developers". They don't have a clue what it's like to develop real code with deadlines. They point fingers at others and call that an accomplishment.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: