How Using a Password Manager Can Protect Points and Miles


Maximizing loyalty programs and credit card rewards has taken me to over 60 countries in my life, and I’ve tried almost every tip out there: using transfer bonuses, picking up cards with limited-time welcome offers, double or triple dipping, and even mattress and mileage runs.

But one of my strategies isn’t all that exciting, although it’s arguably more important than all of those things combined.

And it is… drum roll… a password manager.

Here’s why you should use one of these tools to protect your hard-earned rewards.

What is a password manager and why should you use one?


In essence, password managers serve as a secure repository for storing your login credentials across various websites and mobile apps. Additionally, they can help generate new passwords when you set up a new account or update an existing one. This helps ensure that you have a unique, hard-to-guess password for each of your accounts.

Some of you may have a “favorite” password that you find easy to remember and so you use it on all your accounts (no judgment, I was there once). Unfortunately, this makes you incredibly vulnerable to a hack. After all, if that password finds its way onto the dark web, a hacker could gain access to not just one but all of your accounts.

For example, let’s say you set the password for your favorite frequent flyer account to P@ssw0rd. While this may satisfy the password requirements of that program (as it includes a capital letter, a number, and a special character), it is far from secure. In fact, a 2025 study by VPN provider NordPass found it ranked 15th on a list of the most used passwords worldwide. The most common? 123456 – with more than 21.6 million instances.

If hackers can find your account number, they can try various password combinations to gain access.

However, a password manager can make this almost impossible.

I personally use LastPass to protect my passwords, and while writing this section, I asked it to generate a new, unique password: 16 characters, with lowercase and uppercase letters, numbers, and random symbols. This is what came back:

Hh6BAuXP#OvryiA#

The chance of a hacker guessing this or even a brute force computing effort discovering it is quite small. In fact, using the above parameters gives more than 37 nonillion possible combinations (that’s 37 with thirty zeros after it).
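The contrast between P@ssw0rd and a generated 16-character password can be checked directly. The sketch below is an added example, not code from the article or from LastPass: it shows that P@ssw0rd passes a typical composition rule yet fails a common-password denylist, generates a password from the operating system's CSPRNG, and reproduces the "37 nonillion" figure. The function names and the three-entry denylist are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes matching the generator settings described above:
# lowercase, uppercase, digits and symbols (94 printable ASCII characters).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)

# Constructed sample denylist; a real check would load a full
# common/breached-password list instead of these three entries.
COMMON_PASSWORDS = {"123456", "password", "p@ssw0rd"}


def meets_composition_rules(password: str, min_length: int = 8) -> bool:
    """Typical site rule: minimum length plus one character from each class."""
    return len(password) >= min_length and all(
        any(ch in cls for ch in password) for cls in CLASSES)


def is_common(password: str) -> bool:
    """Case-insensitive lookup in the denylist."""
    return password.lower() in COMMON_PASSWORDS


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG; retry until every class is represented."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_composition_rules(candidate, length):
            return candidate


def search_space(length: int = 16) -> int:
    """Number of possible strings of this length over ALPHABET."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    print(meets_composition_rules("P@ssw0rd"), is_common("P@ssw0rd"))
    pw = generate_password()
    print(pw, is_common(pw))
    print(f"{search_space():.2e} combinations, "
          f"{math.log2(search_space()):.1f} bits")
```

Requiring at least one character from every class trims the search space slightly below 94^16, which does not change the order of magnitude.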

Of course, there is very little chance that I can remember this password myself, which is where the repository feature comes into play. All of my unique and hard-to-guess passwords are stored neatly inside my LastPass vault. When I need to log in from a trusted device, the password is filled in automatically.

Why is this so important for loyalty programs?

A password manager can help protect all your accounts, but there are a few key reasons why loyalty programs are so vulnerable. For starters, these programs offer no legal or published protections, a notable contrast to credit cards, where the Fair Credit Billing Act limits your liability for unauthorized charges to $50. Many issuers go even further and offer $0 fraud liability for unauthorized purchases.

That’s not the case with most loyalty programs.

As an example, here is an excerpt from the program terms and conditions of a major airline:

“[Airline name] assumes no responsibility and is not responsible for any unauthorized access by third parties to a member’s account or account information, including any unauthorized reward transactions made from the account, except as provided by applicable laws. [Airline name] does not assume any obligation or duty to re-credit any unauthorized mileage withdrawal made by third parties; however, [Airline name] reserves the right to review, in its sole discretion, requests for recreditation of unauthorized mileage withdrawals, provided that such request is made to [Airline name] within three months following the unauthorized removal.”

Additionally, many of these programs do not require two-factor authentication, or even have it as an option.

To test this, I tried logging into six popular airline programs and four major hotel loyalty programs from a private window in a browser I’d never used before.

Program Two-factor authentication?

Text message to confirm

Choice of text or email to confirm

None

Email to confirm

None

Text message to confirm

None

None

Choice of text or email to confirm

None

At the time of writing, only half required an additional verification step.

I tried the exact same thing with my accounts from seven credit card issuers, and all of them required two-factor authentication, either immediately after logging in or when clicking on the redemption options.

Finally, once inside your account, hackers can quickly burn through your rewards on cash-equivalent redemption options or last-minute travel bookings, hoping that you won’t notice the attack until it’s too late, which is exactly what’s happened to several TPG employees over the past few years.

Chief spokesperson Clint Henderson’s AAdvantage account was hacked in 2024, with almost 400,000 miles burned for last-minute rental cars. Later that year, senior editor Gabrielle Bernardini had a hacker use more than 17,000 points from her Southwest Rapid Rewards account toward a hotel for a last-minute stay. And just a few weeks ago, editor-in-chief Ben Mutzabaugh received a preemptive notification that a hacker was attempting to use his US miles to obtain gift cards, though fortunately, this was caught before his account was depleted.

While both Clint and Gabby regained their footing, each required considerable time to do so.

In a nutshell

There are few things more frustrating in the world of points and miles than a hacker using your rewards. Fortunately, there are steps you can take to protect your account, including using unique, hard-to-guess passwords for each account. And a password manager can play an important role in saving these credentials so you don’t have to remember long strings of seemingly random characters.

Of course, this is not a foolproof solution, as hackers can still find a way to gain access. However, it’s an important step to add an extra layer of security to your loyalty program accounts, especially since our testing shows that several popular loyalty programs don’t use two-factor authentication.

If you are not currently using a password manager, I highly recommend doing so right now. Otherwise, those points and miles may not be available when you really need them.



About the author
Travel Tales & Trails
