Mike's Musings on customer support, security, passwords, web
Peloton Customer Support
My roommates have a Peloton Bike in the house. It's a neat thing -- it's a stationary bike with a built-in computer (think large tablet) that basically streams live or pre-recorded Spin classes to your house. It's a great way for cyclists to stay in shape during the long winters, especially in Chicagoland, where I live. It is not, however, without its problems.
Keep me logged in
So over the winter, I created my own account on the Peloton bike's computer. This hooks into the Peloton website, and voilà, the integrated solution gives you an account there, too. Helpfully, there's a "Keep me logged in" style checkbox when you sign in, which I made sure to check so that I'd remain logged in.
Since I travel for work during the week, I'm not there to use the bike all the time. In fact, I might even have gone a few weekends without using it. Shocking, I know.
So once, I went back to use it, and I found myself logged out. So much for "keep me logged in."
At that time, I didn't have time to mess with it, so instead I just got off and did something else. Great way to encourage use, that.
Resetting my Password
So yesterday, before flying out for the work week, I went to go use it again. I was still logged out, and didn't remember my password. So I went downstairs, grabbed my laptop, and reset my password using the Peloton website successfully.
Since I use 1Password, I created a strong, secure password -- 50 characters long, containing 3 digits and 2 special characters. Or maybe the number of digits and specials was the other way around. Whatever.
As I always do when I reset my passwords using 1Password, I like to make sure that everything works. So I immediately logged out of the Peloton website and tried to log back in using my shiny new password.
Um....what?
Enter Customer Support
It was at this point that I noticed the Peloton website has a "Start a Live Chat" feature on the site. So...I did.
Before I paste the chat transcript, I want to be very clear: I believe that I received reasonably ok customer support from the Zendesk person who helped me out. He or she, I'm sure, has a script to follow. The script, as you'll see, might need some updating. And while the "resolution" to my issue did not come from the customer support person, they were very professional, and stayed with me for almost 50 minutes. That's an eternity in customer support realms.
I'm going to alter a few things in the chat that aren't really important to get my points across. The main thing I'm changing is the CSR's name, because I really don't believe that matters.
Mea Culpa
The thing that I feel most badly about in the above exchange is that I abruptly ended the chat. I'm sorry for having done that. I should have stuck around to at least say "thank you for your time and help."
Problems, problems, problems
OK, let's see. There are a number of things wrong on the Peloton side that I see in the above exchange.
At 05:10:52, the CSR asked for my password.
Why would they even do that?
Does this mean that passwords are stored in cleartext in the Peloton systems? Have they learned nothing from all the hacks and break-ins at larger retailers?
Usernames are case-sensitive? Really? The website makes no mention of that.
At this point, haven't most websites written code to specifically disallow that password? :)
The browser I was using that's unable to log in to the Peloton website is: Google Chrome Version 42.0.2311.135 (64-bit) on Mac OS X Yosemite.
Extensions installed are:
1Password
AdBlock Plus
ColorZilla
FlashBlock
Google Docs
HTTPS Everywhere
Conclusion
The Peloton Twitter Account reached out to me earlier today in response to one of my tweets yesterday. I know they're at least watching, and I welcome further engagement so that I can get my issue resolved. Hopefully, along the way, I might learn a few more things:
that Peloton's passwords are not stored in cleartext
that they have a plan to
  either make usernames not case-sensitive, or
  at least make some note on their website that usernames ARE case-sensitive
that they'll not allow people to set new passwords to "correct horse battery staple"
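The three wishes above (no cleartext passwords, case-insensitive usernames, and a blocklist for famous passphrases) are all cheap to get right on the server side. The following is an added example written for this post, not Peloton's code or anything from the chat: a tiny account store using Python's standard library. The iteration count, the blocklist entries beyond "correct horse battery staple", and the minimum length are my own assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

# Passphrases a registration form should refuse. The first one is the joke
# from the post; the others are constructed sample entries for the example.
BLOCKED_PASSWORDS = {
    "correcthorsebatterystaple",
    "password",
    "123456",
}

MIN_PASSWORD_LENGTH = 12   # assumption for this example
PBKDF2_ROUNDS = 600_000    # assumption; follow current guidance for your hardware


def canonical_username(name: str) -> str:
    """Fold case and Unicode form so 'Mike', 'mike' and 'MIKE' are one account."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


def _password_key(password: str) -> str:
    """Collapse case and separators so 'Correct-Horse-Battery-Staple' still matches."""
    return "".join(ch for ch in password.casefold() if ch.isalnum())


def password_allowed(password: str) -> bool:
    """Reject short passwords and anything on the well-known-passphrase blocklist."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return _password_key(password) not in BLOCKED_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a salted, iterated hash; the cleartext never reaches the database."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"algo": "pbkdf2-sha256", "rounds": PBKDF2_ROUNDS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class AccountStore:
    """In-memory stand-in for the accounts table (example only)."""

    def __init__(self) -> None:
        self._accounts: dict = {}

    def register(self, username: str, password: str) -> str:
        if not password_allowed(password):
            raise ValueError("password is too short or on the blocklist")
        key = canonical_username(username)
        if key in self._accounts:
            raise ValueError("username already taken")
        self._accounts[key] = hash_password(password)
        return key

    def login(self, username: str, password: str) -> bool:
        record = self._accounts.get(canonical_username(username))
        return record is not None and verify_password(record, password)

    def support_view(self, username: str) -> Optional[dict]:
        """What a support agent can see about an account: metadata, never a secret."""
        record = self._accounts.get(canonical_username(username))
        if record is None:
            return None
        return {k: record[k] for k in ("algo", "rounds")}


if __name__ == "__main__":
    store = AccountStore()
    store.register("Mike", "a reasonably long passphrase 42!")
    print("login with different case:", store.login("MIKE", "a reasonably long passphrase 42!"))
    print("support can see:", store.support_view("mike"))
    print("xkcd passphrase allowed:", password_allowed("correct horse battery staple"))
```

The point of `support_view` is that a CSR script which asks a customer to read out their password cannot exist here even by accident: the record holds only the algorithm, salt, rounds and hash, so a "what is your password?" step would have nothing to compare against. Normalising with `casefold` plus NFKC at both registration and login removes the case-sensitivity surprise without needing a note on the website, and `hmac.compare_digest` keeps the hash comparison constant-time.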