My roommates have a Peloton Bike in the house. It's a neat thing -- it's a stationary bike with a built-in computer (think large tablet) that basically streams live or pre-recorded Spin classes to your house. It's a great way for cyclists to stay in shape during the long winters, especially in Chicagoland, where I live. It is not, however, without its problems.

So over the winter, I created my own account on the Peloton bike's computer. This hooks into the Peloton website, and voilà, the integrated solution gives you an account there, too. Helpfully, there's a "Keep me logged in" style checkbox when you sign in, which I made sure to check so that I'd remain logged in.

Since I travel for work during the week, I'm not there to use the bike all the time. In fact, I might even have gone a few weekends without using it. Shocking, I know.

So once, I went back to use it, and I found myself logged out. So much for "keep me logged in."

At that time, I didn't have time to mess with it, so instead I just got off and did something else. Great way to encourage use, that.

Resetting my Password

So yesterday, before flying out for the work week, I went to go use it again. I was still logged out, and didn't remember my password. So I went downstairs, grabbed my laptop, and reset my password using the Peloton website successfully.

Since I use 1Password, I created a strong, secure password -- 50 characters long, containing 3 digits and 2 special characters. Or maybe the number of digits and specials was the other way around. Whatever.

As I always do when I reset my passwords using 1Password, I like to make sure that everything works. So I immediately logged out of the Peloton website and tried to log back in using my shiny new password.

You have entered an invalid email address, username, or password. Please try again.


Enter Customer Support

It was at this point that I noticed the Peloton website has a "Start a Live Chat" feature on the site. So...I did.

Before I paste the chat transcript, I want to be very clear: I believe that I received reasonably ok customer support from the Zendesk person who helped me out. He or she, I'm sure, has a script to follow. The script, as you'll see, might need some updating. And while the "resolution" to my issue did not come from the customer support person, they were very professional, and stayed with me for almost 50 minutes. That's an eternity in customer support realms.

I'm going to alter a few things in the chat that aren't really important to get my points across. The main thing I'm changing is the CSR's name, because I really don't believe that matters.

(05:07:17)  *** Mike joined the chat ***
(05:07:18)  Mike: I just reset my password on the website, and I cannot login.
(05:07:27)  *** CSR joined the chat ***
(05:07:45)  CSR: Can I have your email address
(05:07:51)  Mike: my@email.addr
(05:08:34)  CSR: Are you trying to log into the website or are you trying to log in to the bike?
(05:08:52)  Mike: Right now, the website. Once I complete logging into the website, I'll go use the bike.
(05:09:22)  CSR: Okay and can I ask what password you were trying to reset
(05:09:32)  Mike: I don't understand your question
(05:09:58)  CSR: What are you resetting your password to?
(05:10:01)  Mike: I went to the website, clicked the "Forgot Password" link, and then I reset my password from the link that the website sent me.
(05:10:52)  CSR: okay, so what is your password now?
(05:11:08)  Mike: I don't understand why you would even ask that question.
(05:11:20)  Mike: It's 50 characters long, it has some numbers, and some special characters in it.
(05:11:33)  Mike: I use 1Password to create strong, secure passwords that I never need to remember.
(05:12:08)  CSR: Okay, May I ask what error message you are receiving when you try yo input your password?
(05:12:18)  CSR: to*
(05:12:58)  Mike: You have entered an invalid email address, username, or password. Please try again.
(05:13:09)  Mike: For my username, I entered "my@email.addr"
(05:13:42)  CSR: Have you try inputting your username with your password as well?
(05:14:21)  Mike: I have tried to use my normal username, which is mikevitale42
(05:14:38)  Mike: I think that's the username I entered for Peloton, but I can't be sure, since I can't login.....
(05:15:18)  Mike: None of the emails that you have sent me contain my username.
(05:17:02)  CSR: No we do not send usernames when we reach out to our customer , I can try to reset your password to a temporary one and you can change it once we gain access to your page,
(05:17:25)  Mike: ok...
(05:17:30)  Mike: But before we do that
(05:17:44)  Mike: Is there a problem with using a strong, secure password like the type I mentioned I use?
(05:17:57)  Mike: 50 characters, numbers, and special characters?
(05:20:08)  CSR: Or you can input the username as we have on file MikeVitale42 being that our system is case sensitive,
(05:20:28)  CSR: There may be an issue using the special characters in the password
(05:20:50)  Mike: Usernames are case sensitive?
(05:21:01)  Mike: 1) Your website doesn't mention that
(05:21:20)  Mike: 2) Your website allowed me to set my password to the strong, secure password
(05:21:30)  Mike: But now it doesn't let me login using the password I just set it to
(05:23:38)  CSR: Yes they are case sensitive and perhaps that may be the reason why you can not log in, If you can please try to input the username as MikeVitale42 with your strong secure password
(05:23:52)  Mike: I did try that. Same error message
(05:23:53)  CSR: to see if this allows to log into the webiste
(05:24:19)  CSR: Okay give me one moment,
(05:29:55)  CSR: I can created a temporary password just so we can be clear that there is not a bigger issue with your account other than not being able to log in, would you like me to do that?
(05:31:22)  Mike: I just tried using the "Forgot password" functionality from the website. When it asked for my email, I gave it "my@email.addr", and I'm getting an error message: "my@email.addr not found"
(05:31:47)  Mike: I just reset my password using that same functionality like half an hour ago (right before starting this chat)
(05:31:51)  Mike: What is going on?
(05:38:31)  Mike: So...I eventually got a reset password link in email. I used it, and reset my password again. It's STILL not letting me login on your website.
(05:38:37)  CSR: Sorry for the wait I just wanted to see if we were having problems with our website and I just went through the forgot password using my own login info without any issues, I did have a password of 10 characters including one special characters and several numbers, So I just want to make sure that the 50 character password was inputting correctly as well , I have sent you a new link to reset your password, usually when riders get that message it means that one of the credential being put in is putting in incorrectly
(05:38:50)  Mike: You have entered an invalid email address, username, or password. Please try again.
(05:40:09)  Mike: I've tried using both my username (MikeVitale42) and my email address (my@email.addr) and my new password
(05:40:14)  Mike: Which is one that I can remember.
(05:40:18)  Mike: Still can't login.
(05:44:01)  CSR: When a rider received that message it means that either the password or email address is being put incorrect, sometimes if a space is put in front of the email can even be the issue as well, I can try to gain access to your account however that does me I will be using a simpler temporary password for the time being, again I and my tech team just tested the forgot password link with our own account and it allowed us to go into our profile, you can even give me the temporary password that you would want me to use
(05:44:55)  Mike: Please use "NewPassword" without the quotes, case sensitive, as the password when you reset mine.
(05:45:11)  CSR: okay give me one moment
(05:46:05)  Mike: I just received another "Reset Password Request" email.
(05:46:19)  Mike: I assume that you have to send that to me so that you can get the link and use it yourself?
(05:48:32)  CSR: So I was able to access your account with these credentials.
(05:49:20)  Mike: I'm not.
(05:49:20)  Mike: You have entered an invalid email address, username, or password. Please try again.
(05:50:30)  Mike: Oh, I see.
(05:50:33)  Mike: It's the browser I'm using.
(05:50:46)  Mike: Your website doesn't allow me to login using Chrome on my Mac.
(05:51:00)  Mike: When I try it from Safari, it works.
(05:51:04)  Mike: That's...greaaaaat.
(05:52:36)  CSR: Oh okay, that is wonderful that you were able to log in to your account.
(05:53:11)  Mike: Sure it is.
(05:53:30)  CSR: Is there anything else that you need today?
(05:54:14)  *** Mike left the chat ***

Mea Culpa

The thing that I feel most badly about in the above exchange is that I abruptly ended the chat. I'm sorry for having done that. I should have stuck around to at least say "thank you for your time and help."

Problems, problems, problems

OK, let's see. There are a number of things wrong on the Peloton side that I see in the above exchange.

  1. At 05:10:52, the CSR asked for my password.
    1. Why would they even do that?
    2. Does this mean that passwords are stored in cleartext in the Peloton systems? Have they learned nothing from all the hacks and break-ins at larger retailers?
  2. Usernames are case-sensitive? Really? The website makes no mention of that.
  3. At 05:40:14, the password I used that I can remember: correct horse battery staple
    1. At this point, haven't most websites written code to specifically disallow that password? :)
  4. The browser I was using that's unable to login to the Peloton Website is: Google Chrome Version 42.0.2311.135 (64-bit) on Mac OS X Yosemite.
    1. Extensions installed are:
      1. 1Password
      2. AdBlock Plus
      3. ColorZilla
      4. FlashBlock
      5. Google Docs
      6. HTTPS Everywhere


The Peloton Twitter account reached out to me earlier today in response to one of my tweets yesterday. I know they're at least watching, and I welcome further engagement so that I can get my issue resolved. Hopefully, along the way, I might learn a few more things:

  1. that Peloton's passwords are not stored in cleartext
  2. that they have a plan to
    1. either make usernames not case-sensitive, or
    2. at least make some note on their website that usernames ARE case-sensitive
  3. that they'll not allow people to set new passwords to "correct horse battery staple"
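As an added illustration (not Peloton's code, and not from the original post), here is what a login and password-reset backend that avoids the problems listed above, and delivers the three items on the wish list, looks like in Python. It assumes an in-memory user store, uses PBKDF2-HMAC-SHA256 from the standard library as the password hash, and uses a small constructed denylist in place of a real breached-password corpus; the usernames, email address and passwords in it are either taken from the transcript or made up for the example.

```python
"""Login and reset handling that never needs the cleartext password,
treats usernames and emails case-insensitively, tolerates stray whitespace,
accepts long passwords with any characters, and rejects well-known phrases.
Added example; not Peloton's implementation."""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 600_000      # OWASP guidance for PBKDF2-HMAC-SHA256
MAX_PASSWORD_BYTES = 1024        # bound hashing cost; no bcrypt-style 72-byte truncation

# Constructed denylist. A real service would load a breached-password corpus;
# the 'correct horse battery staple' entry is the one the post asks for.
DENYLIST = {"password", "newpassword", "correcthorsebatterystaple", "123456"}


def normalize_identifier(value: str) -> str:
    """Canonical lookup key: trim whitespace (the leading-space case the CSR
    mentions), apply NFKC, and casefold so MikeVitale42 == mikevitale42."""
    return unicodedata.normalize("NFKC", value.strip()).casefold()


def denylist_key(password: str) -> str:
    """Loosely normalize a candidate so 'Correct Horse Battery Staple' and
    'correct-horse-battery-staple' both hit the denylist entry."""
    return "".join(ch for ch in password.casefold() if ch.isalnum())


def check_password_policy(password: str) -> None:
    raw = password.encode("utf-8")
    if len(raw) < 8:
        raise ValueError("password too short")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    if denylist_key(password) in DENYLIST:
        raise ValueError("password is on the common-password denylist")
    # Deliberately no composition rule: a 50-character 1Password string with
    # digits and special characters is exactly what we want to accept.


def password_allowed(password: str) -> bool:
    try:
        check_password_policy(password)
    except ValueError:
        return False
    return True


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing salted hash; the cleartext is never stored."""
    check_password_policy(password)
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


class UserStore:
    """In-memory account store keyed by normalized username and email."""

    def __init__(self) -> None:
        self._users: dict = {}    # normalized username -> record
        self._emails: dict = {}   # normalized email -> normalized username

    def register(self, username: str, email: str, password: str) -> None:
        key = normalize_identifier(username)
        if key in self._users:
            raise ValueError("username taken")
        self._users[key] = {"username": username, "email": email,
                            "password_hash": hash_password(password)}
        self._emails[normalize_identifier(email)] = key

    def _lookup(self, identifier: str):
        key = normalize_identifier(identifier)
        key = self._emails.get(key, key)       # accept email or username
        return self._users.get(key)

    def reset_password(self, identifier: str, new_password: str) -> None:
        """What the 'Forgot password' link should do: replace the hash only.
        Support staff need this, never the user's current password."""
        user = self._lookup(identifier)
        if user is None:
            raise KeyError("account not found")
        user["password_hash"] = hash_password(new_password)

    def login(self, identifier: str, password: str) -> bool:
        user = self._lookup(identifier)
        if user is None:
            # Burn a hash anyway so timing does not reveal whether the account exists.
            hashlib.pbkdf2_hmac("sha256", b"x", b"x" * 16, PBKDF2_ITERATIONS)
            return False
        return verify_password(password, user["password_hash"])
```

The point of the `casefold` lookup is that usernames and email addresses are identifiers, not secrets, so there is no security reason to make them case-sensitive; doing so only creates the kind of support call in the transcript. Because only a salted hash is stored, a support agent has nothing to ask for: the reset path above is all they need, and it is also why the "what is your password now?" question should never appear in a script.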