Maximizing loyalty programs and credit card rewards have taken me to more than 60 countries in my lifetime, and I’ve tried just about every tip out there — using transfer bonuses, snagging cards with limited-time welcome offers, double- or triple-dipping, and even mattress and mileage running.
But one of my strategies is nowhere near as exciting — though it’s arguably more important than all of those things put together.
And it is…drumroll…a password manager.
Here’s why you should be using one of these tools to protect your hard-earned rewards.
What is a password manager, and why should you use one?
In essence, password managers serve as a secure repository to save your login credentials across various websites and mobile apps. In addition, they can help generate new passwords when you’re setting up a new account — or updating an existing one. This helps ensure you have a unique, hard-to-guess password for each of your accounts.
Some of you may have a “favorite” password that’s easy for you to remember, and because of that, you use it across all of your accounts (no judgment — I was there once). Unfortunately, this makes you incredibly vulnerable to a hack. After all, if that one password makes it to the dark web, a hacker could gain access to not just one but all of your accounts.
For example, let’s say you set the password on your favorite frequent flyer account to be P@ssw0rd. While this may satisfy the password requirements of said program (since it includes a capital letter, a number and a special character), it’s far from secure. In fact, a 2025 study from VPN provider NordPass found that this ranked 15th on a list of the most commonly used passwords across the globe. The most common? 123456 — with over 21.6 million instances.
If hackers can find your account number, they can try various password combinations to gain access.
However, a password manager can make this nearly impossible.
Reward your inbox with the TPG Daily newsletter
Join over 700,000 readers for breaking news, in-depth guides and exclusive deals from TPG’s experts
I personally use LastPass to secure my passwords, and while writing this section, I asked it to generate a new, unique password — 16 characters long, with lowercase and uppercase letters, numbers and randomized symbols. Here’s what it came back with:
Hh6BAuXP#OvryiA#
The chance of a hacker guessing this or even a brute-force computing effort uncovering it is quite small. In fact, using the above parameters gives over 37 nonillion possible combinations (that’s 37 with thirty zeroes afterward).
Of course, there’s very little chance that I could remember this password myself — which is where the repository feature comes in. All of my unique, hard-to-guess passwords are saved seamlessly inside my LastPass vault. When I need to log in from a trusted device, the password is populated automatically.
Why is this so important for loyalty programs?
A password manager can help secure all of your accounts, but there are some key reasons why loyalty programs are so vulnerable. For starters, these programs don’t offer published or legal protections, a notable contrast to credit cards, where the Fair Credit Billing Act caps your liability for unauthorized charges at $50. Many issuers go even further, offering $0 fraud liability for unauthorized purchases.
Related: How a 10-minute call reversed $2,300 in fraudulent charges on my credit card
That’s not the case with most loyalty programs.
As an example, here’s an excerpt from the terms and conditions for a major airline’s program:
“[Airline name] assumes no responsibility for and is not liable for any unauthorized access by third parties to a member’s account or account information, including any unauthorized award transaction made from the account, except as provided under applicable laws. [Airline name] assumes no obligation or duty to re-credit any unauthorized mileage withdrawal made by third parties; however, [Airline name] reserves the right to review, in its sole discretion, requests for re-crediting unauthorized mileage withdrawals provided such request is made to [Airline name] within three months of the unauthorized withdrawal.”
In addition, many of these programs don’t require two-factor authentication — or even have it as an option.
To test this, I attempted to log in to six popular airline programs and four top hotel loyalty programs from a private window in a browser I’d never used before.
| Program | Two-factor authentication? |
|---|---|
|
Text message to confirm |
|
|
Choice of text or email to confirm |
|
|
None |
|
|
Email to confirm |
|
|
None |
|
|
Text message to confirm |
|
|
None |
|
|
None |
|
|
Choice of text or email to confirm |
|
|
None |
At the time of writing, only half required an additional verification step.
I tried the exact same thing with my accounts across seven credit card issuers, and all of them required two-factor authentication, either immediately upon logging in or when clicking into the redemption options.
Finally, once inside your account, hackers can quickly burn your rewards on cash-equivalent redemption options or last-minute travel bookings, in the hopes that you won’t notice the hack until it’s too late — which is exactly what happened to multiple TPG staffers in recent years.
Principal spokesperson Clint Henderson had his AAdvantage account hacked in 2024, with nearly 400,000 miles burned for last-minute rental cars. Later that year, senior editor Gabrielle Bernardini had a hacker use over 17,000 points from her Southwest Rapid Rewards account for a hotel for a last-minute hotel stay. And just a few weeks ago, managing editor Ben Mutzabaugh received a preemptive notification that a hacker was trying to use his American miles for gift cards — though thankfully, this was caught before his account was drained.
While both Clint and Gabby had their balances restored, each one required some significant time to do so.
Bottom line
There are few things more frustrating in the world of points and miles than a hacker using your rewards. Thankfully, there are steps you can take to secure your account — including the use of unique, hard-to-guess passwords for every one of them. And a password manager can play an important role in saving these credentials so you don’t have to remember long strings of seemingly random characters.
Of course, this isn’t a foolproof solution, as hackers may still find a way to gain access. Nevertheless, it’s an important step to add an additional layer of security to your loyalty program accounts, especially since our tests show that several popular loyalty programs don’t use two-factor authentication.
If you’re not currently using a password manager, I’d strongly encourage you to do so — right now. Otherwise, those points and miles may not be there when you really need them.
Stacie Harris is a local resident and reporter of the Maple Grove area. Stacie reports on medicine and science for the Maple Grove Report.
