She drives me crazy (passwords)

Another day, another “we can’t tell you much cuz ‘security’ but, um, we might have accidentally lost something that relates to you somehow, don’t worry nothing bad happened and you are fine, but, uh, we locked you out of your account”. Today it was Air Canada. Let's take a look and dissect the email, below:

Dear <<ME>>,

We recently detected unusual log‑in behaviour with Air Canada’s mobile App between Aug. 22‑24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data.

Am I affected?
As a result of our analysis, we are confident your account was not affected by these unauthorized attempts. As an additional security precaution however, we have locked all Air Canada mobile App accounts to further protect customer data.

To reactivate your Air Canada mobile App account, please see the instructions below or follow the prompts the next time you log into your Air Canada mobile App.

Your privacy and the protection of your data are extremely important to Air Canada. Our security is multi‑layered, and we work with leading industry experts to continuously improve our practices as technology and security procedures evolve.

Reset your password
Please reset your password to resume using Air Canada’s mobile App and mobile products with confidence.

Your new password must be a minimum of 10 characters. Here are some helpful tips in creating your new password:
• Minimum of 10 characters which must contain at least 1 uppercase letter, 1 number, 1 symbol/special character, 1 lowercase letter
• Do not use your old password
• Do not use your name or something easily associated with you
• Do not use your Air Canada mobile App password with other accounts

You can reset your password by following the prompts when you next log‑in to your Air Canada mobile App, or you may reset your password now 

OK. Observations:

  • Do I trust their assurance?
  • They make you click on a link. This is bad; this is exactly how spear-phishing works, and they are reinforcing it (how do I know this is really from AC?).
  • Let's examine those requirements. So, I need a complex password, in the mobile app (this is a different password than the web site!). Not only is it different from the web site (and your online booking etc.), but the requirements are different. Look at the screenshots below: min 10 chars vs max 10, no special characters vs must have special characters.
  • My mobile device is already secured, so why do I need an ‘app password’? Why can't this work like, e.g., the Gmail or Marriott apps? And this is truly a password you need to enter each time; it's not a browser that can remember it.
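
The two conflicting rule sets from the observations above, encoded as an added example (my code, not Air Canada's or the post author's). The mobile-app rules are the ones quoted in the email; the web-site rules (max 10 characters, no special characters) are taken from the author's reading of the screenshots and are an assumption here, as is the rough imitation of `pwgen -y`.

```python
import secrets
import string

# Policies as the post describes them. The mobile-app rules come from the
# e-mail; the web-site rules (max 10 chars, no special characters) are the
# author's reading of the screenshots, so they are an assumption here.
MOBILE_APP_POLICY = dict(min_len=10, max_len=None, need_classes=True, allow_symbol=True)
WEBSITE_POLICY = dict(min_len=1, max_len=10, need_classes=False, allow_symbol=False)
SYMBOLS = set(string.punctuation)

def violations(password, policy):
    """Rules the password breaks under one policy (empty list = accepted)."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']}")
    if policy["max_len"] is not None and len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']}")
    has_symbol = any(c in SYMBOLS for c in password)
    if policy["need_classes"]:  # upper + lower + digit + symbol, as in the e-mail
        if not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if not has_symbol:
            problems.append("no symbol")
    if not policy["allow_symbol"] and has_symbol:
        problems.append("symbols not allowed")
    return problems

def policy_conflicts(a, b):
    """Reasons no single password could satisfy both policies at once."""
    reasons = []
    if any(x["need_classes"] and not y["allow_symbol"] for x, y in ((a, b), (b, a))):
        reasons.append("one policy requires a symbol, the other forbids it")
    lowest = max(a["min_len"], b["min_len"])
    highs = [p["max_len"] for p in (a, b) if p["max_len"] is not None]
    if highs and lowest > min(highs):
        reasons.append("length ranges do not overlap")
    return reasons

def pwgen_y_style(length=12):
    """Roughly what 'pwgen -y 12' hands back: a random mix with every class present (assumed)."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    chars = [secrets.choice(cls) for cls in classes]  # guarantee one of each class
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```

Running `policy_conflicts(MOBILE_APP_POLICY, WEBSITE_POLICY)` shows the symbol rule alone makes a shared password impossible, and any `pwgen_y_style()` output that the app accepts is rejected by the web-site policy.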

Sigh, so I run ‘pwgen -y 12’. I click on the link. It logs me into the web profile etc. But from there you can't change or set your mobile password. Strike 1: the instructions are wrong. I open the app. Strike 2: instead of forcing me to set a new password as above, it's locked out. So I do the ‘forget password’ link and it emails a one-time link. I click that, the app opens, but now it just times out (network not available). Sigh. Do I really need this app?

See below for their two screenshots. This is so frustrating. Let's get our pitchforks and rise up against the password people.

Comments

2 Responses to “She drives me crazy (passwords)”

  1. Brandy Latimer

    Funny I got the exact same email. I don’t even have the ac app 😁

  2. Matt Callaghan

    fun times! … we could all call them and each of us spend an hour of our lives attempting to instruct their support staff what is wrong and how they should fix it … (I succumb to this good Samaritan trap too often)

    AC’s app is just bad (it was so even before this nonsense!)
    the authentication system used is super terrible

    likely to be deleted, but next time I travel it’ll be re-installed and the shenanigans will prevail!
