No! This is not common at all. All of the FF programs I’ve used (Delta, Southwest, Korean Air, etc.) require a password to log in. Not only is this uncommon, it’s an absolutely horrible security practice for the reasons you’ve found out.
Here are a couple of examples of how major programs currently handle this:
Delta’s website requires a username and password to log in normally.
If you’ve forgotten your password, you need to enter your name and e-mail address and they send the link to change your password to that e-mail address, so having control of that e-mail account is required to reset.
If you’ve forgotten your username or SkyMiles number, you again enter your e-mail address and name and they’ll e-mail your username to you.
Southwest’s website also requires a username and password to log in normally.
If you’ve forgotten your password, like with Delta, you enter your e-mail address and name and they e-mail you the link to change your password.
If you’ve forgotten your username/account number, you need to enter your name, ZIP code, and e-mail address, and then answer your security questions before it will give you your username and account number. If you don’t have access to your original e-mail address, you have to enter your name, ZIP code, old e-mail address, and account number in order to change your e-mail.
You say that the program in question is a ‘big fish.’ If it’s big enough to be part of one of the major alliances (OneWorld, Star Alliance, or SkyTeam) and they won’t quickly fix their account security, you might want to consider joining a more secure FF program from another one of the members of the same alliance and just start crediting your flights to that program instead. Most of them have reciprocal mileage earn and awards, as well as at least some degree of reciprocal elite benefits with other member airlines of the same alliance.
Credit: stackoverflow.com
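The recovery flows described in the answer above (name plus e-mail address in, reset link out to the address on file) rest on a few properties a defender cares about: the raw reset token is only ever delivered to the mailbox, the server stores just a hash of it, it expires, it is single-use, and the request step behaves identically whether or not the e-mail exists, so it cannot be used to enumerate members. The following is an added illustration written for this page, not code from any airline's site or from the original answer; the reset URL, the 15-minute lifetime and the in-memory stores are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy: a reset link is only honoured for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60
# Placeholder base URL; a real deployment would use its own domain.
RESET_URL = "https://example.invalid/reset?token="


@dataclass
class Account:
    email: str
    name: str
    password_hash: bytes = b""
    salt: bytes = b""


@dataclass
class ResetRequest:
    email: str
    expires_at: float


def _password_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2) for the stored credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ResetService:
    """Toy account store with an e-mail-bound, expiring, single-use reset flow."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email.lower(): a for a in accounts}
        self.pending = {}   # sha256(token) -> ResetRequest; the raw token is never stored
        self.outbox = []    # stands in for the mail server: (recipient, message)
        self.now = now      # injectable clock so expiry can be tested

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, name: str, email: str) -> None:
        """Step 1: caller gives name + e-mail; the link is sent only to the e-mail on file."""
        acct = self.accounts.get(email.lower())
        # Identical behaviour for unknown e-mail or wrong name: no response leaks
        # whether the address belongs to a member.
        if acct is None or not hmac.compare_digest(
            acct.name.lower().encode(), name.lower().encode()
        ):
            return
        token = secrets.token_urlsafe(32)
        self.pending[self._token_hash(token)] = ResetRequest(
            acct.email, self.now() + TOKEN_TTL_SECONDS
        )
        self.outbox.append((acct.email, RESET_URL + token))

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: possession of the token proves control of the mailbox."""
        req = self.pending.pop(self._token_hash(token), None)  # pop -> single use
        if req is None or self.now() > req.expires_at:
            return False
        acct = self.accounts[req.email.lower()]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _password_hash(new_password, acct.salt)
        return True

    def check_password(self, email: str, password: str) -> bool:
        """Normal login path: a password is always required."""
        acct = self.accounts.get(email.lower())
        if acct is None or not acct.password_hash:
            return False
        return hmac.compare_digest(acct.password_hash, _password_hash(password, acct.salt))
```

`complete_reset` removes the pending entry before checking expiry, so a stale or already-used link is rejected and cannot be replayed; `request_reset` returns nothing in every case, which is what keeps the flow from doubling as a membership lookup.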