Forced password update!

[supernix]

Quote:

Originally Posted by Rockoids

There is no such thing as 100% protection, my friend.

One reason I use a Mac.

I have used the net for a good 8 years solid and no less and downloaded anything and everything you can think of. All this time I have never ever had a trojan. So you can be 100% safe if you choose.
Mac is alright but I much prefer Linux.
Simple rules for success are stay away from porn and illegal software and you will rarely ever have a problem at all.

[Rockoids]

Quote:

Originally Posted by supernix

I have used the net for a good 8 years solid and no less and downloaded anything and everything you can think of. All this time I have never ever had a trojan. So you can be 100% safe if you choose.
Mac is alright but I much prefer Linux.
Simple rules for success are stay away from porn and illegal software and you will rarely ever have a problem at all.

Aw, you're missing out on all the fun

Well, obviously, my dedicated server is Linux, so I get a taste of that world too when I need to.

[calum]

Right, my password hasn't changed and I didn't get this email, is there a reason for this?

[broughaj]

Quote:

Originally Posted by GatorBrent

We hope this step-by-step list makes your part of the change as simple as possible.

1. Visit https://secure.hostgator.com/password_reset/

2. If this is successful the page will display your new password to login to your ftp / cpanel. Please make sure to enter the email address and password you originally signed up with. If you can't remember this password you can find it in your welcome email you received upon joining.

3. If this is not successful no password will be listed.

4. If the reset form still doesn't like the information you're trying, contact Live Chat. Once we verify it is in fact your account we will provide you with the correct information to put on the form and help you to obtain your new password.

5. If you continue to have problems and can't log into the support system, notify support by email (mailto:support@hostgator.com).

* The first few servers we did customers received the wrong name in the email that was sent out. This had to do with a wrong variable in our script we quickly got corrected.

This worked for me first time!

[Kazper]

Quote:

Originally Posted by supernix

You would think such a person would have the best in antivirus and trojan protection. Norton is expensive but certainly cheaper then getting fired. Not to mention the freeware programs that also provide pretty good protection as well.

If you hadn't posted later that you were actually using Linux I might have been scared that you were trusting Norton to keep you safe Norton is the biggest joke in security, and one of the biggest in the software industry at large. There is no reason to ever use their steaming pile of.... Especially not when there are far, far better alternatives - free or commercial

[galiel]

I thought things were clearing up, but the misinformation keeps piling up.

Brent and other Gators keep insisting it is only the primary account that is affected - but, in fact, ALL of my virtual domains have their passwords changed to the new "secure" password forcibly assigned by HostGator - so now, ALL of them share the same single password (which is less secure than most of the passwords used for the domains before).

A major wordpress site of a client of mine's went down after the password change, and the tech who restored it told me the password change had affected the database running the site. That didn't seemto make sense, so, after the site was back up, I tried logging in to the database. Sure enough, my old username and password (which, incidentally, were different than the old cpanel password, anyway) worked, while trying the new forcibly assigned HG password did not.

When are we going to get a straight, accurate explanation from HostGator for what the hell is going on - not to mention an unconditional apology and taking of responsibility for all this pain and suffering by loyal customers of theirs?

As I've said before, this is not the HostGator I once knew and respected and recommended. This is terrible.

[galiel]

Quote:

Originally Posted by GatorJamyn

The intent was to have all older accounts that had never changed their password do a forced reset. Presumably, the process caught your account as well, and marked it as an account that had never done a password change, and it sounds like the account page/date check was missed. Regardless, comparisons of whether or not an original password was 'secure' enough or not can't really be done.

Once again, what is missing from Gator communications is any taking of responsibility, let alone an apology for the inconvenience or worse.

Instead, classic passive avoidance language is used:

"the process caught your account", "the intent was", "the account page/date check was missed".

In reality, all these procedures were set by human beings according to policy set by other human beings. The people who have been harmed by all this are human beings, too, not impersonal "processes" and "checks".

I still see NO sign that HostGator, let alone its leadership, are taking responsibility for this abortion of a process, let alone the added mess created by incompetent attempts to fix it.

This is not the HostGator we once knew.

[galiel]

Quote:

Originally Posted by digitaltoast

Quote:
Originally Posted by bodypainter
Support fixed it and gave me an explanation that I didn't understand,

Yes, I can see why that might be Quote:
Originally Posted by bodypainter
but there's no doubt that this password change took my site down.

Mmmmm, hypocritical irony (if there is such a thing).

You know, digitaltoast,


I have been a customer of HG for years, and a customer of hosting services for years before that, going back to the very birth of the web. I have also been engaged in private message exchanges with Brent Oxley himself. I can assure you that the issues many, many customers are having as a result of this poorly-thought-out, ill-executed password change are real.'

Some time after the password change, a major, publicly prominent site of a client of mine went down.

When the site was restored, the tech told me that the database was fubared because of the password change. That didn't sound right to me:
1) the password was not the same as the cpanel password,
2) the site was a virtual domain, which should not have been affected by changes to the primary account - at least according to that Gators, including Brent, have said repeatedly on this forum.

In fact, after the site was restored, I checked and was able to log in with my old database username and password!

Now, ALL my virtual domains have had their passwords synched -they are ALL the same as my primary account password.

Incidentally, I followed, not only the instructions posted in this forum, but instructions provided to me personally by Brent Oxley in a private message. I am so happy for you and others for whom the instructions worked. I assure you, however, that they did NOT work for me. I had to have a tech support person verify my identity and then provide me with the new password - which, since they were able to type to me in a live chat window, means they still have access to look up passwords, just like before.

All that has changed is that:

A) my accounts are now less secure than before;
B) clients are upset (worse than the virtual domains, including the one that went down, are the independent clients I set up who bill their own accounts - I have to walk them through dealing with tech support themselves - something they pay me to handle - because the password change process, which they had to attempt themselves as well, did not work for them, either.

It is not helpful to mock every customer with a problem and put your head so far up the rear of a service provider that not even a stray photon has a chance of reaching it.

By all means, share with us your successful experience with this change, but do NOT keep denying the reality of those of us for whom this has been, not only a major aggravation, not only an inconvenience during a 3-day weekend, not only an embarrassment for those of us who provide add-on services to others, based upon our trust in HostGator's sevices. No, this has materially harmed our businesses, both current and prospective. And HostGator won't even do so much as apologize, much less take responsibility for the problems.

This is the last time I am going to address this issue

[galensgranny]

Quote:

Originally Posted by bodypainter

So, are you saying you really don't know the exact criteria for an acceptable cPanel password?

That's what I want, it should be the easiest thing in the world to supply. How in the world can you guys not have this information? Please publish the specification just like every other professional organization I deal with.

Thanks.

He gave the exact criteria! It should be the easiest thing in the world for you to make a new password using the information given.

It seems some people on this thread just are in complain mode.

[regentronique]

Thank you Galiel for expressing what many of us think of the digitaltoast messages!
But at least he have something to think about!

[jaenosjelantru]

I'd like to add my name to the this was poorly conceived, terribly executed, unprofessional, seemingly useless and badly timed hat.

With that said, I will remain a faithful HG customer due to the -typically- outstanding support, great prices and excellent uptime I have enjoyed for many years.

Quite suprisingly, I was provided with a modicum of entertainment from the forum posts and I was easily able to change my passwords. Galiel wins with the funniest post about the fanboy who seems to be a colossal a-hole. Congrats.

A PR firm of some sort to deal with things like this and other inanity would be a good idea.

[Amnet-JM]

With all due respect, I wish this had been handled much differently. I have been a client of HG for 3+ years, and I doubt this event will lead me to leave. That being said, has HG only recently found all of the reasons listed? Or have you only now decided to act on the many glaring security issues...?

I understand growing pains, HG, so please consider the impact your decisions will have on clients who are more than just home users (no offense)-- your message to our business was routed to our spam filter; fortunately I found it.

Next time, could we possibly have a heads-up before you change things for us?

Respectfully,
J. Martin,
Amnet Admin

(and just for humor's sake: )

[Kazper]

Quote:

Originally Posted by galiel

Some time after the password change, a major, publicly prominent site of a client of mine went down.

When the site was restored, the tech told me that the database was fubared because of the password change. That didn't sound right to me:
1) the password was not the same as the cpanel password,
2) the site was a virtual domain, which should not have been affected by changes to the primary account - at least according to that Gators, including Brent, have said repeatedly on this forum.

In fact, after the site was restored, I checked and was able to log in with my old database username and password!

You do realize that this means that the password to the database was - in fact - not changed? Just as explained. It also means the "tech" that said the password change was to blame sounds like he is talking out his ass.

Bottom line: Any properly made script with properly configured individual database access/password was not affected by this.

As for the rest - not having a reseller account - I can't comment, but that does sound bad if they were all sync'ed to the same password.

[Fabrice]

Quote:

Originally Posted by SandyFish

Hey Gators -
I must have missed the e-mail (an overflowing box!) BUT, I did discover the change when I tried to sign in to my cPanel. I appreciate your efforts to keep my informtion out of the hands of former/possible future hackers.
For ONCE the newbie - me! - didn't have to contact tech support to figure something out
THANKS FOR ALL YOU DO!!!!!

Well in my case the program did NOT work. So I used live chat. The guy said the password update was buggy "due to overuse" and I should email sales[at]hostgator. After doing this, they send me another password that does NOT work. Still waiting for a working password

[gwyneth]

Quote:

Originally Posted by Fabrice

and I should email sales[at]hostgator. After doing this, they send me another password that does NOT work. Still waiting for a working password

Perhaps s/he meant to type "support[at]hostgator", the instruction given in the list.

[GatorDaveC]

Quote:

Originally Posted by Fabrice

Well in my case the program did NOT work. So I used live chat. The guy said the password update was buggy "due to overuse" and I should email sales[at]hostgator. After doing this, they send me another password that does NOT work. Still waiting for a working password

Who were you talking to about the password reset? There are no known bugs that we know of so far. The script does exactly what it is supposed to do. If you could PM me the chat transcript or the person you were talking to, that would be great.

[Drakkenfyre]

I received the new password for one of the sites that I am the webmaster of, but it doesn't work. Surprisingly, the original password does work, lol.

-Drakk )))

[galiel]

Quote:

Originally Posted by GatorDaveC

Who were you talking to about the password reset? There are no known bugs that we know of so far. The script does exactly what it is supposed to do. If you could PM me the chat transcript or the person you were talking to, that would be great.

The script most certainly does NOT do what it was supposed to do, unless it was designed to cause a large number of customers to receive error messages when they follow the directions in your forum post and emails.

Why don't you address the fact that, for many of us, the instructions fail, with various unhelpful error messages?

The only people who are helping at all - and the reason you may still salvage some of your customer base from this mess - are the poor techs who worked overtime while most people were enjoying a barbeque and a long weekend.

You are only making things worse with this attitude.

[pHRESh]

I don't have time (right now) to read through all 10 pages of these posts to see if anyone else has posted this issue, so please forgive me if this is redundant!

[pHRESh]

This is the response I received from HostGator support when I submitted a ticket with my above observation:

Quote:

Hello,



What we use to verify an account is the last paypal transaction ID, the last four digits of the credit card on file or the current password on file for the account. We are not responsible for the people you give access to your billing account. Changing our verification method is not a viable option.


If you have already given access to someone who now knows the last four digits of the credit card then you can request that we add a security question and answer to your account for any password resets. It can be placed as your secondary email so that all agents know to ask for that for any password resets. You of course would need to change the billing password once it is added as to not compromise that information. Our billing system is intended for a single user that is considered the owner and is responsible for the account and has the ability to do password resets when necessary. I apologize for any inconvenience that this may have caused.


If you have any further questions or concerns feel free to contact us.


Thank you for hosting with HostGator.

------------


Regards,


Mario R.
Hostgator Sales Administrator

It is puzzling to me that my direct reference to this alarming issue could be overlooked in this response ...

[SwollenCranium]

HostGator still rocks in MY book.

Pffft to the haters.

[trau]

As a new user (joined Friday) I was a little annoyed to receive the email on Monday and even a little shocked when I reset the password and the new password was less secure than my original 14 random character password. But that said I do appreciate HG for being willing to take all the inevitable grief and doing what they thought was right. But I do have to agree with what others have said about the fact that the email could have been worded/phrased far better.

[entensity]

Quote:

Originally Posted by galiel

Once again, HostGator's focus is on deflecting blame to individual techs, who are clearly doing their best to handle a nightmare not of their own making.

The script most certainly does NOT do what it was supposed to do, unless it was designed to cause a large number of customers to receive error messages when they follow the directions in your forum post and emails.

Why don't you address the fact that, for many of us, the instructions fail, with various unhelpful error messages?

So far, all we are getting from Gators on this forum are [random conjecture. Removed. Inaccurate].

The only people who are helping at all - and the reason you may still salvage some of your customer base from this mess - are the poor techs who worked overtime while most people were enjoying a barbeque and a long weekend.


You are only making things worse with this attitude.

I would like to let you know that you are mistaken & I have never read anything so incorrect in my life. If you are still having issues CONTACT support. This is a "PEER SUPPORT FORUM," don't expect to get any answers from HG. I'm not sure why you are making a big deal out of something fairly simple. All it takes is a password change for heavens sake! It seems as if your life stopped all of a sudden.

[thetazzbot]

Quote:

Originally Posted by digitaltoast

I don't understand - this had nothing to do with databases or the sites. This was just the cpanel/whm login that was changed. Why would this affect your database or make your site go down? It didn't do this to me or anyone else who has had to change passwords

yeah it may have been a momentary glitch

or i got a sequence out of whack. but if you go into cpanel and change your password
it changes the main user password for mysql. so if you login to cpanel as joeblow you have a mysql user "joeblow" in addition to any others you manually created.

So it may have been after I changed the password in cpanel that i noticed the blogs were down, so that of course would be expected in this situation.

[thetazzbot]

My last thoughts are:

I chalk this up to growing pains. I've been with enough startups and small companies to know that when you are moving fast, sometimes you take shortcuts, you take your lumps and bruises, and you grow.

Honestly, there are billions of dollars lost every year from major companies, banks, etc, and they don't disclose anything. Here's a small company doing the right thing, saying hey, we screwed up, and we're fixing it. Sure they might lose a few low hanging fruit as a result, that's the cost of doing business.

I'm sure I would have been a LOT more pissed if I had read in the news "100,000 customer credit cards stolen from insecure databases at hostgator" than the minor irritation of resetting my password. But I'm not a reseller, i don't have customers to answer to, and only run blogs. So in a way, I'm a low hanging fruit haha! But I'm stayin.

[btw I spent 7 yrs in a large global ISP so I know the bumps in the road]

Mark