  #276  
Old 06-01-2008, 03:08 PM
navjotjsingh navjotjsingh is offline
Hatchling Croc
 
Join Date: Apr 2007
Posts: 16
Default Re: Forced password update!

I asked for SSH request and was given this form to fill: https://secure.hostgator.com/sshrequest.php

This form upon confirming the email posted my password in full public view in the tickets section. Now everybody viewing that ticket can see my hosting password? So what about this forced password update when there is no security?
Reply With Quote
  #277  
Old 06-01-2008, 03:29 PM
GvilleRick GvilleRick is offline
Emperor Croc
 
Join Date: Jan 2007
Location: Greenville, SC
Posts: 3,128
Default Re: Forced password update!

I generally will change my password after the ticket is closed.
Reply With Quote
  #278  
Old 06-01-2008, 04:10 PM
GatorChrisN GatorChrisN is offline
HostGator Staff
 
Join Date: Feb 2008
Posts: 1,262
Default Re: Forced password update!

Quote:
Originally Posted by navjotjsingh View Post
I asked for SSH request and was given this form to fill: https://secure.hostgator.com/sshrequest.php

This form upon confirming the email posted my password in full public view in the tickets section. Now everybody viewing that ticket can see my hosting password? So what about this forced password update when there is no security?
All of our request forms are securely handled via SSL and these tickets only go to the department that handles the request. The password is required to update your account. You are welcome to change the password if you would like after the request has been completed though.
__________________
Chris N.
Director of System Administration - Houston
Hostgator Support
http://www.hostgator.com

Reply With Quote
  #279  
Old 06-02-2008, 12:03 AM
webmist webmist is offline
Hatchling Croc
 
Join Date: Jan 2006
Posts: 1
Default Re: Forced password update!

Quote:
Originally Posted by bodypainter View Post
So, are you saying you really don't know the exact criteria for an acceptable cPanel password?

That's what I want, it should be the easiest thing in the world to supply. How in the world can you guys not have this information? Please publish the specification just like every other professional organization I deal with.

Thanks.
I want to know what "professional organization" you deal with. Most don't tell you any more than what has been said here. Including other hosting, financial, credit cards, and IP's.


Quote:
Originally Posted by supernix View Post
So you can be 100% safe if you choose.
Mac is alright but I much prefer Linux.
Simple rules for success are stay away from porn and illegal software and you will rarely ever have a problem at all.
Trust me no one is a 100% safe. They just haven't found anything they want from you. Maybe if you hosted the Bank of England.

I just want to say even not being notified (on vacation for the past week) our websites had no glitches in the past week at all. We received no complaints from my brother's clients. I had no problems accessing my personal sites either. I've successfully changed passwords for my shared accounts as well as my brother's accounts and all is well.

You know vB did this a few weeks ago and probably due to a similar situation and people ranted for awhile, but things have gotten back to normal as will this.
Reply With Quote
  #280  
Old 06-02-2008, 11:08 AM
Max Entropy Max Entropy is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 3
Default Re: Forced password update!

All fixed on this end - after a few unsettling moments when I thought someone might have cracked my account, or something had happened to my credit card and the monthly fees weren't getting paid.

I finally got a forum login recently, or I might not have known about this. Or did you put it in the public section? I didn't check.

Very glad I wasn't in a hurry to get logged in today.

Next time, please send out notices by email. That might prevent heart attacks in some of us geezers. ;-)
Reply With Quote
  #281  
Old 06-02-2008, 12:26 PM
donby donby is offline
Hatchling Croc
 
Join Date: Mar 2008
Posts: 8
Default Re: Forced password update!

Quote:
Originally Posted by GatorChrisN View Post
All of our request forms are securely handled via SSL and these tickets only go to the department that handles the request. The password is required to update your account. You are welcome to change the password if you would like after the request has been completed though.
I'd really like to know what needs to be done that requires the customer password to set up ssh access. Or is this a highly confidential HG process?
(this should probably go into a different thread; password security on HG)

It doesn't matter if it's passed via SSL or just sitting on a private network, storing passwords in plain text is a huge no no. NEVER store a password in plain text or reversible encryption. Doing so almost negates the point of having a password. Too many places take the "crunchy outside, gooey inside" approach to security. There is a staggering statistic about how many security breaches come from the inside. Typically a disgruntled or naive employee. This fiasco is a prime example.

I've been a Unix SA for a pretty long time and have never requested a user to give me their password. Of course I have root access so having someone's password would be a step down on the privilege ladder.
For restricted root privileges we use sudo, http://www.sudo.ws/sudo/. Great stuff if you work in a *nix shop and occasionally need to run commands as root, or another user, take a look at it.

It's disheartening how service providers, almost any service, have a terms of use policy that focuses completely on the service user and nothing about the service provider. Service providers should have a statement of their minimum level of security. This may never fly, unless the provider is publicly traded and bound by the SOX ACT. However it would still be a warm fuzzy if providers spelled out in plain language how your personal and *private* information is handled. Specifically how they deal with your password.

When this thread was suddenly closed I started looking for another hosting company. Brent's comeback has reassured me that maybe they are trying. Everyone makes bad choices now and then. I just hope it wasn't my choice of selecting HG for my hosting. If I'm going to be on edge and have to change my HT passwords every week to feel sort of secure it may have been my choice.

Don
Reply With Quote
  #282  
Old 06-02-2008, 09:32 PM
Max Entropy Max Entropy is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 3
Default Re: Forced password update!

I'm certainly not about to walk out the door as a customer. HG has given me outstanding hosting service, a country mile better than my last provider. I'm not too up on the security issues - that's one reason I use hosting services instead of trying to "roll my own." But I *am* a bit concerned about the personnel matters implied here.

True, once in a while you run into a dishonest person on the job. But they're not usually malicious, just greedy. There's a big difference, though both can cause lots of harm.

In most cases, employees don't take malicious actions against an employer unless they think they've been poorly or unfairly treated. You can't watch every employee every second - you have to be able to trust them. You can't trust angry people. If one person at HG reacted that way to the way he was treated, how can we be sure that there won't be more disgruntled employees to breach security or cause damage in retaliation for the way HG management is treating them?

Of course I only know what I've read in this thread, and I know nothing about the situation with the person who closed the support tickets. Who knows, I might be totally off base with the above. Maybe this person was just a wacko.

But I would have thought twice (if not 3 or 4 times) before releasing a "trustworthy, hard working" employee for one mistake, even as serious as it was. I would have made darn sure she had the necessary safeguards in place for the future, but "trustworthy, hard working" employees are in pretty short supply and when one leaves it's a major loss.

These seemingly unrelated personnel matters may collectively indicate some developing problems with corporate culture at Hostgator. I hope you'll give some thought to this, even if you think I'm out of line in mentioning it.

Thanks.
Reply With Quote
  #283  
Old 06-03-2008, 12:11 AM
DarkSorrow DarkSorrow is offline
Swamp Croc
 
Join Date: Nov 2005
Location: Reeds Springs, Missouri
Posts: 250
Default Re: Forced password update!

Quote:
Originally Posted by GatorChrisN View Post
All of our request forms are securely handled via SSL and these tickets only go to the department that handles the request. The password is required to update your account. You are welcome to change the password if you would like after the request has been completed though.
So I guess sales handles SSH requests heh?
__________________
sudo rm -rf /mnt/win32 ; sync ; dd if=/dev/random of=/mnt/win32/ooops bs=16384 ; sync
"Knowledge is Power, power corrupts, corruption is illegal. STOP LEARNING BEFORE YOU END UP IN JAIL!"
Reply With Quote
  #284  
Old 06-03-2008, 08:52 AM
euronerd euronerd is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 1
Default Re: Forced password update!

Quote:
Originally Posted by GatorJamyn View Post
[...] I can't really discuss any of the other internal controls, as I'm sure you understand. Thanks!
An essential misconception. If a security system can be broken by understanding how it works, it's an insecure system to begin with.
Reply With Quote
  #285  
Old 06-03-2008, 11:04 AM
cptbob123 cptbob123 is offline
Junior Croc
 
Join Date: Mar 2008
Posts: 114
Default Re: Forced password update!

well done Hostgator for looking over security!

I have had no website downtime.. I didn't get the email though :S I also change my passwords often..

The only thing I would advise is that you don't ask for my root password over normal email. Although being security minded, I change it after you have fixed my issue..

Blame yourself for shit passwords and not changing them.. not Hostgator.. as for downtime on sites.. why the hell are you using your main account username and password as your SQL password..
Reply With Quote
  #286  
Old 06-03-2008, 01:36 PM
donby donby is offline
Hatchling Croc
 
Join Date: Mar 2008
Posts: 8
Default Re: Forced password update!

Quote:
Originally Posted by cptbob123 View Post
Blame yourself for shit passwords and not changing them.. not Hostgator..
Their system won't allow for secure passwords. They only allow characters, upper and lower case, and digits. No special chars makes for a poor password.
My accounts were just under three months old. How often do you change your password?
Reply With Quote
  #287  
Old 06-03-2008, 05:39 PM
donby donby is offline
Hatchling Croc
 
Join Date: Mar 2008
Posts: 8
Default Re: Forced password update!

Quote:
Originally Posted by donby View Post
Their system won't allow for secure passwords. They only allow characters, upper and lower case, and digits. No special chars makes for a poor password.
My accounts were just under three months old. How often do you change your password?
Ok, I'll retract that now. I changed my cpanel password to a significantly strong 20 character, mixed case, alpha numeric with lots of special characters.
Sorry HG. Things do appear to be changing for the better.
Reply With Quote
  #288  
Old 06-03-2008, 11:11 PM
DarkSorrow DarkSorrow is offline
Swamp Croc
 
Join Date: Nov 2005
Location: Reeds Springs, Missouri
Posts: 250
Default Re: Forced password update!

Strong is good
__________________
sudo rm -rf /mnt/win32 ; sync ; dd if=/dev/random of=/mnt/win32/ooops bs=16384 ; sync
"Knowledge is Power, power corrupts, corruption is illegal. STOP LEARNING BEFORE YOU END UP IN JAIL!"
Reply With Quote
  #289  
Old 06-04-2008, 03:31 AM
cptbob123 cptbob123 is offline
Junior Croc
 
Join Date: Mar 2008
Posts: 114
Default Re: Forced password update!

Quote:
Originally Posted by donby View Post
Their system won't allow for secure passwords. They only allow characters, upper and lower case, and digits. No special chars makes for a poor password.
My accounts were just under three months old. How often do you change your password?
My password is pretty secure I would say. I use the random thingy in the FTP account manager to make random ones then store the password in a program. So I don't even know what my password is...

I change it whenever it's given out.. And when I feel like it.. roflol!
Reply With Quote
  #290  
Old 06-07-2008, 08:51 PM
justirw justirw is offline
Hatchling Croc
 
Join Date: Jun 2008
Posts: 3
Default Re: Forced password update!

okay, HELP !
ever since the email from hostgator.com on 5/24/08 when I made the mistake and followed the directions and I changed my password, I am unable to get into sitestudio. I try www.hostgator.com/build

I get to the "cpanel", I key in my username and the new password it gave me from,....https://secure.hostgator.com/password_reset/

and then I get this error from SiteStudio
.
The user you have indicated does not exist. Please make sure you enter your login correctly. SiteStudio may also be inaccessible because you have not registered with a host. In this case contact the support service.

HELP, SOMEONE PLEASE HELP.
THANK YOU
Reply With Quote
  #291  
Old 06-07-2008, 08:52 PM
regentronique regentronique is offline
King Croc
 
Join Date: Aug 2007
Location: Quebec,Canada
Posts: 969
Default Re: Forced password update!

Quote:
Originally Posted by justirw View Post
okay, HELP !
ever since the email from hostgator.com on 5/24/08 when I made the mistake and followed the directions and I changed my password, I am unable to get into sitestudio. I try www.hostgator.com/build

I get to the "cpanel", I key in my username and the new password it gave me from,....https://secure.hostgator.com/password_reset/

and then I get this error from SiteStudio
.
The user you have indicated does not exist. Please make sure you enter your login correctly. SiteStudio may also be inaccessible because you have not registered with a host. In this case contact the support service.

HELP, SOMEONE PLEASE HELP.
THANK YOU
Have you reported this to LiveChat or opened a ticket regarding this issue?
Reply With Quote
  #292  
Old 06-07-2008, 08:58 PM
justirw justirw is offline
Hatchling Croc
 
Join Date: Jun 2008
Posts: 3
Default Re: Forced password update!

oh yes, that is the other amusing thing.
I reported it, and it said it would send me an email shortly with the ticket number, yea well, still haven't seen an email with the ticket number and I tried it twice, got to the screen where it said it would send me an email with the ticket number, haven't seen email yet. (and it's been quite awhile since the last attempt)

I opened a chat issue (twice already with two different people, first person said, oh yea, we know it's an issue with sitestudio and this password email, second person said nothing about that), they said, well, send email to support@hostgator.com

done that, sent the email, haven't heard anything back yet, not even a "automated acknowledgement" that "hey, we recognize you have a problem, and here's a ticket number".

my email address hasn't changed, next time it will be a cold day in he** before I follow this idiotic "change your password advice again".
Reply With Quote
  #293  
Old 06-07-2008, 09:06 PM
regentronique regentronique is offline
King Croc
 
Join Date: Aug 2007
Location: Quebec,Canada
Posts: 969
Default Re: Forced password update!

With all the recent server problems adding to the preceding password problems, the ticket response time would be quite a bit higher.

I would not expect a ticket response from them for at least 4 hours, so do not send another reply to your ticket so it won't go back to the bottom of the waiting queue.

You can go login to http://support.hostgator.com/index.php to view if they received the ticket and if they had replied, just in case there is also an email issue with your account.
Reply With Quote
  #294  
Old 06-07-2008, 09:14 PM
justirw justirw is offline
Hatchling Croc
 
Join Date: Jun 2008
Posts: 3
Default Re: Forced password update!

the second "supposed ticket generation email " that never arrived was within the 4 hours, however the first "supposed ticket generation email" that never arrived was well over 4 hours ago, well, over 8 hours ago, etc.
etc.


Thanks much for the website, I logged in, and lo and behold it showed several tickets there from me. YEA. It would have been nice had it actually emailed these ticket numbers to me (by the way, I know my email works, since I typed my password wrong on purpose into the support site, and it actually sent me an automatic email with the password).

Thanks again for the link.
Reply With Quote
  #295  
Old 07-06-2008, 08:05 AM
mikesmithfl mikesmithfl is offline
Hatchling Croc
 
Join Date: Jul 2007
Location: north central FL, USA
Posts: 23
Default Re: Forced password update!

I'm reading and rereading this, it's hard to follow any logical, rational pattern.

I didn't get a message, does that mean I'm OK?

What customers is this for - dedicated, resellers, shared accts?
Reply With Quote
  #296  
Old 07-06-2008, 07:46 PM
chr1831 chr1831 is offline
Baby Croc
 
Join Date: Mar 2008
Location: Los Angeles, California
Posts: 99
Default Re: Forced password update!

No one can figure out why I never got the email, did everyone else get the email???

-Chris
Reply With Quote
  #297  
Old 07-07-2008, 07:14 AM
RainbowViper RainbowViper is offline
King Croc
 
Join Date: Mar 2008
Location: St Paul MN
Posts: 814
Default Re: Forced password update!

No, not everyone got it. I didn't. None of my passwords changed. If you can still login to "everything", you don't need to worry.

I would suggest, though, that if your passwords aren't secure (the score being at least into the yellow), that you change them. It's just good practice. Personally, I always choose one that scores green.
Reply With Quote
  #298  
Old 07-29-2008, 03:38 PM
RAMWolff RAMWolff is offline
Hatchling Croc
 
Join Date: Jul 2008
Posts: 1
Default Re: Forced password update!

Well, it wasn't clear to me WHY I had a sudden reset. Nothing within the email to indicate why this was happening. It was sudden and absolute. I even followed the instructions and then couldn't even log into my cPanel at first and created a ticket. The nice person wrote cranky me back and provided me a link to this thread and said they were able to get into my panel using the provided user name and password. So I'm all set but I really think it could have been handled a tiny bit better!!

Thanks for the explanation of what's going on!

I can't subscribe to this thread using the Thread Tools drop down menu? I don't have permissions?? WTF? Being a moderator in the past at varying sites these tools are usually for the end user. If they are for admins then they need to be set to "hidden" so end users are not confused and try to use them!
Reply With Quote
  #299  
Old 09-28-2008, 10:22 AM
tpeck tpeck is offline
Hatchling Croc
 
Join Date: Feb 2008
Posts: 4
Default Re: Forced password update!

What an extraordinary thread! For the first time in ages I am unable to absolutely positively agree or disagree with just about everyone and everything in it. Did I ever learn a lot though? You bet.

For one thing we have an owner of a hosting company who's a good guy and champions free speech. But at the same time freely continues to allow to be revealed what can only be described as pretty appalling security glitches.

You wanna leave Hostgator knowing that other hosting companies out there are keeping this sort of thing under wraps? Not me.

We have a staff member who closes the forum but just before he does, mouths off to bodypainter for repeatedly asking the same question - in my view, the most important question possible in a thread about password security: how to definitively go about choosing a secure password. It wasn't actually answered - though many tried. How can a company use another company's product for such an important purpose and not be able to categorically know how cpanel allows passwords to be framed? To be told to ask cpanel is just about the dumbest thing I have ever read written by a support staffer. On the other hand, this chap also wrote what has to be the most concise help and sensible viewpoint on password security I have ever come across.

We have resellers in this thread with legit complaints about this foul up but who get stuck in to folks like digitaltoast who try to provide some perspective. Then again, it's useless to deny some people really got hurt.

And even Max the forum-hater had a point. This thread should be turned in to a novel with the best character list since War And Peace.

I wonder how many posters though, have actually been hacked at HG? I have. It was a horrible experience. My fault? I don't believe so. Hostgator's? Who knows? These things are hard to prove either way.

You can have a password the length and strength of pi to a thousand places and it's all for nought if HG itself is hacked.

The bottom line, at least for me, is...if you think it's bad at HG, you don't want to be anywhere else after reading this thread. I've been with other hosts and some of them should be locked up for ever with 256 bit encryption on the lock.

I'm grateful to Brent for the continuing window on this subject, but to tell you the truth, I'm more scared now than ever before. But more scared to move.

Perhaps it's time to up my dose.

Forced password change or no forced password change? Either way, someone's gonna get fried. 'Fess up or hire a PR firm to treat us all like mushrooms?

I really don't know any more.
Reply With Quote
  #300  
Old 09-28-2008, 03:44 PM
mvandemar mvandemar is offline
Hatchling Croc
 
Join Date: Mar 2008
Posts: 23
Default Re: Forced password update!

Quote:
Originally Posted by tpeck View Post
I really don't know any more.
Why the hell would you bump a 5 month old dead thread that had not been replied to in 2 months, and that people were no longer upset about? What purpose could that possibly serve?

-Michael
Reply With Quote
All times are GMT -6.