  #301  
Old 09-28-2008, 04:13 PM
regentronique regentronique is online now
King Croc
 
Join Date: Aug 2007
Location: Quebec,Canada
Posts: 960
Default Re: Forced password update!

Quote:
Originally Posted by mvandemar View Post
Why the hell would you bump a 5 month old dead thread that had not been replied to in 2 months, and that people were no longer upset about? What purpose could that possibly serve?

-Michael
Wrong! There are STILL people upset about it...
  #302  
Old 09-28-2008, 04:17 PM
mvandemar mvandemar is offline
Hatchling Croc
 
Join Date: Mar 2008
Posts: 12
Default Re: Forced password update!

Quote:
Originally Posted by regentronique View Post
Wrong! There are STILL people upset about it...
Well, yeah... now that it's been brought up again. But I'm willing to bet you didn't awaken from nightmares this morning screaming, "Damn you! Damn you and your new passwords!".

In fact, I'm guessing it's been months since you even thought about it at all.

-Michael
  #303  
Old 09-28-2008, 04:43 PM
regentronique regentronique is online now
King Croc
 
Join Date: Aug 2007
Location: Quebec,Canada
Posts: 960
Default Re: Forced password update!

Quote:
Originally Posted by mvandemar View Post
Well, yeah... now that it's been brought up again. But I'm willing to bet you didn't awaken from nightmares this morning screaming, "Damn you! Damn you and your new passwords!".

In fact, I'm guessing it's been months since you even thought about it at all.

-Michael
Wrong again! Each week I have at least one thought about the wrongdoing of many people concerning the forced password threads. Mostly because even if Brent Oxley asked his staff to put back the main thread about it to its state before one employee badly censored it. Maybe 50% of the thread modifications were repaired, but many posts were still badly modified...

So, please do not try to represent all other people of this forum in your own comments. Some are thinking like you and others don't...
  #304  
Old 09-28-2008, 07:12 PM
tpeck tpeck is offline
Hatchling Croc
 
Join Date: Feb 2008
Posts: 2
Default Re: Forced password update!

Because I'm 57 years old?

...and two months is just a hiccup to a guy like me, maybe not you.

I hoped I'd contributed something meaningful - maybe not. Is HG any more secure now than it was 5 months ago? Did the password changes work? I don't really see why they would make that much difference if security was so lax in the first place. And modernbill wasn't even going to be updated before the resets. Way out there!

I was hacked four, five weeks ago. My password often changes so I didn't receive the dreaded email in May. I have good reason to believe the attack was HG's side and now I'm leaning even more to that conclusion. But I'm not crucifying HG just yet. At any given time HG (and everyone else with accounts just waiting to be compromised) has hundreds of hackers going for it. New exploits will probably always be found. But the idea that hack attacks only come from weak passwords and scripts - I don't buy.

My point is that password changes are useless if the host's security is woeful. I would like to see HG implement some kind of rock-solid policy in that regard. Make it known, understandable, as tough as can be expected, and give bodypainter his long-awaited definitive answer. If that can't be done, it might be time to move on, but like I say - that gives me the shudders too.

Until that happens, expect a few more bumps in the night.
  #305  
Old 10-19-2008, 01:17 AM
AaronLS AaronLS is offline
Hatchling Croc
 
Join Date: Oct 2008
Posts: 3
Default Re: Forced password update!

Is it necessary that the "SSH access request form" place the user password in plain text in the ticket it creates? By doing so the employees can see my password and you are recreating the potential for this same problem again.

What if my site handled sensitive information, such as an ecommerce site? The employee could log in with my credentials, query tables, and collect sensitive information, and log out. My visitors' sensitive information could be used to defraud them. They might experience identity theft, and what's worse, it'd be difficult for them to know where the criminal got the information, since most people these days do business with numerous online businesses. The criminal could repeat the process numerous times, and since they aren't damaging or modifying my site, then I'd probably never realize it.
  #306  
Old 10-19-2008, 02:08 AM
slapshotw slapshotw is offline
Veteran Croc
 
Join Date: Jun 2006
Posts: 5,163
Default Re: Forced password update!

Many Hostgator employees can login to your server and browse your tables anyway, without your SSH password--they have root access to your box.

That doesn't necessarily excuse the plain-text issue, but you should know that the situation you described could theoretically happen on any shared server you have your data on.
__________________
Follow me on Twitter! http://twitter.com/mrw
All times are GMT -6. The time now is 10:54 PM.
