Forced password update!

[Kitsune]

Quote:

Originally Posted by bodypainter

What is the criteria for an acceptable password as defined by CPanel? All of the ones I want to use (and which are acceptable where I work, for my online banks, etc) are being rejected.

This is my 4th request for this information.

A word or words that are 10 or more characters combined, followed by 2 or more numbers. I dont find it that strict, my college doesnt allow us to use ANY words at all in our passwords.

[lxndr]

Quote:

Originally Posted by ShelbyGuy

If you are so dissatisfied why do you hang around? Many long-time users are very happy here. I have been with some HUGE hosting companies that cannot hold a candle to HostGator! I have been hosting sites since 1997 and HG is the best yet! Fanboy? Yes, I guess I am.

Although the above is not directed to me I would like to point out that this is NOT about being generally happy or not with Hostgator as in terms of general support and uptime and facilities I'm pretty content .. it's simply about the password debacle .. and fanboy comments like yours contribute nothing meaningful to the debate.

[kitfanc]

Quote:

Originally Posted by bodypainter

What is the criteria for an acceptable password as defined by CPanel? All of the ones I want to use (and which are acceptable where I work, for my online banks, etc) are being rejected.

This is my 4th request for this information.

As near as I can tell, along with numbers, it will only accept random letters. If even 2 of your letters spell a word that can be found in the dictionary, it will be rejected.

It's a very sensitive program. not everyone uses it. HostGator does.

CJ aka kitfanc

[windy]

I must say that I was asked for a great deal of detail before the gentleman in live chat would asset me on my password change. I am senile and I flip things when I type, so changing passwords is frustrating beyond belief. But having read the reason, I can understand their concern.
Even this old senile ninny created a different password for the forum then for my cpanel. Come on folks. You are web masters, right? You do know PHP then. Do a view source. Okay now setup your browser so it won't run any scripts or active X or anything without your permission. Make sure nothing can set a cookie without asking. You are in charge of your security, not HostGator.

I am not pleased at having to change my password. I can remember things I did when I was five years old, but remembering what I did yesterday is a problem. So, I am not amused.

However, if someone knows that your bank account can be hacked and they send you a snail mail on it, it is a useless legal tool to alleviate them from the responsibility for the hack. If they change your password and protect you, they have taken the chance to get you angry in order to protect you.
I do not think any of you can have a harder time with a password change then I will. However, I will say Thank You to the folks that cared enough about me to step over the line in my defense.

Thank you
gayle

[Bobby Watson]

> You are in charge of your security, not HostGator.

That's not entirely true. And the problem is not changing a password but of being locked out without adequate means of reopening.

[bodypainter]

I'd like to hear from someone who has "Gator" in their username what the precise requirements are for the password.

I know there must be such a definition, my employer has one, my on-line bank has one. I don't understand Hostgator won't tell me what ours is.

[GvilleRick]

The password change in cPanel is controlled by cPanel and not HG. I searched some in the cPanel forums but haven't found a good description of the requirements for a password there. cPanel 11 does have a password strength indicator when using the X3 skin which should make it easier to determine what cPanel is after.

[galiel]

Ok, despite everything, I gave this one more shot. I followed the instructions "GatorBrent" (at this point, I'm not sure I even trust that the usernames on this forum haven't been hacked) gave me in a private message.

I went to this supposedly secure page, gave information I don't want to give out based on this abortion of a procedure, and got the following error message:

"This IP has already been used. Please contact support for more information."

Starts with an email addressed to the wrong person, written like a classic phishing scam.

Then tech support sends me my old password, in plaintext, in an email - not that I requested it - but they get one character wrong.

Then I get a private message, supposedly from Brent, asking me to provide my domain, username, password (asking for my password "to get your password"!) and last 4 of my cc. Asking me to type it on an insecure page in a private message on a public forum after we have been warned, supposedly by a post the company CEO in a public forum, that the company has been exposed to and is vulnerable to multiple security breaches (but, of course, none have happened yet to their knowledge).

Then I get an email, supposedly from support, asking me to send my billing information and last 4, via email, to get my new password - when what I asked was to have my old password restored.

Then I try to follow the instructions given by "GatorBrent", because I just can't believe someone could orchestrate such an elaborate social engineering/takeover of all of HostGator's systems, and that this must be simple incompetence on the company's part. And, guess what? The instructions don't even friggin' work. Guess it wasn't hackers.

And, remember, this entire thing WAS LAUNCHED ON A FRIDAY AFTERNOON BEFORE MEMORIAL DAY 3-DAY WEEKEND!!

What's next? Is HostGator going to refuse to give us our passwords in the first place, on the grounds that we might share them with someone or write them on a sticky note and put them next to our computer? Are we going to have to get a note from our mothers granting us permission to access the accounts we pay HostGator for?

I have been a customser for a long time. I have always been happy with HostGator's tech support, customer support, general service, features and reliability.

This just does not seem like the company I know.

The alternative, that the website, forums, live chat, tech support, ticket system, and servers, have been taken over by malicious people (or aliens from outerspace, for all it matters) is too tin foil for me to believe.

But, believing Brent and co. could perpetuate such an utterly incompetent series of events is stretching my credulity to the point that I don't know WHAT to believe any more.

All I know is I want access to my files and my clients' files so we can get the hell off this service and move somewhere sane.

[gwyneth]

Quote:

Originally Posted by RainbowViper

(P.S. I'm envious of where you live, if your "location" is true. :P)

Well, during the winter it's a hovel a few miles away on the mainland.

[OneManShow]

OMG, what you guys are doing here?
You must thanks HostGator that they take care of our Hosting accounts.
If this happen in another Hosting Company, no one will talk about it and they will leave their customers under the mercy of any employee.
Thank you HostGator for holding your responsibility about our accounts.
Thank you again.......

[kingcaw]

I followed the instructions provided in the email and in this post, and although the form you fill in gave me a new password, I now can't actually access my cpanel.

I tried my new pass in the login box, and it didn't work, so I tried my old one, seemed to accept it, but then wouldn't load up my actual cpanel; instead I end up with an error saying the server can't be contacted.

I know its not an actual problem with my account or the server i'm on, as I can see my sites without issue; so I haven't got a clue whats happening.

As a couple of guys have said, it all seems very fishy but its also hard to beleive someone would go so far as to completely hijack HG and impersonate the owners.

[Sweeper]

Quote:

Originally Posted by kingcaw

I followed the instructions provided in the email and in this post, and although the form you fill in gave me a new password, I now can't actually access my cpanel.

I tried my new pass in the login box, and it didn't work, so I tried my old one, seemed to accept it, but then wouldn't load up my actual cpanel; instead I end up with an error saying the server can't be contacted.

I know its not an actual problem with my account or the server i'm on, as I can see my sites without issue; so I haven't got a clue whats happening.

As a couple of guys have said, it all seems very fishy but its also hard to beleive someone would go so far as to completely hijack HG and impersonate the owners.

I'm having the same problems. Can't access Cpanel but my sites are showing up and hopefully they will continue to!

[OneManShow]

Quote:

Originally Posted by kingcaw

I followed the instructions provided in the email and in this post, and although the form you fill in gave me a new password, I now can't actually access my cpanel.

I tried my new pass in the login box, and it didn't work, so I tried my old one, seemed to accept it, but then wouldn't load up my actual cpanel; instead I end up with an error saying the server can't be contacted.

I know its not an actual problem with my account or the server i'm on, as I can see my sites without issue; so I haven't got a clue whats happening.

As a couple of guys have said, it all seems very fishy but its also hard to beleive someone would go so far as to completely hijack HG and impersonate the owners.

Quote:

Originally Posted by Sweeper

I'm having the same problems. Can't access Cpanel but my sites are showing up and hopefully they will continue to!

Submit a ticket to support, and they will fix it soon.

[GatorBrent]

It seems a lot of people here didn't read my original post

1. We don't outsource support at all. We have a few employees as remotes in Florida that use to work side by side with me. When we relocated to Texas a few of them couldn't move so we allowed them to stay with the company as remotes.

2. I never said we were hacked / compromised! You go to any company in the world with a few employees and there is no way 100% they can honestly tell you an employee or ex employee didn't take secure information with them. I've had my credit card skimmed at Applebees and at Dave and Busters. A friend of mine knows a stock broker at one of the major firms that's moving to a new company. He's taking his customer list with him.......

3. If we had to do it all over we most likely would have chosen modernbill as our billing system again. Why? When we started hostgator there was really only two options and modernbill had the best reputation at the time. You go to almost any hosting company right now and the entire staff is going to be able to see your full password in plain text.

I could send one of my better employees to another hosting company and within a few weeks they would most likely have the entire companies username / pw list.

We are about to move over to our new billing system and have made this change to help be as secure as possible. Please don't hate us for being honest and upfront. We could have left all your passwords the same and most likely nothing would have ever happened. Would that have been the smart thing to do knowing some of the inside details I gave?

We have become one of the largest hosting companies in the world and with that we can't expect to get away with how smaller hosting companies run.

I know it's a pain but what if we ignored this whole situation..... Maybe 99% chance nothing would have happened but even at one percent chance of having accounts hacked I think we made the right decision.

[regentronique]

Quote:

Originally Posted by GatorBrent

...

I could send one of my better employees to another hosting company and within a few weeks they would most likely have the entire companies username / pw list.

We are about to move over to our new billing system and have made this change to help be as secure as possible. Please don't hate us for being honest and upfront. We could have left all your passwords the same and most likely nothing would have ever happened. Would that have been the smart thing to do knowing some of the inside details I gave?

We have become one of the largest hosting companies in the world and with that we can't expect to get away with how smaller hosting companies run.

...

If you are so concern regarding our account access security, why do you still allow anyone of this forum to get access to all others customers main account username?

There is 2 pieces of information needed to get access to our hosting account, the username and the password. Both of them should be secured, not only the password!

[gwyneth]

Quote:

Originally Posted by regentronique

If you are so concern regarding our account access security, why do you still allow anyone of this forum to get access to all others customers main account username?

I don't think that's true--where's this available?

[regentronique]

In your own profile anyone can read this :

About gwyneth
Location
***********************
Account Type
*****
Package Type
**********
User Name
******
Hosted Domain Name
**************
HostGator Server
**************

[Bobby Watson]

You don't have to provide that information to register on the forum. I didn't anyway.

[regentronique]

Quote:

Originally Posted by Bobby Watson

You don't have to provide that information to register on the forum. I didn't anyway.

It is HostGator that put it there for most of the users ...

[GvilleRick]

Quote:

Originally Posted by regentronique

If you are so concern regarding our account access security, why do you still allow anyone of this forum to get access to all others customers main account username?

This is a rather odd claim, as far as I can see. Unless someone posts their username in a post there is no way we can see their username. The only thing I can think of that you are referring to is the username showing under your forum ID but that is only visible to the person logged into that ID.
The company I worked for before decided to change their policy to only allow randomly created usernames (for new accounts.) It was done to make it harder for hackers to break into accounts since we had seen a number of exploits. There were tons of "I will take my business elsewhere" posts in the forum there at the time.

[WildCelticRose]

This all looks just a bit too much like a phishing scam for my liking, and I'm not about to click on a link sent via email. Nope... NOT going to happen.

I'm going to wait a bit longer before filling out a form and giving out all my information.

I have yet to see anyone from HostGator tell us exactly what an acceptable password is.

[bodypainter]

Quote:

Originally Posted by GatorBrent

It seems a lot of people here didn't read my original post

GatorBrent,

What exactly are the requirements for an acceptable password?

[edit] This has been answered at least 4 times by others in the forum.


To be more specific, I'm asking how many characters are required, if any characters are not allowed, if any characters must be shifted or numeric, etc.?What other rules are there?

Since you are making such a Big Deal of this, I think you owe us this information.

[Tom-KH]

I have also one small question.

Wenn you are reseller and you use Enom from Hostgator. And you pay for domains with Creditcard (automatic).
Is this information then still secure?

For me the password change is no big problem. I'm happy that Hostgator is telling us this. Manny big companys will keep this kind of information about ex employes intern. And HG is now just playing onnest with us.

[gwyneth]

Quote:

Originally Posted by GvilleRick

This is a rather odd claim, as far as I can see. Unless someone posts their username in a post there is no way we can see their username. The only thing I can think of that you are referring to is the username showing under your forum ID but that is only visible to the person logged into that ID.
The company I worked for before decided to change their policy to only allow randomly created usernames (for new accounts.) It was done to make it harder for hackers to break into accounts since we had seen a number of exploits. There were tons of "I will take my business elsewhere" posts in the forum there at the time.

Rick, I'd thought you were right. But regentronique clearly just looked at my profile to discover all that stuff.

Users: you can (and should) remove details with "Edit details" in the User CP of this forum. I just did.

regentronique--you were right. Now would you PLEASE edit your post to get rid of my stuff (even though it's old)? Thanks--I really think you could have proved your point by saying "looking up a user's profile" without being so specific.

[GvilleRick]

Yeah, I apologize. Didn't realize that the Profile added that from signup. I agree that it is not a good idea to have the main username in there.