  #101  
Old 05-25-2008, 04:16 AM
navjotjsingh navjotjsingh is offline
Hatchling Croc
 
Join Date: Apr 2007
Posts: 16
Default Re: Forced password update!

BTW, your email was classified as a phishing attack and links in it have been disabled by Gmail. Can you check, as I found out about this thread from my Spam folder.
  #102  
Old 05-25-2008, 04:18 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Default Re: Forced password update!

Quote:
Originally Posted by OneManShow View Post
Also, I didn't receive anything about the warning via my e-mail?
Gmail had marked it as phishing. Check your spam folder, make sure you "unmark as phishing".
Quote:
Originally Posted by rmcewan View Post
Brent - typically, a company would inform its customers of a potential security breach by snail-mail and would enact an auto password change only after some period of notification
Er, unless terminology has changed, snail mail to me means getting a printer to print several hundred thousand letters, stuff them into envelopes and put a stamp on them and then they can take 10-14 days to get across the pond for my local postman or anyone in between to steal them. You didn't seriously mean that, did you?
Quote:
Originally Posted by supernix View Post
Telling me about the possible breaches to my security shows concern, but changing my pass without consent shows lack of respect.
I don't know whether to ROFL or cry at that. I don't even think I could form a reasoned reply to an unreasoned post
Quote:
Originally Posted by ShelbyGuy View Post
If you are so dissatisfied why do you hang around? Many long-time users are very happy here. I have been with some HUGE hosting companies that cannot hold a candle to HostGator! I have been hosting sites since 1997 and HG is the best yet! Fanboy? Yes, I guess I am.
I've just moved here from site5, previously Powweb, previously Pipex - if anyone thinks HG have any problems, you should seriously try a spell with another host. This has been handled way better than any of them have ever handled anything.
Quote:
Originally Posted by maxthompson View Post
max: gIVE ME HIS EMAIL - i DON'T DO FORUMS. oTHERWISE i'LL START MIGRATING.
Cody S: One moment please.
Cody S: What is the last 4 digits of your credit card number on file?
max: I don't know
Quote:
Originally Posted by quietFinn View Post
It is very amazing how desperate need some people have to make themselves a fool
This guy "doesn't do forums" but he had to post this...
Lol! I thought exactly the same! What a complete (and that gator is NOT playing a guitar!).

My only problem is - what kind of system lets staff see plain passwords? I've never worked in a place where this is so.
BUT...I have worked in places where similar things have happened, and you wouldn't believe the kind of crap that was made up to cover it. At least the email alluded to the reasons, if not as transparent as the post in this thread.
  #103  
Old 05-25-2008, 04:27 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Default Re: Forced password update!

Quote:
Originally Posted by golddave View Post
When I try to change it in CPanel I get an error saying that I can't change it because the password is based on a dictionary word. While it is based on a dictionary word it includes a number/letter substitution. Everywhere else I have tried to use this method of changing a dictionary word it has been accepted. So why not here?
Presumably because they use a better crack dictionary?
Quote:
Some of these dictionary crackers can "manipulate" each word in the wordlist by using filters. These rules/filters allow you to change "idiot" to "1d10t" and other advanced variations to get the most from a word list.
Quote:
Originally Posted by golddave View Post
And if I can't use a password based on a dictionary word then how am I supposed to remember it?
You're not - you need something like the multi-platform KeePass.
  #104  
Old 05-25-2008, 05:01 AM
shuriway shuriway is offline
Hatchling Croc
 
Join Date: Apr 2006
Location: UK
Posts: 23
Default Re: Forced password update!

Anyone else having problems accessing cpanel?
  #105  
Old 05-25-2008, 05:23 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Default Re: Forced password update!

Quote:
Originally Posted by shuriway View Post
Anyone else having problems accessing cpanel?
What kinda problems? Is everything else on your server working OK? Have you tried the live chat? I'm in OK on my cpanel, but then I'll be on a different server (xlr)
  #106  
Old 05-25-2008, 06:57 AM
bodypainter bodypainter is offline
Hatchling Croc
 
Join Date: Nov 2004
Location: Sarasota, FL
Posts: 37
Default Re: Forced password update!

Quote:
Originally Posted by shuriway View Post
Anyone else having problems accessing cpanel?
My cPanel is working except it wouldn't accept any of the passwords I wanted to use.

And now I've forgotten the randomly assigned password I was given yesterday so I guess I'm stuck with it until I bother to contact support. I've been waiting for a definition of an acceptable password before I do that, but it seems likely now that HostGator doesn't know exactly what constitutes a valid password.

wtg HG.
__________________
Many is the word that only leaves you guessing. I live for my dreams and a pocket full of gold.
  #107  
Old 05-25-2008, 07:07 AM
golddave golddave is offline
Hatchling Croc
 
Join Date: Jan 2005
Posts: 32
Default Re: Forced password update!

Quote:
Originally Posted by gwyneth View Post
You're not supposed to be able to remember it (at least easily). That might sound flip, but it's not--something that's easy to remember would be easy to crack.

Perhaps the letters remaining in the rejected password form another word?

The concept of "secure" means as close to random a selection as possible.

There are many things that are easy to remember that are not easy to crack. Don't lecture me about security. I'm in the security business and know plenty about the issue.
  #108  
Old 05-25-2008, 07:10 AM
rmcewan rmcewan is offline
Hatchling Croc
 
Join Date: Apr 2005
Posts: 6
Default Re: Forced password update!

Quote:
Originally Posted by digitaltoast View Post
Gmail had marked it as phishing. Check your spam folder, make sure you "unmark as phishing". Er, unless terminology has changed, snail mail to me means getting a printer to print several hundred thousand letters, stuff them into envelopes and put a stamp on them and then they can take 10-14 days to get across the pond for my local postman or anyone in between to steal them. You didn't seriously mean that, did you?
I don't know whether to ROFL or cry at that. I don't even think I could form a reasoned reply to an unreasoned post
I've just moved here from site5, previously Powweb, previously Pipex - if anyone thinks HG have any problems, you should seriously try a spell with another host. This has been handled way better than any of them have ever handled anything. Lol! I thought exactly the same! What a complete (and that gator is NOT playing a guitar!).

My only problem is - what kind of system lets staff see plain passwords? I've never worked in a place where this is so.
BUT...I have worked in places where similar things have happened, and you wouldn't believe the kind of crap that was made up to cover it. At least the email alluded to the reasons, if not as transparent as the post in this thread.
Wow, thanks for all your advice digital. We are all wiser for your presence.
  #109  
Old 05-25-2008, 07:15 AM
golddave golddave is offline
Hatchling Croc
 
Join Date: Jan 2005
Posts: 32
Default Re: Forced password update!

Quote:
Originally Posted by digitaltoast View Post
Presumably because they use a better crack dictionary?
You're not - you need something like the multi-platform KeePass.

I see. So to upgrade my security I'm supposed to change my password. Fair enough. But then I'm supposed to put a piece of software on my computer to remember the password. So now anyone with physical access to my computer can find ALL of my passwords. That's not exactly security since it's just transference of risk (transferring the risk from HostGator to me). It's just liability control at the inconvenience of the customer.

I'm not against the required password change. I'm just annoyed at the way it was done and how restrictive the new passwords must be.
  #110  
Old 05-25-2008, 07:36 AM
fuzzfree fuzzfree is offline
Baby Croc
 
Join Date: Dec 2004
Location: Greece
Posts: 69
Default Re: Forced password update!

Totally unprofessional.

- No clear instructions we should use the email address we signed up.
- First time the form submission took forever to load and stopped
- Re-submission of form with the address I signed up.. message "This IP has already been used. Please contact support for more information."
- Turn off/on my connection still same message..
- Now I am locked out from cpanel/whm
- A domain has exceeded its bandwidth and cannot reset limits...
- Waiting for live support... no success til now..
- all I need is the new password emailed to my address...

EDIT: live support provided me with the new password. OK.
  #111  
Old 05-25-2008, 07:45 AM
MrPete MrPete is offline
Hatchling Croc
 
Join Date: Mar 2007
Posts: 3
Default Re: Forced password update!

OK. I'm back in. It was no trouble at all... for the most part.

Some hints for others:
1) The cPanel response about "found in the dictionary" is a bug. The password strength checker gives that message, any time it thinks your password is too simple, no matter why.
2) I think a minimum of 8 characters is required, but not certain.
3) The new password can't be very similar to the previous one.

I think the strength checker has a bug in any case. For example, here is a password it would not allow due to "being in the dictionary": q1!W2@e3#

That's not completely random but is pretty good.

A password it fully accepted for me has six letters, one digit and a punctuation, in the pattern LLdLLLLp (L=letter, d=digit, p=punct). And two of the letters DO form a word. Yet it is an "ok" password.

Anyway, I recommend you just try again if it doesn't like your password.

Here's a strategy to create passwords you can remember but others can't guess:
* Think of a phrase that you can remember
* Pick out the first letter of each word
* Convert one or more letters to digits, add in some punctuation
* Make sure there are at least 8 characters when you are done.

The result will look random to others and memorable to you!

HGw8utc!

Looks random but is right at the top of this page
Reply With Quote
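An added example (not cPanel's or HostGator's code, whose actual rules are not given in this thread): a checker that applies the rules discussed here, namely the leet-reversing dictionary lookup quoted in post #103 and the length and similarity hints in post #111, and returns a separate reason for each rule so that a rejection is not reported as "dictionary word" whatever the cause. The wordlist, thresholds, reason names and the keyboard-pattern rule are assumptions made for the illustration.

```python
import difflib
import string

# Constructed sample wordlist; a real checker would load a large cracking dictionary.
WORDLIST = {"idiot", "password", "dragon", "monkey", "gator"}

# Substitutions that cracking rule sets apply, reversed here ("1d10t" -> "idiot").
LEET = str.maketrans("103457@$!", "ioeastasi")
# Shifted digit-row symbols mapped back to their keys (US QWERTY layout assumed).
SHIFT = str.maketrans("!@#$%^&*()", "1234567890")
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 8          # hint 2 in post #111 (the poster was not certain)
MAX_SIMILARITY = 0.8    # assumed threshold for "very similar to the previous one"


def deleet(pw):
    return pw.lower().translate(LEET)


def is_dictionary_based(pw):
    # Try the whole string, and the string with appended digits/punctuation removed.
    core = pw.rstrip(string.digits + string.punctuation)
    return deleet(pw) in WORDLIST or deleet(core) in WORDLIST


def is_keyboard_pattern(pw):
    # Letters and digit-row keys are checked separately: each group must be a
    # run along one keyboard row (either direction, repeated keys collapsed).
    s = pw.lower().translate(SHIFT)
    groups = ["".join(c for c in s if c.isalpha()),
              "".join(c for c in s if c.isdigit())]

    def is_run(g):
        g = "".join(c for i, c in enumerate(g) if i == 0 or c != g[i - 1])
        return any(g in row or g[::-1] in row for row in ROWS)

    groups = [g for g in groups if g]
    return bool(groups) and all(is_run(g) for g in groups)


def check_password(new, previous=None):
    """Return a list of distinct rejection reasons; an empty list means accepted."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("too-short")
    if is_dictionary_based(new):
        reasons.append("dictionary-word")
    if is_keyboard_pattern(new):
        reasons.append("keyboard-pattern")
    if previous is not None:
        ratio = difflib.SequenceMatcher(None, previous.lower(), new.lower()).ratio()
        if ratio >= MAX_SIMILARITY:
            reasons.append("similar-to-previous")
    return reasons
```

Under these assumed rules, `q1!W2@e3#` from post #111 is rejected as a keyboard pattern rather than as a dictionary word, and the phrase-derived `HGw8utc!` is accepted.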
  #112  
Old 05-25-2008, 08:21 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Thumbs up Re: Forced password update!

Quote:
Originally Posted by rmcewan View Post
Wow, thanks for all your advice digital. We are all wiser for your presence.
No problemo. I've been doing this for 12 years and people used to help me, so I'm just paying it forward!
Quote:
Originally Posted by golddave View Post
I see. So to upgrade my security I'm supposed to change my password. Fair enough. But then I'm supposed to put a piece of software on my computer to remember the password. So now anyone with physical access to my computer can find ALL of my passwords.
Er, I'm not entirely sure you read the KeePass site properly! You enter your passwords into the vault, then lock the vault with a ridiculously good password. Then remember it. Maybe write it backwards on a bit of paper and put it under a floorboard? From the site:
Quote:
Even if you would use all computers in the world to attack one database, decrypting it would take longer than the age of the universe.
Even quantum computers won't help that much. The algorithms are symmetric so its complexity would be reduced a bit, anyway, the sun will go nova before you have decrypted the database.
The complete database is encrypted, not only the password fields. So your usernames, notes, etc. are protected, too.
SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.
In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
Two of the largest companies I have worked for trust this, one is one of Europe's largest car rental companies, the other is a large utility, in one case they built the source to be extra sure. I'm pretty sure if it's good enough for them....then you won't like it anyway.
Besides, you should never have the same password for two sites.
  #113  
Old 05-25-2008, 09:05 AM
Target2019 Target2019 is offline
Junior Croc
 
Join Date: Feb 2008
Posts: 108
Default Re: Forced password update!

I can still login to my reseller Cpanel and WHM with the password assigned by HG in February of 2008. I'm guessing that I am in the clear and can stop following the thread.
  #114  
Old 05-25-2008, 09:24 AM
columbonet columbonet is offline
Hatchling Croc
 
Join Date: Sep 2007
Posts: 4
Default Re: Forced password update!

Quote:
Originally Posted by shuriway View Post
Anyone else having problems accessing cpanel?
It let me change the password but will not let me access the cpanel page now. I keep getting a time out error.
  #115  
Old 05-25-2008, 09:32 AM
jabguit jabguit is offline
Hatchling Croc
 
Join Date: Feb 2007
Posts: 2
Default Re: Forced password update!

To which account is this 'new' password applied? Forum? Mail account? The term 'account' is kind of vague.
  #116  
Old 05-25-2008, 09:34 AM
UT3MODS UT3MODS is offline
Hatchling Croc
 
Join Date: Jan 2008
Posts: 1
Default Re: Forced password update!

I get a timeout error also when trying to access the cpanel. The live support people seem to access the page ok. Are you guys blocking access to IPs outside your network?
  #117  
Old 05-25-2008, 09:35 AM
jabguit jabguit is offline
Hatchling Croc
 
Join Date: Feb 2007
Posts: 2
Default Re: Forced password update!

I can't even log into my CPanel.
  #118  
Old 05-25-2008, 09:41 AM
columbonet columbonet is offline
Hatchling Croc
 
Join Date: Sep 2007
Posts: 4
Default Re: Forced password update!

cpanel loads now. hopefully that was just a temp glitch
  #119  
Old 05-25-2008, 10:02 AM
shuriway shuriway is offline
Hatchling Croc
 
Join Date: Apr 2006
Location: UK
Posts: 23
Default Re: Forced password update!

Quote:
Originally Posted by columbonet View Post
cpanel loads now. hopefully that was just a temp glitch
I still can't login to cpanel. Support told me it was an "internet" problem with port 80. No idea what this means to be honest.

Last edited by shuriway; 05-25-2008 at 10:29 AM.
  #120  
Old 05-25-2008, 10:30 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Default Re: Forced password update!

Quote:
Originally Posted by jabguit View Post
To which account is this 'new' password applied? Forum? Mail account? The term 'account' is kind of vague.
Cpanel/WHM. If you can login to cpanel, then you're probably not affected
Quote:
Originally Posted by shuriway View Post
I still can't login to cpanel. Support told me it was an "internet" problem with port 80. No idea what this means to be honest.
Does your normal website load OK? If not, can you try a tracert?
ie: (windows) open a command prompt and type
tracert <yourservername> and see if it completes. I had a bit of trouble with the ssh port the last couple of days, it seems their firewall is very touchy about anything that looks remotely like a scan or DOS attack.
  #121  
Old 05-25-2008, 10:32 AM
shuriway shuriway is offline
Hatchling Croc
 
Join Date: Apr 2006
Location: UK
Posts: 23
Default Re: Forced password update!

Quote:
Originally Posted by digitaltoast View Post
Cpanel/WHM. If you can login to cpanel, then you're probably not affected
Does your normal website load OK? If not, can you try a tracert?
ie: (windows) open a command prompt and type
tracert <yourservername> and see if it completes. I had a bit of trouble with the ssh port the last couple of days, it seems their firewall is very touchy about anything that looks remotely like a scan or DOS attack.
Yes I can reach all my websites. Support told me they were on a different port to cpanel?????
  #122  
Old 05-25-2008, 10:42 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Default Re: Forced password update!

Quote:
Originally Posted by shuriway View Post
Yes I can reach all my websites. Support told me they were on a different port to cpanel?????
Yes, that's correct. Each port on a server can accept/block/run a completely different protocol and webserver/site.
This was just to establish that the actual server itself was running. OK, try this (if you haven't already)
For WHM: (reseller type stuff)
http://<yourserver>:2086/ or https://<yourserver>:2087/

and for normal shared accounts:
http://<yourserver>:2082/ and https://<yourserver>:2083/
any of those work for you?
  #123  
Old 05-25-2008, 10:47 AM
shuriway shuriway is offline
Hatchling Croc
 
Join Date: Apr 2006
Location: UK
Posts: 23
Default Re: Forced password update!

Quote:
Originally Posted by digitaltoast View Post
Yes, that's correct. Each port on a server can accept/block/run a completely different protocol and webserver/site.
This was just to establish that the actual server itself was running. OK, try this (if you haven't already)
For WHM: (reseller type stuff)
http://<yourserver>:2086/ or https://<yourserver>:2087/

and for normal shared accounts:
http://<yourserver>:2082/ and https://<yourserver>:2083/
any of those work for you?
I'm on a shared server. No, neither works. They just hang.
  #124  
Old 05-25-2008, 10:52 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Default Re: Forced password update!

Quote:
Originally Posted by shuriway View Post
I'm on a shared server. No, neither works. They just hang.
OK, and just to be sure, you are definitely putting https in front of the server when using port 2083?
  #125  
Old 05-25-2008, 10:59 AM
corgipower corgipower is offline
Baby Croc
 
Join Date: Jul 2007
Posts: 57
Default Re: Forced password update!

Quote:
Originally Posted by gwyneth View Post
You're not supposed to be able to remember it (at least easily). That might sound flip, but it's not--something that's easy to remember would be easy to crack.

Perhaps the letters remaining in the rejected password form another word?

The concept of "secure" means as close to random a selection as possible.
True, but if it's random, how do you remember it??
__________________
dog training