HostGator Peer Support Forums > HostGator Announcements > General Announcements
  #201  
Old 05-26-2008, 01:27 PM
GatorJamyn
HostGator Guest
 
Posts: n/a
Default Re: Forced password update!

Quote:
Originally Posted by Kazper View Post
2) You need to hire someone professional to handle your PR and communicate such cases as this. The email in question did look like phishing and was - unsurprisingly - marked as such by some email providers like Gmail, resulting in users not getting the mail at all. You are at a size now where you need someone in that position.
I will not disagree with this. Point made.

Quote:
Originally Posted by Kazper View Post
3) You REALLY need to test your scripts before they go live. Sending the wrong name to an unknown (but fairly large) number of users was about the worst foul up you could possibly make in an email of this importance, and where your first reason to trust it is "check we have your name"
I completely agree. I do not know how this slipped past QA. Regardless, I wouldn't be able to discuss it even if I did. I agree, your point is valid here as well.

Quote:
Originally Posted by Kazper View Post
4) I like that you are open and honest about the reasons in this thread. Good practice I don't see many places.
Thanks. Brent is a good man; things are not perfect in life (or business), but based on the many conversations I've had with him, I know he does his best to do what is right.

Quote:
Originally Posted by Kazper View Post
Ok.

Finally I just want to say to all those that say we should all use KeePass (or similar):

You don't understand security (like about half the security people in the world).

Someone else said that it's just transference of risk to the user, and this is absolutely correct.

The only difference between KeePass and sticky notes is one single password. If that password is compromised (brute-force, scamming, phishing, just someone looking over your shoulder) then you are SOL. Thus using such a single storage app for password storing is UNsecurity at its worst (almost - sticky notes are worse).
KeePass does not display the master password while it's being entered, of course.
It encrypts the database of passwords using AES-256. It attempts to evade spyware that would otherwise monitor the clipboard and keyboard hooks. If the user values the data inside the database, they will tie the database to the USB stick itself, which would require physical access as well as theft of the master password to open the database (the option to tie KP to the USB stick or some other PKI is built into KP software itself). I would argue something like this is not a perfect solution, but rather an improvement over the existing solution for most people.

It's not that people don't understand security. It's that people work within the bounds of realistic expectations. I would love for users to have 64 character completely random passwords, but I do not expect it. I realize that the majority of people will choose something simplistic, if given the opportunity.

Instead, I present an "easy" solution to the end user (something like KeePass) to make it easier to have a complex password everywhere while still having some convenience.

Yes, if someone compromises your primary KP password, you've got serious issues. But the responsibility of creating a secure password is always in the account holder's hands, and the difficulty of the password shows how much they value that asset. If they choose "cat" for their cPanel password, they do not value their databases/webpages/privacy of their email. If you assign no value to your KP master password (like any other password), and make it something simplistic, that's a personal decision and it's something people really have to accept as their responsibility.

Given what I've seen at most businesses after many years consulting, using something like KeePass (for the typical user) would be a huge step forward in account security compared to their standard password strengths and patterns, and that applies pretty much anywhere and everywhere.

I see no harm in recommending something that would be an improvement for the majority. If they do not treat their "master password" like they would their credit card or social security number, and if they do not take reasonable measures to secure their environment (desktop, etc) then regardless of whether they used a centralized database or not - each individual password would be compromised/sniffed over time anyway.

I am not going to argue that it is the perfect solution. I will argue that it provides an easy way to have difficult passwords for many different items in a convenient manner. True security is never convenient; the two are diametrically opposed. That does not mean the suggestion would not be an improvement for many. You work within what you are given until you can improve the process.
  #202  
Old 05-26-2008, 01:45 PM
calum's Avatar
calum calum is offline
Swamp Croc
 
Join Date: Jun 2007
Location: Aberdeen, Scotland
Posts: 326
Default Re: Forced password update!

Do HG use something like this:

http://www.whmezlogin.com/

?

I know it doesn't really solve the problems posted, but I am guessing you probably have something like this or some other setup.
  #203  
Old 05-26-2008, 01:52 PM
GatorJamyn
HostGator Guest
 
Posts: n/a
Default Re: Forced password update!

Quote:
Originally Posted by calum View Post
Do HG use something like this:

http://www.whmezlogin.com/

We do not use that product, but yes - we have a system that uses similar logic. Actual server passwords are not distributed to staff. I can't really discuss any of the other internal controls, as I'm sure you understand. Thanks!
  #204  
Old 05-26-2008, 01:57 PM
Kazper Kazper is offline
Hatchling Croc
 
Join Date: May 2008
Location: Denmark
Posts: 24
Default Re: Forced password update!

Quote:
Originally Posted by digitaltoast View Post
I'm sorry, I just don't agree. When I was at one of Europe's largest car companies, they used to keep the passwords in a book, in a strong safe. After an audit, they used KeePass (or Passwordsafe at that time) and passed the next audit. When I worked at an electric utility, they also used a version of Keepass.
Comparing physical notes kept in a safe to KeePass is actually pretty accurate. We just don't agree on how safe that practice is. Also - unlike a safe - if you use the mobile version of KeePass (and otherwise it's not much help) you will be entering the password/safe-code in more or less public places, which greatly increases the risk of being observed. Also it's a lot easier to brute-force a computer password than a safe.

Quote:
Originally Posted by digitaltoast View Post
You talk about a brute force attack, but you know, all the computers ever built working on one task taking longer than the Sun will survive to crack it? I'm happy with those odds!
Eh. You said you were employed in computer security? I'm seriously asking, because it sounds like you have no clue whatsoever about what brute-forcing means.

When you brute-force a password what matters is ONLY the strength of the password (barring any downright exploits in the encryption code). It doesn't matter how many bits of encryption KeePass uses, and the quote you use deals only with cracking their encryption - not brute-forcing at ALL, which is something else entirely.

Quote:
Originally Posted by GatorJamyn View Post
KeePass does not display the master password while it's being entered, of course.
No, but neither does an ATM, and people still get scammed out of cards and PIN numbers using those. It only takes someone looking at the keyboard with a good memory.

Quote:
Originally Posted by GatorJamyn View Post
It encrypts the database of passwords using AES-256. It attempts to evade spyware that would otherwise monitor the clipboard and keyboard hooks. I would argue it is not a perfect solution, but rather an improvement over the existing solution for most people.

[...]

I see no harm in recommending something that would be an improvement for the majority. If they do not treat their "master password" like they would their credit card or social security number, and if they do not take reasonable measures to secure their environment (desktop, etc) then regardless of whether they used a centralized database or not - each individual password would be compromised/sniffed over time anyway.
I think we are basically in agreement here. My "beef" isn't with KeePass so much as people who mistakenly think that it's the magical solution to all security issues. And it clearly is not. And clearly you are not one of those people. Recommending it is fine as long as one is aware of the issues - and you did make a very good post about selecting safe passwords too!

Quote:
Originally Posted by GatorJamyn View Post
It's not that people don't understand security. It's that people work within the bounds of realistic expectations. I would love for users to have 64 character completely random passwords, but I do not expect it. I realize that the majority of people will choose something simplistic, if given the opportunity.
I do appreciate the complex issues here. The problem is how - as an admin - you can ensure that the users have safe passwords. But I guess my point is that you can't. No matter what technical measures you institute, all it takes is a misplaced sticky note, and the more "safe" practices, the more risk of such a note. I really think it's a question of educating people and telling them how easy it is to pick a secure password. Just like you did in the first part of your previous post.

Heck, I managed to teach my old dad how to choose such secure passwords, and he's about as shy of technology as anyone I've ever known.

Quote:
Originally Posted by GatorJamyn View Post
Given what I've seen at most businesses after many years consulting, using something like KeePass (for the typical user) would be a huge step forward in account security compared to their standard password strengths and patterns, and that applies pretty much anywhere and everywhere.
Unfortunately I cannot disagree with you. I'd love to - but my experience tells me that you are dead on about how much it'd be an improvement.

That just doesn't make it the right solution in my book. Sometimes there just isn't an easy way to do something. Sometimes you just have to educate people and go for the long term solution. As you said yourself "True security is never convenient".

Anyway, I think we are mostly or completely in agreement. I probably stated my opposition to KeePass (or similar) a bit too strongly because I'm tired of some people thinking that any convenient tool will absolve them of their own responsibility.
  #205  
Old 05-26-2008, 02:34 PM
skeetr's Avatar
skeetr skeetr is offline
Royal Croc
 
Join Date: Dec 2007
Location: Washington State
Posts: 432
Default Re: Forced password update!

[this is appropriate for feedback@. Not appropriate for the forums].
  #206  
Old 05-26-2008, 02:59 PM
GatorJamyn
HostGator Guest
 
Posts: n/a
Default Re: Forced password update!

Quote:
Originally Posted by skeetr View Post
I opened a reseller account on May 20th and today (6 days later) I received this email.

I truly do NOT believe that it has anything to do with any of your past employees or anything that you have explained in your original post.

If my password was good enough when I signed up, then it should be good enough now. I signed up AFTER your email first started coming out.
The intent was to have all older accounts that had never changed their password do a forced reset. Presumably, the process caught your account as well, and marked it as an account that had never done a password change, and it sounds like the account page/date check was missed. Regardless, comparisons of whether or not an original password was 'secure' enough or not can't really be done.
  #207  
Old 05-26-2008, 03:04 PM
donby donby is offline
Hatchling Croc
 
Join Date: Mar 2008
Posts: 8
Default Re: Forced password update!

I knew when I signed up several months ago that employees could view my password, which is why I didn't bother with an ultra secure one. Besides, your password character restrictions don't really allow for true strong passwords. I've never felt that HG had a very secure platform when it came to protecting passwords. Mostly because they are stored in plain text or reversible encryption. The reason I know this is because they are able to show or email my password to me, a very insecure thing to do.

I too feel that this was not handled very professionally. A written notification long before any change was instigated would have been an appropriate start. Email, any email, is suspect, especially when they discuss things of a personal nature like passwords and accounts. (And just because you call me by my name in an email still does not mean I can trust it.) Building a secure password infrastructure before forcing the change would have been more appropriate, because now I'll have to change it again once your system changes are complete.

Three questions:
Why change my password before you change from the system that allows employees to view the password?
RE: "3. We are about to launch our new billing system. The current system we use (modernbill) displays your password for every employee in the company to view."

When will you implement a system that can handle special characters in passwords?
!@#$%^&()?/><[{]}\|~ and the like.

Will we be notified when a secure password infrastructure is in place?

Don
  #208  
Old 05-26-2008, 03:40 PM
sakowski sakowski is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 1
Default Re: Forced password update!

ALL my database pages were wiped out! I only took notice after reading a post here. A reminder about databases would have been nice. Oddly enough, the databases were running OK on the old passwords for a while.

The email you sent looked very much like a phishing email and it was sent to my junk mail folder. Fortunately, I took the time to open it and then come to this forum.
  #209  
Old 05-26-2008, 04:24 PM
windy's Avatar
windy windy is offline
Hatchling Croc
 
Join Date: Dec 2006
Location: santa cruz country, Cal
Posts: 10
Default Re: Forced password update!

Quote:
Originally Posted by bodypainter View Post
So, are you saying you really don't know the exact criteria for an acceptable cPanel password?

That's what I want, it should be the easiest thing in the world to supply. How in the world can you guys not have this information? Please publish the specification just like every other professional organization I deal with.

Thanks.
They did. I am not going to spend time searching for their exact response, but it was something like this:

Unacceptable: putting any real word inside the group of characters that make up the password.
Examples:
April2008
fglovefg

Very weak: all lower case.
Thus fghjkl will probably pass but is easily cracked.

Weak: all lower case letters and a few numbers.
Example: taltuaei42 (the answer to life, the universe and everything is 42). If you added a second t you'd spell "at" in the password and it will most likely be rejected.

Strong: some upper case, some lower case, some numbers.
Example: TaLtUaEi42

Super strong: some upper case, some lower case, some symbols, some numbers.
Example: T#tL%U&Ei42

I should add that cPanel accepts 7 characters as enough for a password. It may accept 6 depending on your version of cPanel.
hope that helps
gayle
__________________
we are murphy's children
if it can go wrong it will
other cups runneth over
ours will always spill

Last edited by windy; 05-26-2008 at 05:06 PM. Reason: board added tags to each line - drives me crazier
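The scale windy describes (reject anything containing a real word, then rank by the character classes used, with a minimum length) is easy to turn into a checker, and doing so also answers psylenced's later question about an 8-character random alphanumeric password. The code below is an added example, not cPanel's checker or anything HostGator published: the word list is a constructed stand-in for whatever dictionary the real checker consults, the minimum length is set to 6 because the post says 7 but possibly 6, and the entropy estimate assumes every character was chosen at random, so it is an upper bound.

```python
"""Password policy checker modelled on the scale posted in the thread (added
example; constructed dictionary, not cPanel's real word list)."""
import math
import string
from typing import Dict, Optional

# Constructed mini-dictionary standing in for the host's real-word list.
DICTIONARY = {"april", "love", "at", "cat", "gator", "password"}
# Assumption: the post says cPanel takes 7 characters, possibly 6 on some versions.
MIN_LENGTH = 6


def contains_real_word(password: str, dictionary=DICTIONARY) -> Optional[str]:
    """Return the longest dictionary word embedded in the password, else None.
    The check is case-insensitive, so 'April2008' is caught by 'april'."""
    lower = password.lower()
    for word in sorted(dictionary, key=len, reverse=True):
        if word in lower:
            return word
    return None


def character_classes(password: str) -> Dict[str, bool]:
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def entropy_bits(password: str) -> float:
    """length * log2(size of the pool of classes used). Upper bound only:
    it assumes random choice, so 'fghjkl' (a keyboard row) is overrated."""
    c = character_classes(password)
    pool = (26 * c["lower"] + 26 * c["upper"] + 10 * c["digit"]
            + len(string.punctuation) * c["symbol"])
    return len(password) * math.log2(pool) if pool else 0.0


def rate_password(password: str) -> str:
    """Apply the posted scale in order: length, real words, then class mix."""
    if len(password) < MIN_LENGTH:
        return "unacceptable (too short)"
    word = contains_real_word(password)
    if word:
        return "unacceptable (contains '%s')" % word
    c = character_classes(password)
    if c["lower"] and c["upper"] and c["digit"] and c["symbol"]:
        return "super strong"
    if c["lower"] and c["upper"] and c["digit"]:
        return "strong"
    if c["lower"] and c["digit"] and not (c["upper"] or c["symbol"]):
        return "weak"
    if c["lower"] and not (c["upper"] or c["digit"] or c["symbol"]):
        return "very weak"
    return "weak (mix not on the posted scale)"


if __name__ == "__main__":
    for pw in ["April2008", "fglovefg", "fghjkl", "taltuaei42", "tatltuaei42",
               "TaLtUaEi42", "T#tL%U&Ei42", "k24mg1kf"]:
        print("%-12s %-32s %5.1f bits" % (pw, rate_password(pw), entropy_bits(pw)))
```

Run as-is the table reproduces windy's examples: the two with embedded words are rejected, "fghjkl" comes out "very weak", "taltuaei42" is "weak" and the extra t turns it into "unacceptable (contains 'at')". psylenced's "k24mg1kf" rates "weak" on this scale even though its entropy estimate is about 41 bits, which is the gap between a policy that counts character classes and one that measures randomness.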
  #210  
Old 05-26-2008, 05:23 PM
WallyGator WallyGator is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 1
Default Re: Forced password update!

Hi,

Can someone tell me how to change the password for my databases? Most of my sites are returning errors after the password change (similar to another poster in this thread--however, I have not been as fortunate as they with getting HG to help me fix things).

Live Chat told me to email support, so I emailed a copy of the chat transcript and also emailed a follow-up asking if that was received, but no answer as of yet, so now I'm going to brave it and try to fix my sites myself (just hope I don't mess things up further). But when I go into phpMyAdmin, I can't locate the password variable... can someone tell me how to locate it?

Thanks,
Dan
  #211  
Old 05-26-2008, 05:27 PM
GvilleRick's Avatar
GvilleRick GvilleRick is offline
Emperor Croc
 
Join Date: Jan 2007
Location: Greenville, SC
Posts: 3,128
Default Re: Forced password update!

The password is usually stored in a config file for the particular script. The name of the file can vary. If you provide details on what scripts you are running someone may be able to be more specific on where to find the info. I would suggest adding a user to the database rather than using your cPanel username so that when you change your cPanel password it does not affect your databases.
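GvilleRick's answer covers the two things a site owner in Dan's position needs: find the config file each script keeps its database password in, and stop using the cPanel login as the database user so the next forced reset cannot break the sites. The audit below is an added example, not a HostGator tool: it walks a directory of constructed sample config files, pulls out the database user and password with three assumed patterns (a `define('DB_USER', ...)` pair, `$db_user`/`$db_pass` assignments, and `user=`/`password=` lines in an ini file; real scripts vary, so add the pattern for yours), masks the passwords in its output, and flags every file whose database user is exactly the cPanel username.

```python
"""Audit script-config files for database credentials that reuse the cPanel
login (added example; sample files and credential patterns are constructed)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed credential patterns; extend this list for the scripts you run.
CREDENTIAL_PATTERNS = [
    # define('DB_USER', 'x'); define('DB_PASSWORD', 'y');
    re.compile(r"""define\(\s*['"](?P<key>DB_USER|DB_PASSWORD)['"]\s*,"""
               r"""\s*['"](?P<value>[^'"]*)['"]\s*\)"""),
    # $db_user = 'x'; $db_pass = 'y';
    re.compile(r"""\$(?P<key>db_?user|db_?pass(?:word)?)\s*=\s*['"](?P<value>[^'"]*)['"]""",
               re.IGNORECASE),
    # user=x / password=y on their own lines (ini style)
    re.compile(r"""^\s*(?P<key>user|username|password|pass)\s*=\s*(?P<value>\S+)\s*$""",
               re.IGNORECASE | re.MULTILINE),
]
CONFIG_GLOBS = ("*.php", "*.inc", "*.ini", "*.conf")

# Constructed sample tree: one site still using the cPanel login as DB user.
SAMPLE_FILES = {
    "site1/config.php": "<?php\ndefine('DB_NAME', 'dan_site1');\n"
                        "define('DB_USER', 'dan');\n"
                        "define('DB_PASSWORD', 'OldCpanelPass1');\n",
    "site2/inc/db.inc": "<?php\n$db_user = 'dan_blog';\n$db_pass = 'S3parate!Pass';\n",
    "site3/settings.ini": "[database]\nhost=localhost\nuser=dan_shop\npassword=An0ther-One\n",
}


def build_sample_tree() -> Path:
    root = Path(tempfile.mkdtemp())
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def _normalise(key: str) -> str:
    return "user" if "user" in key.lower() else "password"


def find_db_credentials(root: Path) -> Dict[Path, Dict[str, str]]:
    """Map each config file to the {'user': ..., 'password': ...} it contains."""
    found: Dict[Path, Dict[str, str]] = {}
    for pattern in CONFIG_GLOBS:
        for path in sorted(Path(root).rglob(pattern)):
            text = path.read_text(errors="replace")
            for regex in CREDENTIAL_PATTERNS:
                for m in regex.finditer(text):
                    found.setdefault(path, {})[_normalise(m.group("key"))] = m.group("value")
    return found


def _mask(secret: str) -> str:
    return "*" * len(secret) if secret else ""


def audit_db_credentials(root, cpanel_user: str) -> List[dict]:
    """One row per config file; reuses_cpanel_login is True when the DB user is
    the cPanel login itself, so a cPanel password change will break the site."""
    root = Path(root)
    rows = []
    for path, creds in find_db_credentials(root).items():
        user = creds.get("user")
        rows.append({
            "file": path.relative_to(root).as_posix(),
            "user": user,
            "password": _mask(creds.get("password", "")),   # never print the real one
            "reuses_cpanel_login": user == cpanel_user,
        })
    return sorted(rows, key=lambda r: r["file"])


if __name__ == "__main__":
    for row in audit_db_credentials(build_sample_tree(), "dan"):
        flag = "  <-- change to a dedicated DB user" if row["reuses_cpanel_login"] else ""
        print("%-22s user=%-10s password=%s%s" % (row["file"], row["user"], row["password"], flag))
```

Point it at your `public_html` with your real cPanel username to get the same report; a flagged file is one where the fix is to create a separate database user in cPanel, grant it on that database only, and update that config file, after which the cPanel password can change without touching the site.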
  #212  
Old 05-26-2008, 05:31 PM
bodypainter's Avatar
bodypainter bodypainter is offline
Hatchling Croc
 
Join Date: Nov 2004
Location: Sarasota, FL
Posts: 37
Default Re: Forced password update!

Quote:
Originally Posted by windy View Post
hope that helps
gayle
Sorry but no. I've read this and the other thread from end to end, and the info I seek isn't there. I expect I'm being ignored by the Gator* folks because they don't know the answer and don't want to admit it.
__________________
Many is the word that only leaves you guessing. I live for my dreams and a pocket full of gold.
  #213  
Old 05-26-2008, 06:06 PM
algorhythm algorhythm is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 1
Default Re: Forced password update!

This was really rather ridiculous, IMHO. My PW was strong, and only a month old. The new one I was assigned didn't work, forcing me to spend ~30m with tech support to get a new one, twice, before it worked. Why not put the onus on the user? It's our responsibility to create a strong PW.

I wear a seatbelt in my car....I've done so well before there were laws forcing me to. Lots of people still don't wear one. Forcing people to protect themselves never works.
  #214  
Old 05-26-2008, 06:51 PM
skiershorty skiershorty is offline
Hatchling Croc
 
Join Date: Apr 2008
Posts: 1
Default Re: Forced password update!

I've followed the steps that were set forth in the email and now the old password doesn't work. The new password doesn't work. I would submit a ticket but my password doesn't work. I arrive at a window that asks for a confirmation code that will arrive in an email. I closed the window to wait for the email. When I try to access that same window again, does it reset the confirmation code?

Instead of using the link in the email I should have reset the password on my own to save the frustration.
  #215  
Old 05-26-2008, 07:26 PM
windy's Avatar
windy windy is offline
Hatchling Croc
 
Join Date: Dec 2006
Location: santa cruz country, Cal
Posts: 10
Default Re: Forced password update!

skiershorty
the password was already changed when they sent you the email. The password is displayed on the page where you type the email that is associated with the cpanel and your old password. A few lines below where you typed in your old password your new password appears.
You can copy it and paste it into your login window but make sure you don't get any spaces before or after it.
Then you can change your password in your cpanel to one you like better if you wish.
You can go back to the password page and do it again and again and again and it will give you the same password every time. It is not generating one. It is giving you the one that was generated for you Friday night/Saturday morning.

bodypainter
Sorry I guess I didn't understand your question. I thought you were asking what was an acceptable password. That shows you how stupid I am. hmmm I had no problems with the password change form.

gayle
__________________
we are murphy's children
if it can go wrong it will
other cups runneth over
ours will always spill

Last edited by windy; 05-26-2008 at 07:27 PM. Reason: attempted to fix flipped letters
  #216  
Old 05-26-2008, 08:56 PM
tedsimages tedsimages is offline
Hatchling Croc
 
Join Date: Jul 2006
Posts: 14
Default Re: Forced password update!

Quote:
Originally Posted by GatorJamyn View Post
Difficult passwords can be a pain, but there are simple ways to come up with a solid password that is easy to remember. This is one method I use; lets say I needed to come up with something non-simplistic for a password. For example, I might be thinking (but do not use this example of course):

"I need a pretty secure password for my Hostgator account that is not easily guessed."

OK, let's take the first letter of each of those words:
...
While that's good advice in theory, I think the sheer proliferation of passwords and user IDs makes it useless in practice. Any regular user of Web services will accumulate an impressive collection of passwords. I just counted my own collection (in Password Safe, similar to KeePass) and it amounts to 127 user ID/password combinations. I use maybe a dozen of them regularly.

Memorizing 10 or 12 "strong" passwords that change every few months is probably beyond the capability of even the most dedicated individual. How many phrases that are not commonly known but personally meaningful can you think of right now? And how many new ones will you be able to think of after a year of creating them for, say, quarterly password changes? I'm not disagreeing with your suggestions or with the similar advice from experts on creating "strong" passwords and changing them frequently. The advice is valid, but most people find it impractical to follow.

The continual proliferation of passwords and PINs we're asked to create, memorize, and reliably reproduce when needed is rendering them useless as security devices. We will need a more reliable alternative, perhaps some sort of biometric scanner or a pocket-sized hardware "token" device tied to a biometric scanner. Until we have a technological breakthrough, we're stuck with creating and memorizing many "strong" passwords. And many of us won't be able to do that.
__________________
Visit my Virtual Light Table
www.tedsimages.com
  #217  
Old 05-26-2008, 09:39 PM
dulake dulake is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 1
Default Re: Forced password update!

I'm in the same boat as a lot of other customers it seems. This really makes me MAD.

Last edited by GatorJamyn; 05-28-2008 at 12:55 AM. Reason: Keep it civil.
  #218  
Old 05-26-2008, 10:51 PM
psylenced psylenced is offline
Baby Croc
 
Join Date: Sep 2004
Posts: 61
Default Re: Forced password update!

One of my emails has failed over the last few days, and came on here and found out why.

I'm quite upset with the contents of the email.

My password was in the format of: k24mg1kf (random numbers and letters), which you'd think would be pretty secure.
  #219  
Old 05-27-2008, 01:44 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Default Re: Forced password update!

Quote:
Originally Posted by dulake View Post
What I want now is a begging pleading on your knees APOLOGY from the person that decided to do this, even if you don't mean it.
i.e., nothing would make you happy, you just want to whine a lot and gloat rather than spending 5 minutes changing your password and moving on?
Quote:
Originally Posted by dulake View Post
A BETTER idea might have been to say "This is a reminder from HG, please remember password security is important. To avoid your account be breached please remember to change your password every few months. If you haven't changed your password yet, please do so!" There you're covered and so are your customers.
So, you haven't read the original post in this thread, or understood the whole problem then?
  #220  
Old 05-27-2008, 05:55 AM
slick slick is offline
Hatchling Croc
 
Join Date: Apr 2007
Posts: 9
Default Re: Forced password update!

Having a security crisis at hand is one thing.
  #221  
Old 05-27-2008, 06:01 AM
digitaltoast digitaltoast is offline
Junior Croc
 
Join Date: May 2008
Posts: 120
Default Re: Forced password update!

Quote:
Originally Posted by slick View Post
But telling us how your "Aunt Rose" from Florida MAY HAVE allowed security penetration and some guy being served for getting back at you, another guy being investigated by the DA for whatever is downright UNPROFESSIONAL!
Oh dear lord... can I suggest you actually read just a little of the thread? The whole point is that they sent an email out with the minimum of information, and some HG customers virtually beat them into submission to provide the full explanation they have done.
They haven't locked you out of your site, it takes all of 5 mins to change the password (at most), and the only people who've had problems are those who used the same username and password for everything (like databases etc., which is insane).
So, they post a short email saying the minimal amount they can, and people complain they are not being told everything.
They post more details, and people say they shouldn't post more details.

Tell me, what would make you happy? For Brent to personally come and give you $500 and then drop to his knees and blow you dry?
  #222  
Old 05-27-2008, 08:34 AM
supernix supernix is offline
Baby Croc
 
Join Date: May 2007
Location: USA
Posts: 91
Default Re: Forced password update!

I never thought about that before, but that does bring up a point. You would think someone smart enough to do support would be smart enough to never end up with a trojan. You would think such a person would have the best in antivirus and trojan protection. Norton is expensive but certainly cheaper than getting fired. Not to mention the freeware programs that also provide pretty good protection as well.
__________________
█ Cut Above Host
http://www.cutabovehost.com/
█ High Performance • Enterprise Servers • Premium Network
█ Great packages - Great Support - All around swell company
  #223  
Old 05-27-2008, 08:38 AM
Rockoids's Avatar
Rockoids Rockoids is offline
Royal Croc
 
Join Date: Feb 2008
Location: Scottsdale, AZ
Posts: 452
Default Re: Forced password update!

Quote:
Originally Posted by supernix View Post
I never thought about that before, but that does bring up a point. You would think someone smart enough to do support would be smart enough to never end up with a trojan. You would think such a person would have the best in antivirus and trojan protection. Norton is expensive but certainly cheaper than getting fired. Not to mention the freeware programs that also provide pretty good protection as well.
There is no such thing as 100% protection, my friend.

One reason I use a Mac.
__________________
Rock On,
Gene Steinberg
Co-Author, Attack of the Rockoids
  #224  
Old 05-27-2008, 08:42 AM
jeannedb jeannedb is offline
Hatchling Croc
 
Join Date: Feb 2006
Posts: 10
Default Re: Forced password update!

Quote:
Originally Posted by digitaltoast View Post
Oh dear lord... can I suggest you actually read just a little of the thread? The whole point is that they sent an email out with the minimum of information, and some HG customers virtually beat them into submission to provide the full explanation they have done.
They haven't locked you out of your site, it takes all of 5 mins to change the password (at most), and the only people who've had problems are those who used the same username and password for everything (like databases etc., which is insane).
So, they post a short email saying the minimal amount they can, and people complain they are not being told everything.
They post more details, and people say they shouldn't post more details.

Tell me, what would make you happy? For Brent to personally come and give you $500 and then drop to his knees and blow you dry?
Now that I've wet my pants laughing, I better go change clothes.
  #225  
Old 05-27-2008, 08:45 AM
Rockoids's Avatar
Rockoids Rockoids is offline
Royal Croc
 
Join Date: Feb 2008
Location: Scottsdale, AZ
Posts: 452
Default Re: Forced password update!

Quote:
Originally Posted by jeannedb View Post
Now that I've wet my pants laughing, I better go change clothes.
Better his female assistant, if he has one.
__________________
Rock On,
Gene Steinberg
Co-Author, Attack of the Rockoids