  #1  
Old 05-23-2008, 11:03 AM
nd4spd nd4spd is offline
Hatchling Croc
 
Join Date: Apr 2005
Posts: 12
Default Password change email?

I just received an email supposed to have come from Hostgator. It reads in part:

Quote:
Dear XXXX,
We've recently have done an audit of HostGator's web hosting services and have found that
many of our customers have a weak password.

In an attempt to secure your hosting further we have changed all of our customers
passwords to a randomly generated password that meets our guidelines .

In order to obtain your new password please click the following link:


https://secure.hostgator.com/password_reset/



How do you know this is from HostGator?

1. We put your name in the email.
2. Mouse over the url and it is in fact https://secure.hostgator.com
3. Try logging into your account and you will notice the password has been changed.

My question: Did you really send this? Reason being, the person it was sent to is not me (not even close). Also, what's to ensure everyone sees this email? Wouldn't an announcement or a message on the login screen be more appropriate?

Regards,
Aaron
Reply With Quote
  #2  
Old 05-23-2008, 11:06 AM
csl csl is offline
Hatchling Croc
 
Join Date: Jun 2005
Posts: 4
Default Re: Password change email?

Yep, I got this -- currently chatting to support about it.
Reply With Quote
  #3  
Old 05-23-2008, 11:08 AM
nd4spd nd4spd is offline
Hatchling Croc
 
Join Date: Apr 2005
Posts: 12
Default Re: Password change email?

Let me know how that works out. Frankly, this was a really poor way to handle something like this.
Reply With Quote
  #4  
Old 05-23-2008, 11:15 AM
csl csl is offline
Hatchling Croc
 
Join Date: Jun 2005
Posts: 4
Default Re: Password change email?

Okay -- filled in the form, and although nothing appeared to happen, I then received a new password via email. Not a very clear process though -- I couldn't tell if the form had worked or not.
Reply With Quote
  #5  
Old 05-23-2008, 11:15 AM
Papajin Papajin is offline
Hatchling Croc
 
Join Date: Mar 2005
Posts: 2
Default Re: Password change email?

I received one as well, and agree whole-heartedly. Unless there was some pressing reason to make an emergency password change, you don't just go and make a change spur of the moment without letting folks know. Would an email a week in advance have been so hard?

Hostgator is no longer some tiny host being run out of a dorm room (I hope) any longer -- let's start seeing some customer service that indicates this is the case... It shouldn't take a genius to see that a change like this is going to impact a HUGE number of people and realize it would be wise to give them a small amount of time to both prepare for the change as well as let us all know it's not a scam email in advance.

It appears to be valid btw. I can't get into my control panel or the main ftp account with the old password. I browsed the email source as well and it appeared to be valid - all links pointed where they should have.
Reply With Quote
  #6  
Old 05-23-2008, 11:23 AM
nd4spd nd4spd is offline
Hatchling Croc
 
Join Date: Apr 2005
Posts: 12
Default Re: Password change email?

Papajin,

Yes, I checked source and links as well. And you are correct, this is NOT the way to handle it. Besides, if they want secure they shouldn't be sending passwords via email anyway.

Nice job HG. Throw this right before a (US) holiday weekend. Thanks.
Reply With Quote
  #7  
Old 05-23-2008, 12:21 PM
gwyneth gwyneth is offline
Supreme Croc
 
Join Date: Sep 2006
Location: up north
Posts: 6,843
Default Re: Password change email?

Quote:
Originally Posted by nd4spd View Post
Papajin,

Yes, I checked source and links as well. And you are correct, this is NOT the way to handle it. Besides, if they want secure they shouldn't be sending passwords via email anyway.

Nice job HG. Throw this right before a (US) holiday weekend. Thanks.

This thread appears to have prompted an announcement in the Host Gator Announcement category...which would be both after the fact and unnoticed by many customers.

The "all customers" bit is followed by "if yours has been reset..." which at the least is contradictory.

If it's really ALL customers, I predict massive unintended consequences and support traffic jams...very poorly thought out, if ALL were changed at once.
Reply With Quote
  #8  
Old 05-23-2008, 01:03 PM
Serra Serra is offline
Veteran Croc
 
Join Date: Feb 2005
Location: Orange Park, FL
Posts: 5,073
Default Re: Password change email?

Quote:
Originally Posted by nd4spd View Post
Yes, I checked source and links as well. And you are correct, this is NOT the way to handle it. Besides, if they want secure they shouldn't be sending passwords via email anyway.

Nice job HG. Throw this right before a (US) holiday weekend. Thanks.

I'm fairly sure that Brent didn't wake up this morning and say, "Hey, let's just screw everyone!". I imagine there is a good reason they are doing this.

Edit: I'm guessing that the system will not accept crap passwords any more too.
__________________
Six stages of Dedi Ownership

Fashionable broken link
image included

Last edited by Serra; 05-23-2008 at 01:07 PM.
Reply With Quote
  #9  
Old 05-23-2008, 02:57 PM
nd4spd nd4spd is offline
Hatchling Croc
 
Join Date: Apr 2005
Posts: 12
Default Re: Password change email?

Quote:
Originally Posted by Serra View Post
I'm fairly sure that Brent didn't wake up this morning and say, "Hey, let's just screw everyone!". I imagine there is a good reason they are doing this.

Edit: I'm guessing that the system will not accept crap passwords any more too.

I'm sure he didn't. However the lack of testing or notification bothers me. I've received 3 or 4 of these notices and not ONE has had the correct name on it. In my opinion it is just slack and not well planned out.
Reply With Quote
  #10  
Old 05-23-2008, 03:02 PM
nd4spd nd4spd is offline
Hatchling Croc
 
Join Date: Apr 2005
Posts: 12
Default Re: Password change email?

Oh, this is great security. Since I've several domains under one account email address it has set the passwords for multiple accounts to the same password! I hardly see how this is secure.

For example:
email_address@tld.com
|__> www.account1.com
|__> www.account2.com

Reset password for account 1, password works for account 1 AND 2
Reply With Quote
  #11  
Old 05-23-2008, 03:29 PM
gwyneth gwyneth is offline
Supreme Croc
 
Join Date: Sep 2006
Location: up north
Posts: 6,843
Default Re: Password change email?

Quote:
Originally Posted by Serra View Post
I'm fairly sure that Brent didn't wake up this morning and say, "Hey, let's just screw everyone!". I imagine there is a good reason they are doing this.

Edit: I'm guessing that the system will not accept crap passwords any more too.

Of course he didn't. But "all" is a pretty big genie to let out of a bottle...at both ends (the customers and HG support).

Presumably this means even folks with secure passwords got changed?
Reply With Quote
  #12  
Old 05-23-2008, 07:10 PM
Serra Serra is offline
Veteran Croc
 
Join Date: Feb 2005
Location: Orange Park, FL
Posts: 5,073
Default Re: Password change email?

Quote:
Originally Posted by gwyneth View Post
Presumably this means even folks with secure passwords got changed?

As I pointed out in the other thread, HG can't know what people's cPanel passwords are, they aren't recoverable. Discovering that HG could determine people's cPanel passwords would be enough to send me into a coma, as that would mean that cPanel has a major security flaw. (Not like it doesn't have one every other week, but we've had this week's flaw already, haven't we?)
__________________
Six stages of Dedi Ownership

Fashionable broken link
image included
Reply With Quote
  #13  
Old 05-23-2008, 07:43 PM
Kazper Kazper is offline
Hatchling Croc
 
Join Date: May 2008
Location: Denmark
Posts: 24
Default Re: Password change email?

Argh. I HATE companies and programs that try to tell me what a secure password is. I have a 12 digit long pwd with a combination of upper and lowercase, numbers and special chars. And it STILL rejects it because apparently 4 of those letters (mixed case) put together forms a "dictionary" word in English.

Quite aside from the spelling errors, the phishing similarities, the WRONG name in the mail, and the requirement of apparently using my first pwd - that simple fact is enough to aggravate me to hell and back. I get enough of that crap from the sysadmins at my work that force you to use 5 different pwds with varying demands.

Way to mess things up!
Reply With Quote
  #14  
Old 05-23-2008, 10:21 PM
wllow wllow is offline
Hatchling Croc
 
Join Date: Jul 2004
Posts: 1
Default Re: Password change email?

I have to agree. If you want to convince someone that this is not a phishing email, at least get the customer's name right. And FYI, just "mousing over the URL" isn't proof enough that the URL is not faked - with HTML email, Javascript, AJAX, and all that dynamic stuff, you cannot trust that to be right. Add to it the fact that I'm seeing the email come from "HostGator@yahoo.com" (I received this at my Yahoo! email) doesn't increase my confidence either.
Reply With Quote
  #15  
Old 05-23-2008, 10:47 PM
Grumpy Grumpy is offline
Hatchling Croc
 
Join Date: Sep 2004
Posts: 11
Default Re: Password change email?

sticky thread on this
http://forums.hostgator.com/showthread.php?t=33155
Reply With Quote
All times are GMT -5.