HostGator Peer Support Forums > HostGator Announcements > General Announcements
#1
07-28-2008, 07:12 PM
GatorBrent
HostGator Staff
Join Date: Oct 2002
Location: houston, texas
Posts: 2,977
Password updates

Yesterday, some HostGator customers might have received an email that looked like this:

"Dear Customer,

As you are aware, we did password resets a couple of months ago to
ensure account security.

We recently did another scan and found that your current password
matches the password that you used during signup. To ensure security, we
are resetting the passwords of all accounts that currently utilize the
same password as when they signed up.

You may change your password to anything you'd like as long as it does
not match your original password. We will continue scanning passwords on
a daily basis and resetting those that match the original password used
during signup.

This change affects your (( account )) on our (( server )) server.

In order to quickly and easily obtain your new password, please click on
the following link:

https://secure.hostgator.com/password_reset/

Please remember to continue using a password that is different from the
password you used during signup. Otherwise, it will be reset again.

If you have any questions or problems, we will do all that we can to
assist you. Please direct all support inquiries related to this or any
password concern to passwords@hostgator.com. Submitting your questions
to this email will ensure that you are assisted by representatives
trained and able to assist you with password issues.

To ensure these changes go as smoothly as possible, we are increasing
our staffing and having employees work overtime. However, it is more
than likely that you will experience some delay when contacting us over
the next few days. You can rest assured that we will be working as hard
as we can to ensure this delay is minimal and that you are given the
service and support you are used to.

We appreciate your patience and cooperation.

Best regards,

HostGator.com"

This email is legitimate. We are sending it out to customers who we feel may be at risk for having their accounts hacked.

If you received this email, it is critical to follow the advice in this email and to reset your password. Doing so will ensure your account will remain safe and secure.

Do not change your password back to what it used to be. If you do this, it will be reset once again. Please choose a new password that is both secure and unique.

If you have any questions, please do not hesitate to contact us. We have set up a special support queue (passwords@hostgator.com) for this issue and have extra staff standing by ready and willing to assist you. There may be a delay, but if you remain patient, you will receive a reply in a timely manner.

Thank you for your cooperation. We apologize about the inconvenience.
__________________
Gators love marshmallows.

#2
07-28-2008, 07:46 PM
esl
Emperor Croc
Join Date: Jan 2005
Location: Proud to be an American - USA
Posts: 2,184
Re: Password updates

I am in the USA and have an IP address that is for a city less than 30 miles from my house. I receive the following message:

Quote:
We're sorry, but we're unable to process your request at this time. This may be due to one of the following reasons:

Unusually high rate of fraud or chargebacks: You may be located in an area that has consistently used fraudulent/stolen credit cards, or filed chargebacks on a regular basis. When a specific location has an extremely high percentage of fraudulent/stolen signups, it is no longer viable for us to continue to offer service to that area.

Embargo restrictions: If you are currently located in Iran, or another country with an active US embargo, we are unable to process your request due to federal law.

Using a proxy: You may appear to be using a proxy to visit the order form, or otherwise attempting to mask your true location/IP. In this case, visiting the order form without using a proxy may resolve the issue.

We apologize if you have been impacted by these restrictions, but in an effort to continue to keep our costs low and comply with federal law, we must take appropriate measures to maintain a pleasant hosting experience for everyone. Thank you for your understanding.
__________________
Have a great day,
Evan

#3
07-28-2008, 10:09 PM
esl
Emperor Croc
Join Date: Jan 2005
Location: Proud to be an American - USA
Posts: 2,184
Re: Password updates

It works now. Thanks Dave C!
__________________
Have a great day,
Evan

#4
07-29-2008, 06:31 AM
ccreole
Hatchling Croc
Join Date: May 2006
Posts: 1
Re: Password updates

Brent,

I am tired of you guys screwing with my passwords on multiple domains. I do not need Big Brother to protect me, nor do I attempt to hold Host Gator liable should I get hacked thru my own negligence.

You cause me and your staff a lot of extra work to enforce this, especially the last time when the link to change passwords myself did not work and I had to tie up one of your support staff to get things fixed.

Although I do appreciate the service provided by your company and applaud its technical merits and pricing, I'm starting to rethink my association with Host Gator or the recommendation of it due to the unilateral decision process when it comes to the administration of my domains.

Bob
Santa Fe, NM, USA

#5
07-29-2008, 07:52 AM
dlmtechnology
Hatchling Croc
Join Date: Mar 2007
Posts: 1
Re: Password updates

Quote:
Originally Posted by ccreole View Post
Brent,

I am tired of you guys screwing with my passwords on multiple domains. I do not need Big Brother to protect me, nor do I attempt to hold Host Gator liable should I get hacked thru my own negligence.

You cause me and your staff a lot of extra work to enforce this, especially the last time when the link to change passwords myself did not work and I had to tie up one of your support staff to get things fixed.

Although I do appreciate the service provided by your company and applaud its technical merits and pricing, I'm starting to rethink my association with Host Gator or the recommendation of it due to the unilateral decision process when it comes to the administration of my domains.

Bob
Santa Fe, NM, USA

I second this statement! It is my damn password, and if it is insecure, it is my own damn fault and responsibility, not HostGator's to change it.

#6
07-29-2008, 08:00 AM
JGarrido
Hatchling Croc
Join Date: Jun 2008
Posts: 2
Re: Password updates

Agreed, very inconvenient. Now how do I go about changing the password myself to something I could actually remember?

#7
07-29-2008, 08:06 AM
mxk.com
Hatchling Croc
Join Date: Jul 2008
Posts: 1
Re: Password updates (post icon: Negative)

Well, I'm not thrilled with the password changes either.
It's a real pain in the ass.

HG's response may have something to do with security of their ((server)) if someone hacks your ((account)).

Frankly, if this is the case, I'd be a little worried about overall security.

#8
07-29-2008, 08:27 AM
CrazyMan72
Baby Croc
Join Date: Apr 2008
Location: South Porcupine
Posts: 55
Re: Password updates

I have a fairly strong password that I signed up with. It's hard to guess; it's the hardest password I own, at least 8 letters and extra characters, and I don't think I need to change... The ones that should change are the ones with less than 6 letters in a standard word pattern.

#9
07-29-2008, 08:34 AM
JGarrido
Hatchling Croc
Join Date: Jun 2008
Posts: 2
Re: Password updates

Now I'm not able to log in at all; the server is timing out on me. And this comes just a short while after my server was taken down for RAID array maintenance on the 19th without any prior email or phone notification. The only notice provided was in the form of a forum post (like this one), as if my clients and I sit around all day monitoring the forums. HostGator has really been a disappointment lately.

#10
07-29-2008, 08:36 AM
quietFinn
Emperor Croc
Join Date: Feb 2005
Posts: 2,765
Re: Password updates

Quote:
Originally Posted by CrazyMan72 View Post
I have a fairly strong password that I signed up with. It's hard to guess; it's the hardest password I own, at least 8 letters and extra characters, and I don't think I need to change... The ones that should change are the ones with less than 6 letters in a standard word pattern.

For me it seems quite obvious that they don't want you to use the password you used when you signed up because they either know, or at least suspect, that those passwords are leaked.
If that is the case then the strength of the password does not help.
__________________
quietFinn - netFinn Finland
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss

#11
07-29-2008, 08:43 AM
stefrose
Hatchling Croc
Join Date: Feb 2008
Posts: 3
Re: Password updates

I really hate the password changes.

First, I hate that it was changed without my permission.

Then, when I try to change it to something I'd actually remember, I get the message that it's a dictionary word. Then it's too short. Then it doesn't have enough different characters. This is ridiculous!

I don't want some password to be some random string of characters.

I want the password of my choice!

#12
07-29-2008, 08:49 AM
toonces51
Hatchling Croc
Join Date: Oct 2006
Posts: 2
Re: Password updates

So how do we change our password, since HG support doesn't seem to be able to get back to us as timely as I'd like since they're swamped with people upset about this?

#13
07-29-2008, 08:52 AM
toonces51
Hatchling Croc
Join Date: Oct 2006
Posts: 2
Re: Password updates

Never mind... I guess I figured it out.

#14
07-29-2008, 09:19 AM
esl
Emperor Croc
Join Date: Jan 2005
Location: Proud to be an American - USA
Posts: 2,184
Re: Password updates

I don't see what is so hard about changing a password... small potatoes, big potatoes.
__________________
Have a great day,
Evan

#15
07-29-2008, 09:30 AM
striddy
Emperor Croc
Join Date: Mar 2008
Location: /home/australia/earth
Posts: 2,669
Re: Password updates

There's no way I can remember my hundred + passwords that use varying case letters, numbers and other characters, so I use Roboform on Windows. Some people use Keepass. And there's 1Passwd for Mac users.
__________________
- David

#16
07-29-2008, 11:31 AM
TT1
Hatchling Croc
Join Date: Oct 2006
Posts: 6
Re: Password updates

You guys sure work hard to piss your customers off. Your "password reset" page doesn't work, so I'll sit here on hold until I can waste a support tech's time with this nonsense.

Seriously, do you guys sit in meetings thinking up ways to make customers jump through hoops just to maintain their service?

Shame on you for this stupidity.

#17
07-29-2008, 11:34 AM
smeallum
Hatchling Croc
Join Date: Sep 2007
Posts: 2
Re: Password updates

Hi.

I am a reseller. I reset my password through the form mentioned in the email I received. I logged in to my Cpanel's main account with that newly created password and changed it to one of my choice by clicking in CPanel's "Change password" icon, ok.

Are my customers affected by this? Are their CPanel passwords reset as well?

It is of crucial importance for me to know whether that is the case or not.

Thanks.

Last edited by smeallum; 07-29-2008 at 11:37 AM.

#18
07-29-2008, 12:04 PM
Shifty
Hatchling Croc
Join Date: Oct 2004
Posts: 26
Re: Password updates

Quote:
Originally Posted by dlmtechnology View Post
I second this statement! It is my damn password, and if it is insecure, it is my own damn fault and responsibility, not HostGator's to change it.

Actually, if you're on a shared server with hundreds of other customers, you are impacting their websites as well if you get hacked. I would be quite upset if there was serious downtime or, worse, I lost information if another user on the same server was using an insecure (or duplicate) password.

Anyways, it's always wise to change passwords periodically. A decent system is to use a variation of a (non-dictionary) word for each website, but with slight change. For example, always use the word GTPfran55, then append a couple letters corresponding to the website you're visiting. Hostgator = GTPfran55ho. Slashdot = GTPfran55sl. Google = GTPfran55go. etc. etc.

Easy to remember, and more secure than using the same password for each website. I also use Keepass, which is indispensable for remembering passwords and usernames I rarely use. FYI.

#19
07-29-2008, 12:46 PM
firebugmichelle
Hatchling Croc
Join Date: Jul 2008
Location: Texas
Posts: 12
Re: Password updates (post icon: Thumbs down)

I have tried several hosts over the years. For the most part, HostGator is #1 in my book when it comes to combining prices and service. Until today - I only had two complaints about you and they were fairly minor. But this is a BIG one.

I can understand setting rules to password creation. Perhaps not allow anyone to have a 'weak' password to start with. But is it really that bad to let people keep the passwords that they signed up with? I chose a unique password for hostgator that I do not use anywhere else. It follows a system of passwords that are easy for me to remember but near impossible for someone else to guess. ... I am responsible when it comes to my password creation. But when you force me to change, I am tempted to pick easier to remember passwords.

Yes - security is important. But I do not approve of this method. It would be better to assign random at signup and send an email giving people their password, explaining why it is important to select a secure password, and then giving them directions to change the password if they want. ... And in the event that you feel like you HAVE to reset passwords like this - Why can't you send out an email a few days ahead of time and warn us? I would have already changed my password if I got a warning email.

I am so frustrated because I know why this has to be done. It's because of the people who take security too lightly and mess it up for the rest of us. I have a reseller account, but I refuse to sell space to people I don't personally know and trust because I don't want to take a chance of letting someone bad on a shared server. ... I am a secure person and I think this stinks! I don't log on from public computers, I keep my virus and spyware protection up to date, and if at any time I am even slightly suspicious someone else may have gotten hold of my password(s) - I change them IMMEDIATELY from a secure computer.

#20
07-29-2008, 12:56 PM
jgoforth
Hatchling Croc
Join Date: Jul 2008
Posts: 1
Re: Password updates

This is utterly ridiculous.

  1. I was given no warning or asked to change my password. It was simply changed and I was locked out until it was dealt with.
  2. Forcing people to change passwords often does nothing to increase security. It only stops people who have already stolen a password. In fact, it usually decreases password strength since users have to remember a new password.
  3. The fact that it is a shared server means almost nothing. Someone will not be able to do any more harm by breaking into my account than could be accomplished by paying for a single month of service. If their security is not sufficient to keep paying customers from hurting each other, then keeping people from gaining unauthorized access to cPanels isn't going to do anything.
  4. The password validator is broken. It seems to be complaining of using dictionary words because the password ends in a dictionary word. For example, 5e$stone will fail because it is based on a dictionary word, when in fact, it just ends with a dictionary word. How is that any more secure than 5e$stonr which does work?

As far as I am concerned this isn't doing anything but pissing off your customers. I didn't like the idea of HostGator automatically changing to PHP5 and then messing with my files, and in the process reducing their services since some things still require PHP4. I didn't like it, but I understood wanting to move on. But I am starting to see a pattern here of willful disregard for customers. I had been considering opening a reseller account since I have plenty of customers who need hosting, but at this point, I am not sure I want to even host here myself.

#21
07-29-2008, 01:44 PM
GatorBrent
HostGator Staff
Join Date: Oct 2002
Location: houston, texas
Posts: 2,977
Re: Password updates

This was not a "routine" password update. I truly believe if we had not done this your accounts would have been hacked. The last thing we want to do is waste both your and our time. This change will cost us $1,000's in employee overtime as well as another $10,000+ in customers canceling.

The problem with your password was not a problem of your security; it was in fact ours. The way the 3rd party billing system we use displayed passwords was very insecure. Now that you have a new password that has never been listed in our billing system (modernbill), you are once again secure.
__________________
Gators love marshmallows.
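
The rule described in this thread (a new password may not match the signup password, and accounts still on the signup password are flagged) can be enforced while storing only salted hashes, so nothing displayable ever exists. This is an added example, not HostGator's or ModernBill's code; the `Account` class, the function names and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def matches(password, record):
    """Constant-time check of a candidate password against a stored record."""
    salt, expected = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


class Account:
    """Hypothetical account row: only salted hashes are stored, never plaintext."""

    def __init__(self, signup_password):
        self.signup_record = hash_password(signup_password)
        self.current_record = self.signup_record

    def login(self, password):
        return matches(password, self.current_record)

    def change_password(self, new_password):
        # Refuse a change back to the signup password by re-hashing the
        # candidate with the signup salt; the plaintext is never kept.
        if matches(new_password, self.signup_record):
            return False
        self.current_record = hash_password(new_password)
        return True


def still_on_signup_password(account):
    """Scan-style check that needs no plaintext: the stored record is
    byte-for-byte unchanged since signup. Changing back is already refused
    in change_password, so an unchanged record is the only remaining case."""
    return account.current_record == account.signup_record
```
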

#22
07-29-2008, 02:16 PM
Dena
Hatchling Croc
Join Date: Jan 2008
Posts: 6
Re: Password updates

Thanks Brent! I have a question... I just got the email and got my new password via generator then changed it to another that is random and secure. That password did work on my cpanel, checked it out. I needed to update my cc in the billing section, as for some reason last month, my auto bill did not work. When I tried to login to billing, my new password did not work!

So I used the password emailer THERE to send me the password by email. It is different than any I have seen. It's not my original. It's not the one made by the generator and it's not the same one I made in Cpanel.

So, is this going to be a different one from now on for billing? Different than regular login? Thanks!

Dena

#23
07-29-2008, 02:23 PM
acaby
Hatchling Croc
Join Date: Jul 2008
Posts: 3
Re: Password updates (post icon: Angry)

I really do not know what the big deal is with all the complaining. Hostgator is only working in our best interest. SO WHAT if you have to change your passwords. Any browser worth its salt, i.e. Firefox, will ask you if you want the password remembered anyway so you will not have to type it in. If that doesn't work for you, put them in a rolodex for goodness sake and quit complaining. If you cannot do that, then go out and see if you can find a host that offers you what you have now for the price (G-O-O-D L-U-C-K).
Just an opinion from a VERY satisfied customer.
Arthur

#24
07-29-2008, 02:34 PM
RainbowViper
King Croc
Join Date: Mar 2008
Location: St Paul MN
Posts: 813
Re: Password updates

Brent's first post, and then his followup, is one reason I'm using Hostgator and plan to keep doing so.

His willingness to expose Hostgator's "warts" while being forthright with his customers, rather than retreat behind obfuscating lawyer-speak or say nothing at ALL, is damned refreshing in today's business world.

And acaby is right. There are many ways to keep your passwords both secure AND easily retrievable.

Oh, and I should add, I've had to change a few of my passwords as well. And gladly so, to make them more secure.

#25
07-29-2008, 03:22 PM
tribe
Hatchling Croc
Join Date: Aug 2007
Posts: 40
Re: Password updates

It's inconvenient, but in the end it's for our own good. I would have liked a warning e-mail a couple days before though. Like at work, we get reminder e-mails every day for 15 days before our password expires so at least we have a grace period to change it ourselves.

Different passwords are a real pain to remember and typical password policies make it even more difficult to remember them so you wind up writing them down anyways. Why can't passwords be answers to security questions like long sentences (with spaces)? Those are a little easier to remember and the words actually mean something.

All times are GMT -6.