  #26  
Old 07-29-2008, 03:32 PM
GatorBrent GatorBrent is offline
HostGator Staff
 
Join Date: Oct 2002
Location: houston, texas
Posts: 2,977
Default Re: Password updates

Hi Dena,

Yes, your billing password is going to be different than your cpanel pw.

This change did not affect any reseller's customers.

We're getting close to completing our new billing / affiliate system. Once we have this launched and all the bugs worked out you will all see the new and improved hostgator. Better notifications, support, billing, affiliate system, integration, etc.

You'd be amazed how band aided up many of our 3rd party scripts are that we currently use.


Thank you everyone for your patience!!!
__________________
Gators love marshmallows.
Reply With Quote
  #27  
Old 07-29-2008, 03:44 PM
tribe tribe is offline
Hatchling Croc
 
Join Date: Aug 2007
Posts: 40
Default Re: Password updates

Ohh, thanks for the heads-up. I just realized after you said that my new cpanel password wasn't the same as my billing / support password.
Reply With Quote
  #28  
Old 07-29-2008, 03:52 PM
Tirelth Tirelth is offline
Hatchling Croc
 
Join Date: Jul 2007
Posts: 1
Default Re: Password updates

All I have to say is, I don't mind having to change my password, but I'm VERY unhappy that I'm going to have to come up with some completely random, nonsensical, and difficult to remember series of numbers and letters that makes no sense to me because EVERY one of my personal passwords is 'based on a dictionary word', even though NONE of them appear in any English dictionary that I know of.

I'm quite capable of ensuring that I come up with passwords that aren't going to be easy to fish out of thin air. I don't need you guys telling me I have to have a password I'm not going to remember. After all, how safe is it if I have to write it down somewhere so I can access it again?
Reply With Quote
  #29  
Old 07-29-2008, 03:53 PM
oc404 oc404 is offline
Hatchling Croc
 
Join Date: Nov 2007
Posts: 34
Default Re: Password updates

OK, no gripes, just a quick question....

I've generated a new password and logged into my WHM. On the blue horizontal menu bar, just under "WHM", I'm getting an open lock with an "insecure" designation. As much as I can recall, that has always said "secure" in the past. Can anyone tell me what's up with that? Thanks.
Reply With Quote
  #30  
Old 07-29-2008, 04:04 PM
firebugmichelle firebugmichelle is offline
Hatchling Croc
 
Join Date: Jul 2008
Location: Texas
Posts: 12
Default Re: Password updates

Thank you for the update. I considered being calm and asking if anything like this was going on, but to tell you the truth I am SICK of being forced to change my passwords! Banks, credit cards, and other companies have been forcing me to change the last few months. I hope it is not a trend that will stick around long. It makes no sense except in cases like yours where you have reason to suspect security has been compromised.

Anyhow, I apologize for taking my frustrations out on hostgator. Although - I and several other people would have been much more understanding if you had just stated the reason in your original email. ... I hope you will be a bit more upfront about stuff like this in the future.
Reply With Quote
  #31  
Old 07-29-2008, 04:06 PM
GvilleRick GvilleRick is offline
Emperor Croc
 
Join Date: Jan 2007
Location: Greenville, SC
Posts: 2,578
Default Re: Password updates

Quote:
Originally Posted by oc404 View Post
OK, no gripes, just a quick question....

I've generated a new password and logged into my WHM. On the blue horizontal menu bar, just under "WHM", I'm getting an open lock with an "insecure" designation. As much as I can recall, that has always said "secure" in the past. Can anyone tell me what's up with that? Thanks.

How are you logging into WHM? If you use https://yourdomain.com/whm it should show secure. If you log in using http://yourdomain.com/whm (http rather than https) then it will show as you describe. I'm not sure if HG forces secure mode (which is an option that can be set in root).
Reply With Quote
  #32  
Old 07-29-2008, 04:20 PM
oc404 oc404 is offline
Hatchling Croc
 
Join Date: Nov 2007
Posts: 34
Default Re: Password updates

Thanks GvilleRick - Yeah, I was logging in under http rather than the secure version. I've always used an http url in the past, and could swear it showed as "secure" in the past. Funny thing, when I try to login under the https url, I get a security certificate warning....
Reply With Quote
  #33  
Old 07-29-2008, 04:26 PM
mwinsor mwinsor is offline
Hatchling Croc
 
Join Date: Mar 2008
Posts: 1
Default Re: Password updates

Quote:
Originally Posted by ccreole View Post
Brent,

I am tired of you guys screwing with my passwords on multiple domains. I do not need Big Brother to protect me, nor do I attempt to hold Host Gator liable should I get hacked thru my own negligence.

You cause me and your staff a lot of extra work to enforce this, especially the last time when the link to change passwords myself did not work and I had to tie up one of your support staff to get things fixed.

Although I do appreciate the service provided by your company and applaud its technical merits and pricing, I'm starting to rethink my association with Host Gator or the recommendation of it due to the unilateral decision process when it comes to the administration of my domains.

Bob
Santa Fe, NM, USA

I agree with this sentiment. It's incredibly annoying. Unless you guys had a major breach of security, there's no need for this.
Reply With Quote
  #34  
Old 07-29-2008, 04:30 PM
M99 M99 is offline
Hatchling Croc
 
Join Date: Jan 2005
Location: Northern Oklahoma, USA
Posts: 5
Default Re: Password updates

Since your email addy doesn't work, I'll post the mail delivery error here.

Here's the email address you sent me:
passwords@hostgator.com

Here's the result of my response to your email:

Quote:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

pipe to | /home/gator/public_html/email/newhandle.pl
generated by passwords@tickets.hostgator.com
local delivery failed

The following text was generated during the delivery attempt:

------ pipe to | /home/gator/public_html/email/newhandle.pl
generated by passwords@tickets.hostgator.com ------

Can't call method "quote" on an undefined value at /home/gator/public_html/email/newhandle.pl line 315.

------ This is a copy of the message, including all the headers. ------


I understand your concerns about security.

I understand that one of your former employees may have taken login
information.

I don't understand why you feel you must (unilaterally) change the
passwords. Ya, ya, security. So how would a hacker that knows my password
affect the entire server? Short answer....it would not affect anything
other than my accounts. Right?

After your first message about this, I changed my password. None of my
database-driven sites would work. Seems that I would need to change all of
the config files, and the pass and permissions within mySql section. Bah.
A lot of work and every chance to screw up the whole mess.

So, now I'm faced with the same thing all over again. And, even more
frustrating, there is every chance that the same thing will happen again.
At some point you will say that your security has been breached (again) and
we'll have to reset our passwords. Bah.

I'm not a happy camper.

I suppose my only recourse is to reset the password, then wade thru the
necessary changes to the db stuff, test the sites, then move all of them to
a different hosting supplier.

Bah. I didn't sign on with hostgator, these many years now, to go thru this crap.
Reply With Quote
  #35  
Old 07-29-2008, 06:44 PM
vancleef vancleef is offline
Hatchling Croc
 
Join Date: Feb 2008
Posts: 7
Default Re: Password updates

Well, one thing you guys could do to prevent the exposure of passwords is STOP SENDING THEM IN PLAIN TEXT EMAIL MESSAGES!!!!

I was shocked when I received my first confirmation e-mail with my password included. I was stunned when I got my second one. By the time you sent me my password, in plain text via e-mail, the fourth or fifth time, I became numb.
Reply With Quote
  #36  
Old 07-29-2008, 09:27 PM
NowhereMan NowhereMan is offline
Hatchling Croc
 
Join Date: Sep 2007
Posts: 4
Default Re: Password updates

I have a question. Now that I have a 'newly generated password' can I change it to something I can remember (other than my original password, of course)?

Thank you in advance
Reply With Quote
  #37  
Old 07-29-2008, 09:31 PM
esl esl is offline
Emperor Croc
 
Join Date: Jan 2005
Location: Proud to be an American - USA
Posts: 2,184
Default Re: Password updates

Yes you may.
__________________
Have a great day,
Evan
Reply With Quote
  #38  
Old 07-29-2008, 09:35 PM
NowhereMan NowhereMan is offline
Hatchling Croc
 
Join Date: Sep 2007
Posts: 4
Default Re: Password updates

Thank you Evan
Reply With Quote
  #39  
Old 07-29-2008, 09:52 PM
esl esl is offline
Emperor Croc
 
Join Date: Jan 2005
Location: Proud to be an American - USA
Posts: 2,184
Default Re: Password updates

You are welcome. Just make sure it is hard to guess.
__________________
Have a great day,
Evan
Reply With Quote
  #40  
Old 07-29-2008, 11:23 PM
GeekBug GeekBug is offline
Hatchling Croc
 
Join Date: Jul 2008
Posts: 8
Default Re: Password updates

I know a lot of you have been upset about the password changes, but I would like to add my two cents as well.

If you are on a shared/reseller server, then your account can affect everyone else on that server. We all use the same resources on the computer. There's not one PHP program installed for every account on a computer, but just one PHP program for us all.

If an account is compromised, the infiltrator may find a hole in a script that can wipe us all out.

This has happened personally to me, where a user on my server had a poorly outdated code that was compromised by someone else that wiped all of our websites out. It was a nightmare and it took a very long time and headaches to fix. It cost me a lot of money to deal with.

So changing a password is a mere minor inconvenience compared to what other consequences I may face instead.

So ... yes you should have the right to use whatever password you want, as long as you are not sharing resources with someone else. It's sort of like our constitution. You have the right to free speech, as long as it does not infringe upon the rights of others.

But if you're sharing a server with me, you had better heck change your password.
Reply With Quote
  #41  
Old 07-29-2008, 11:34 PM
E55AMG E55AMG is offline
Hatchling Croc
 
Join Date: Jul 2008
Posts: 1
Angry Re: Password updates

Oh man, not again. It's a real pain. Did you think about people who have over 100 WHMs, how inconvenient that will be? Once a year ok fine but every couple of months, kinda scary!
Reply With Quote
  #42  
Old 07-30-2008, 12:28 AM
skeetr skeetr is offline
Royal Croc
 
Join Date: Dec 2007
Location: Washington State
Posts: 432
Default Re: Password updates

The last time this happened, I was actually affected by it. Luckily I was not affected this time.

I have to apologize to everyone that had to view my rant when it all happened last time, as I was filled with anger over having to change my password. Since that rant, I have had time to really think about it, and I must say that I am thoroughly embarrassed over my reaction. This is not something that is all that big of a deal.

I can honestly say that it is not going to happen to everyone every time so this one-time password change should not get you in an uproar. If it does, then maybe you need to take a break for just a little while, really look at the situation and then get back to business.

To HG staff: Please accept my apologies for my rant and thank you for actually deleting the rant so that more people did not need to see it. HG rocks!
Reply With Quote
  #43  
Old 07-30-2008, 06:32 AM
andrewtayloruk andrewtayloruk is offline
Hatchling Croc
 
Join Date: Jan 2008
Posts: 20
Default Re: Password updates

I understand the need to keep things secure but I've had problems since changing my password.

My new password will get me in cpanel but neither my old nor new passwords allow me to log into my main ftp account, and neither password is working with SSH either.

I had a response to one of my tickets telling me that they have now been synced but this isn't the case as it still isn't working.

This is about 16 hours since I changed the password.

Like has already been mentioned, some more notice would be nice.

Just like to add, this is the first problem I've had with you guys in around 8 months.
Reply With Quote
  #44  
Old 07-30-2008, 07:14 AM
kota069 kota069 is offline
Hatchling Croc
 
Join Date: Jul 2008
Posts: 4
Default Re: Password updates

Like the vast majority, I'm pretty honked off about it myself. I PAY for this service - Host Gator doesn't have the right to change MY password. Not once a year - not EVER.

I too have been considering buying a hosting account - not NOW!
In fact when my billing year is up I'll likely change hosts. Perhaps I can find one with a less fascist attitude/approach.

Screw Host Gator.
Reply With Quote
  #45  
Old 07-30-2008, 08:03 AM
andrewtayloruk andrewtayloruk is offline
Hatchling Croc
 
Join Date: Jan 2008
Posts: 20
Default Re: Password updates

What I'd like to know is why is hostgator using this password reset script if it isn't actually updating everyone's accounts with the new passwords?

I've been told that to get a new password I need to send over the last 4 digits of my credit card, the thing is, I have a joint credit card which my girlfriend has who I won't be seeing until the weekend.

Basically I won't be able to get a new password until I have these details. I'm sorry but this is terrible service.
Reply With Quote
  #46  
Old 07-30-2008, 08:50 AM
GatorJess GatorJess is offline
HostGator Staff
 
Join Date: Sep 2006
Posts: 110
Default Re: Password updates

Regarding Databases tied to the main cPanel user, there is a great way around this.

Create a database user in cPanel's MySQL Databases page and add that user to all of your databases. Use that specific user for the setup of the databases and in the Config files rather than tying it to your main cPanel user/pass. This way, anytime the cPanel password may be updated by you or anyone else, it would not affect any of your database connections.

******

Also, regarding those of you who have received your new password:

Once logged back in, you may update your password using cPanel's Change Password (Password Modification in WHM if a reseller). Please do not set it back to the old password for the security of your account. Please use a new password that is easy for you to remember but difficult for others to guess. ( Example: Instead of using abc123, use something like 4bC!2e )

--------------------------------

Should any of you need any assistance whatsoever with getting the new password, the new password not working, the form not working, etc., please stop by LiveChat. That's what we're here for and we're happy to do anything we can within our power to help.
Reply With Quote
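Added example, not part of the original thread and not HostGator's code: a small audit that checks whether site config files still log in to MySQL as the main cPanel account, which is the coupling the post above recommends removing before a password change. The account name, file paths, file contents and the set of recognised PHP patterns are constructed assumptions for illustration.

```python
import re

# Common ways PHP applications store the MySQL username in a config file.
# (Assumed patterns; extend the list for the applications actually in use.)
DB_USER_PATTERNS = [
    re.compile(r"""define\(\s*['"]DB_USER['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""),
    re.compile(r"""\$(?:db_?user(?:name)?|dbuname)\s*=\s*['"]([^'"]*)['"]""", re.I),
]


def db_users_in(text):
    """Return every database username assigned on a non-comment line."""
    users = []
    for line in text.splitlines():
        if line.strip().startswith(("//", "#", "*", "/*")):
            continue  # ignore commented-out settings
        for pattern in DB_USER_PATTERNS:
            users.extend(pattern.findall(line))
    return users


def audit(configs, cpanel_user):
    """Classify each config file by how it authenticates to the database.

    configs maps a path to the file's text. A file that uses the cPanel
    login itself will break when the cPanel password changes.
    """
    report = {}
    for path, text in configs.items():
        users = db_users_in(text)
        if not users:
            report[path] = "no-db-user-found"
        elif cpanel_user in users:
            report[path] = "tied-to-cpanel-login"
        else:
            report[path] = "dedicated-user"
    return report


# Constructed sample input: the account name and file contents are made up.
CPANEL_USER = "exampleacct"
SAMPLE_CONFIGS = {
    "blog/wp-config.php": (
        "define('DB_NAME', 'exampleacct_wp');\n"
        "define('DB_USER', 'exampleacct');\n"
    ),
    "shop/config.php": "$db_user = 'exampleacct_shop';\n",
    "forum/config.php": (
        "// define('DB_USER', 'exampleacct');\n"
        'define("DB_USER", "exampleacct_forum");\n'
    ),
    "static/settings.php": "$site_name = 'demo';\n",
}

if __name__ == "__main__":
    for path, status in sorted(audit(SAMPLE_CONFIGS, CPANEL_USER).items()):
        print(f"{status:22} {path}")
```

Files reported as `tied-to-cpanel-login` are the ones to move to a separate database user before the account password is rotated.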
  #47  
Old 07-30-2008, 09:59 AM
Shifty Shifty is offline
Hatchling Croc
 
Join Date: Oct 2004
Posts: 26
Default Re: Password updates

Quote:
Originally Posted by kota069 View Post
Like the vast majority, I'm pretty honked off about it myself. I PAY for this service - Host Gator doesn't have the right to change MY password. Not once a year - not EVER.

I too have been considering buying a hosting account - not NOW!
In fact when my billing year is up I'll likely change hosts. Perhaps I can find one with a less fascist attitude/approach.

Screw Host Gator.

To kota069 and mwinsor,

Try reading the thread before posting. There WAS a reason for changing the passwords ...

I'm glad HG is doing this, and is another reason why I want to stay with them.
Reply With Quote
  #48  
Old 07-30-2008, 10:04 AM
andrewtayloruk andrewtayloruk is offline
Hatchling Croc
 
Join Date: Jan 2008
Posts: 20
Default Re: Password updates

My issue has now been resolved. Sweet.

Last edited by andrewtayloruk; 07-30-2008 at 10:09 AM.
Reply With Quote
  #49  
Old 07-30-2008, 10:23 AM
volswagn volswagn is offline
Hatchling Croc
 
Join Date: Nov 2006
Posts: 6
Default Re: Password updates

Quote:
Originally Posted by GatorBrent View Post
This was not a "routine" password update. I truly believe if we had not done this your accounts would have been hacked. The last thing we want to do is waste both your and our time. This change will cost us $1,000's in employee overtime as well as another $10,000+ in customers canceling.

The problem with your password was not a problem of your security it was in fact ours. The way the 3rd party billing system we use displayed passwords was very insecure. Now that you have a new password that has never been listed in our billing system (modernbill) you are once again secure.

So once we change this password ONCE to something else, we will not be prompted to change it again in several months??

Promise?
Reply With Quote
  #50  
Old 07-30-2008, 02:34 PM
plav plav is offline
Hatchling Croc
 
Join Date: Jan 2008
Posts: 19
Default Re: Password updates

Originally Posted by GatorBrent
This was not a "routine" password update. I truly believe if we had not done this your accounts would have been hacked. The last thing we want to do is waste both your and our time. This change will cost us $1,000's in employee overtime as well as another $10,000+ in customers canceling.

The problem with your password was not a problem of your security it was in fact ours. The way the 3rd party billing system we use displayed passwords was very insecure. Now that you have a new password that has never been listed in our billing system (modernbill) you are once again secure.
-------------

I applaud you, Brent, for being so forthcoming. And I appreciate the fact that you've been proactive about addressing what you felt would certainly lead to worse trouble later. Sure, you may alienate some customers; sometimes it's not easy to do the Right Thing.

This is coming from someone that got reset despite my use of high-quality passwords. I spent some unplanned time jumping through the hoops in Live Chat. Big deal, it turned out okay in the end. And now there's another item on my to-do schedule. But WTF, if I griped every time there was something new to do, I'd never get anything done!

The use and maintenance of high-quality passwords is just one of those 'costs of doing business' (no matter if you're 'in business' or not) that we all need to shoulder to operate effectively in today's online world. We can spend an awful lot of time debating various aspects of that, but at the end of the day (and oh, how I hate that expression!) we still need to do it.

If you have trouble managing your credentials, be it because of sheer volume or whatever, I humbly suggest that you devote some serious effort toward learning how to make the task easier. For the need is certainly not going to go away any time soon. In fact, it will likely worsen. The sooner you get started, the sooner that problem will be behind you.

As for me? My methods are not perfect but they work for me, honed with many years of practice. When they are no longer effective for me then I will join you in casting about for alternatives.

Thanks for listening. And Brent, good on ya. Keep it up.
__________________
Rick
Reply With Quote