  #1  
Old 07-08-2008, 04:24 PM
Jse2015 Jse2015 is offline
Hatchling Croc
 
Join Date: Dec 2007
Posts: 5
Default Support staff should not ask for my password

I called support since I've opened a ticket online and haven't had a response in 3 hours.

When I called support I was told there was nothing she could do for me without logging into my cpanel with my password. When I said I was uncomfortable with this and that most companies will tell you their support will never ask for your username/password, she responded "we don't send that out".

I'm uncomfortable giving out my password and I suggest a system where support does not ask you to give it out.
  #2  
Old 07-08-2008, 04:30 PM
GatorZach
HostGator Guest
 
Posts: n/a
Default Re: Support staff should not ask for my password

Well, the thing is, if we keep a system of passwords, the customer will probably change it and not update us to keep a password on file. cPanel is funny about access to certain things, and sometimes we must have the current password to directly log into your cPanel to do it. Your representative was correct, we never disclose your password to anyone. We have the ability to reset your password if need be, but rather than do that, we prefer to obtain your authorization directly by asking for your password. We also apologize for the long wait on your support request. What is your ticket number, so we can resolve whatever issue you are having?
  #3  
Old 07-08-2008, 04:46 PM
Jse2015 Jse2015 is offline
Hatchling Croc
 
Join Date: Dec 2007
Posts: 5
Default Re: Support staff should not ask for my password

The ticket number is DCQ-2782716. If you could look into it, I'd really appreciate it. I've missed a number of emails today.

Thanks again.
  #4  
Old 07-09-2008, 09:58 AM
softwarecandy softwarecandy is offline
Swamp Croc
 
Join Date: May 2008
Location: Vermont, USA
Posts: 342
Lightbulb Re: Support staff should not ask for my password

Quote:
Originally Posted by Jse2015 View Post
I'm uncomfortable giving out my password and I suggest a system where support does not ask you to give it out.
In this context (only) you should be comfortable giving out your password because otherwise it would mean that your password is accessible to anyone in the support team... When asked for your password, be prepared to change it immediately after the tech support professional has finished handling your case (and do so!). Large financial institutions use this same exact method.
  #5  
Old 07-09-2008, 03:14 PM
nathangrubb nathangrubb is offline
Hatchling Croc
 
Join Date: Jul 2008
Posts: 16
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by softwarecandy View Post
When asked for your password, be prepared to change it immediately after the tech support professional has finished handling your case
Wouldn't it make more sense to change it before they access it, give them the changed password, then change it back?
  #6  
Old 07-09-2008, 03:38 PM
GatorZach
HostGator Guest
 
Posts: n/a
Default Re: Support staff should not ask for my password

Yes, that would make more sense.
  #7  
Old 07-09-2008, 03:58 PM
cleanxhost cleanxhost is offline
Royal Croc
 
Join Date: Sep 2007
Location: Costa del Sol - Spain
Posts: 556
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by nathangrubb View Post
Wouldn't it make more sense to change it before they access it, give them the changed password, then change it back?
Same thing really...
  #8  
Old 07-09-2008, 04:54 PM
gwyneth gwyneth is offline
Supreme Croc
 
Join Date: Sep 2006
Location: up north
Posts: 6,843
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by Jse2015 View Post
When I called support I was told there was nothing she could do for me without logging into my cpanel with my password. When I said I was uncomfortable with this and that most companies will tell you their support will never ask for your username/password, she responded "we don't send that out".

I'm uncomfortable giving out my password and I suggest a system where support does not ask you to give it out.
Perhaps a little reflection will make you feel better about the HG practice.

First, it's a shared server anyway and HG can get at anything it wants if it really needs to. It's sort of like living in an apartment complex: whether the maintenance folks use a master key or a copy of yours, they can get in. And like an apartment lease, you're supposed to let them have a copy of a key if you get additional locks. The TOS here, for instance, calls for dedicated account holders to keep HG updated when their root passwords change.

That's why the "most companies" doesn't ordinarily include firms selling server space. Also, I think a little research would indicate that the "we never ask for passwords" is usually appended with something to the effect of, we don't email you or call you up and ask for the password. Those policies aren't about keeping legitimate personnel out--they're worded that way so you know that someone calling or emailing you who asks for the password is not a legitimate employee and therefore running a scam.

In short, if you don't trust your hosting firm with your password, you shouldn't trust it to have your account.

As suggested, you can (and are encouraged to) change your password after the support request.
  #9  
Old 07-09-2008, 05:12 PM
GvilleRick GvilleRick is offline
Emperor Croc
 
Join Date: Jan 2007
Location: Greenville, SC
Posts: 3,130
Default Re: Support staff should not ask for my password

I worked for a host that used cPanel and the most common thing that delayed ticket responses was the user refusing to provide a password (or giving the wrong one.) Requiring the password was there, in theory at least, for a few reasons. One was that it was a quick way of verifying that the ticket submitter was the site owner. If they didn't know the password we required other information such as the last 4 digits of the credit card to verify ownership (which had to be verified by another department causing further delays.)

Another reason for having the password was to be able to reproduce the error by logging in just as the user would rather than using the root password. In addition, all techs didn't have root passwords so they could not do anything really without the password. If the problem was something they couldn't handle or that required server access then the ticket was passed to another tech.

Another factor is that some features in cPanel require the user password and the root password or WHM password will not work.

I'm not as good with the analogies as Gwyneth but I see not providing the password on par with dropping off your car at the shop and refusing to leave the keys. Sure, the techs could probably hotwire it to check it out but why should they have to jump through more hoops?
  #10  
Old 07-09-2008, 05:26 PM
gwyneth gwyneth is offline
Supreme Croc
 
Join Date: Sep 2006
Location: up north
Posts: 6,843
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by GvilleRick View Post
I'm not as good with the analogies as Gwyneth but I see not providing the password on par with dropping off your car at the shop and refusing to leave the keys. Sure, the techs could probably hotwire it to check it out but why should they have to jump through more hoops?
In addition to your informative post, Rick, that's a much better analogy than my apartment complex/keys one.

It makes me laugh just thinking about how the car repair place would look at you.
  #11  
Old 07-09-2008, 06:12 PM
ViragoTech ViragoTech is offline
Junior Croc
 
Join Date: Jul 2007
Posts: 170
Default Re: Support staff should not ask for my password

It's still unnerving since the password forced changes a month or so back when they said an ex employee could have been trying to get into things. I myself paused for a min before I gave it to live chat.
  #12  
Old 07-09-2008, 11:37 PM
vince vince is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 23
Default Re: Support staff should not ask for my password

They store it in plain text anyway. That's how it's emailed to you on pretty much every single account change.

My observation is that security is not a priority at HG. If you need high security you chose the wrong host. Just look at the 'ex employee made off with our password DB' thread. Awesome that they admitted the potential for breach, however they're still emailing passwords.

Time for some one way hashes HG.
  #13  
Old 07-10-2008, 03:08 AM
fused0ne fused0ne is offline
Hatchling Croc
 
Join Date: Jun 2008
Posts: 34
Default Re: Support staff should not ask for my password

I thought HG already had access to our passwords, I had purchased a domain through HG and asked for access to it via the HG Domain manager, and they told me they set the password for me to use the Domain manager to the same password I used for Cpanel. Now I did not give them the password for my cpanel, so the tech had to have already been able to get it. It didn't occur to me that perhaps they should not already have access to it. Thanks to the original poster of this thread, it made me think. Now it makes me wonder who can see my password.
  #14  
Old 07-10-2008, 08:07 AM
GvilleRick GvilleRick is offline
Emperor Croc
 
Join Date: Jan 2007
Location: Greenville, SC
Posts: 3,130
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by vince View Post
They store it in plain text anyway. That's how it's emailed to you on pretty much every single account change.

My observation is that security is not a priority at HG. If you need high security you chose the wrong host. Just look at the 'ex employee made off with our password DB' thread. Awesome that they admitted the potential for breach, however they're still emailing passwords.

Time for some one way hashes HG.
The passwords are stored in ModernBill, the billing software that HG uses right now and is working on changing. I would not expect the techs to have access to that program so they would not have access to passwords.

Many hosts, especially budget hosts, use the software that HG uses or has used. HG takes security as seriously (if not more so) than other hosts that offer similar packages. I personally don't have a problem with them emailing me my password when the account is set up, etc. I always go in and change it at that point.
  #15  
Old 07-10-2008, 11:18 AM
skeetr skeetr is offline
Royal Croc
 
Join Date: Dec 2007
Location: Washington State
Posts: 432
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by fused0ne View Post
I thought HG already had access to our passwords, I had purchased a domain through HG and asked for access to it via the HG Domain manager, and they told me they set the password for me to use the Domain manager to the same password I used for Cpanel. Now I did not give them the password for my cpanel, so the tech had to have already been able to get it. It didn't occur to me that perhaps they should not already have access to it. Thanks to the original poster of this thread, it made me think. Now it makes me wonder who can see my password.
It is my understanding that HG only has access to your ORIGINAL password that you used to sign up with. If you have changed the password since then, I don't think HG has access to that. That is why we had a mandatory password change earlier this year.

Therefore, if you have to give a password to a tech for something, it is best to change the password after the issue has been resolved.
  #16  
Old 07-10-2008, 01:39 PM
fused0ne fused0ne is offline
Hatchling Croc
 
Join Date: Jun 2008
Posts: 34
Default Re: Support staff should not ask for my password

Do they have it for Modernbill only or cpanel as well?
  #17  
Old 07-10-2008, 01:42 PM
quietFinn quietFinn is offline
Veteran Croc
 
Join Date: Feb 2005
Posts: 3,558
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by fused0ne View Post
Do they have it for Modernbill only or cpanel as well?
If you change your cPanel password it can not be seen by anyone.
  #18  
Old 07-12-2008, 07:05 PM
Dan85 Dan85 is offline
Hatchling Croc
 
Join Date: Jul 2008
Posts: 10
Default Re: Support staff should not ask for my password

I just change my passwords to a temporary one then switch them back after. The fact that staff need me to give them the password is reassuring, they are only human after all, no matter what business you run staff can never be totally trusted, there's usually a bad egg somewhere in the basket.
  #19  
Old 07-12-2008, 11:34 PM
nathangrubb nathangrubb is offline
Hatchling Croc
 
Join Date: Jul 2008
Posts: 16
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by cleanxhost View Post
Same thing really...
Not really, if you do it that way you keep your old password, while if you do it by changing your pass after it's been given, you have to deal with a new password.
  #20  
Old 07-14-2008, 11:10 PM
TonyB TonyB is offline
Swamp Croc
 
Join Date: Oct 2007
Location: DC
Posts: 260
Default Re: Support staff should not ask for my password

I just see it as a good excuse to go to the trouble of changing my password, which I know I should do much more frequently than I do.

I've got notes around here somewhere to remind me of all the places that have to be updated.
  • Change pw in cpanel. Also change:
      • WSFTP
      • DirectoryOpus
      • UltraFXP
      • backup FTP script
      • Dreamweaver
  #21  
Old 07-20-2008, 03:35 PM
Kris Siegel Kris Siegel is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 31
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by GatorZach View Post
Well, the thing is, if we keep a system of passwords, the customer will probably change it and not update us to keep a password on file. cPanel is funny about access to certain things, and sometimes we must have the current password to directly log into your cPanel to do it. Your representative was correct, we never disclose your password to anyone. We have the ability to reset your password if need be, but rather than do that, we prefer to obtain your authorization directly by asking for your password. We also apologize for the long wait on your support request. What is your ticket number, so we can resolve whatever issue you are having?
I'm not sure why giving out your password or keeping a list of passwords are your only options. If the system was set up for support you would give each HostGator employee a login that worked for certain servers they were authorized to access and they could be limited to only change certain information. This prevents abuse (their accounts can easily be limited and locked out) and keeps the customer's information secure.

As it is now, if someone calls up HostGator the support rep has access to everything including some of their billing information. That's not a very good design, IMO, and I hope this gets corrected at some point. Security needs to be a priority, not a second thought.
Quote:
Originally Posted by gwyneth View Post
First, it's a shared server anyway and HG can get at anything it wants if it really needs to. It's sort of like living in an apartment complex: whether the maintenance folks use a master key or a copy of yours, they can get in. And like an apartment lease, you're supposed to let them have a copy of a key if you get additional locks. The TOS here, for instance, calls for dedicated account holders to keep HG updated when their root passwords change.
This is not true. If HostGator secured their passwords correctly (i.e. securely hashing them), then they could never get them without running some sort of brute forcing technique which could take decades.
Quote:
Originally Posted by GvilleRick View Post
I worked for a host that used cPanel and the most common thing that delayed ticket responses was the user refusing to provide a password (or giving the wrong one.) Requiring the password was there, in theory at least, for a few reasons. One was that it was a quick way of verifying that the ticket submitter was the site owner. If they didn't know the password we required other information such as the last 4 digits of the credit card to verify ownership (which had to be verified by another department causing further delays.)

Another reason for having the password was to be able to reproduce the error by logging in just as the user would rather than using the root password. In addition, all techs didn't have root passwords so they could not do anything really without the password. If the problem was something they couldn't handle or that required server access then the ticket was passed to another tech.
Are there not mechanisms so higher level techs can use their logins to "simulate" the user? At the company I work for we have certain support agents who have the ability to log in as a user without their passwords as long as they have the appropriate access. The simulation is exactly as if the user logged in but prevents the support techs from actually updating or viewing certain information. If there is an issue with that area then it's a data or code issue at which point it's passed on to the developers who re-create the issue with dummy data.
Quote:
Originally Posted by GvilleRick View Post
I'm not as good with the analogies as Gwyneth but I see not providing the password on par with dropping off your car at the shop and refusing to leave the keys. Sure, the techs could probably hotwire it to check it out but why should they have to jump through more hoops?
I would disagree with this analogy. I would say it's more along the lines of dropping off your car at a shop who has master keys that allow them to do what they need to do but they still want your key as well.
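The kind of scoped support access post #21 argues for, sketched as an added example (not code from the thread, HostGator or cPanel): the backend issues a signed grant tied to one agent, one account and one ticket, with an allow-list of actions and an expiry, and every attempt is audited. The key, account, agent, ticket and action names are all hypothetical.

```python
import base64, hashlib, hmac, json, time

# Assumption: signing key held only by the hosting control-panel backend.
SERVER_KEY = b"constructed-demo-key"

def issue_grant(account, agent, ticket, scopes, ttl_s, now=None):
    """Grant one agent limited, expiring access to one account for one ticket."""
    now = time.time() if now is None else now
    claims = {"acct": account, "agent": agent, "ticket": ticket,
              "scopes": sorted(scopes), "exp": int(now + ttl_s)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def _check(token, agent, account, action, now):
    """Return the reason a request is refused, or 'ok'."""
    try:
        body, tag = token.split(".")
        good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, good):
            return "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now >= claims["exp"]:
            return "expired"
        if claims["agent"] != agent or claims["acct"] != account:
            return "wrong agent or account"
        if action not in claims["scopes"]:
            return "action outside granted scope"
    except (ValueError, KeyError, TypeError):
        return "malformed"
    return "ok"

def authorize(token, agent, account, action, audit, now=None):
    """Decide a support action and record who tried what, allowed or not."""
    now = time.time() if now is None else now
    reason = _check(token, agent, account, action, now)
    audit.append({"t": int(now), "agent": agent, "acct": account,
                  "action": action, "result": reason})
    return reason == "ok"

if __name__ == "__main__":
    audit = []
    t0 = 1_215_550_000  # constructed timestamp
    grant = issue_grant("jdoe", "tech42", "TICKET-0001",
                        {"view_mail_queue", "view_error_log"}, 3600, now=t0)
    print(authorize(grant, "tech42", "jdoe", "view_mail_queue", audit, now=t0 + 60))
    print(authorize(grant, "tech42", "jdoe", "view_billing", audit, now=t0 + 60))
    print(authorize(grant, "tech42", "jdoe", "view_mail_queue", audit, now=t0 + 7200))
    for row in audit:
        print(row)
```

Revoking access is a matter of letting the grant expire or rotating the key; the customer's password is never shared and never has to be changed afterwards.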
  #22  
Old 07-20-2008, 03:56 PM
gwyneth gwyneth is offline
Supreme Croc
 
Join Date: Sep 2006
Location: up north
Posts: 6,843
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by Kris Siegel View Post
Quote:
Originally Posted by gwyneth View Post

First, it's a shared server anyway and HG can get at anything it wants if it really needs to. It's sort of like living in an apartment complex: whether the maintenance folks use a master key or a copy of yours, they can get in. And like an apartment lease, you're supposed to let them have a copy of a key if you get additional locks. The TOS here, for instance, calls for dedicated account holders to keep HG updated when their root passwords change.

This is not true. If HostGator secured their passwords correctly (i.e. securely hashing them), then they could never get them without running some sort of brute forcing technique which could take decades.
I didn't say HG could get your passwords; I said it could get at anything it wants in an account on a shared server. Wouldn't this always be true for root on a 'nix box?
  #23  
Old 07-20-2008, 04:12 PM
Kris Siegel Kris Siegel is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 31
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by gwyneth View Post
I didn't say HG could get your passwords; I said it could get at anything it wants in an account on a shared server. Wouldn't this always be true for root on a 'nix box?
Depending on how the security is set up on the box that would most likely always be true. I had thought you were referring to the user's password.

I'm not entirely sure how it's set up but changing certain things even with root on the box may require the user's password or a root cPanel password (I'm not sure how everything is set up).

Though I'm still a firm believer in that there is no need for support to ask for passwords nor is there ever a reason passwords should not be hashed securely. If anything, they could at least implement a support pin to verify that you are who you say you are.
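The two measures raised in posts #12 and #23, one-way password hashes and a separate support PIN, as an added example (not code from the thread or from HostGator's systems). The class, the PBKDF2 work factor and the lockout threshold are assumptions, and the sample secrets are constructed.

```python
import hashlib, hmac, os

ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor (assumed setting)
MAX_PIN_FAILURES = 3      # assumed lockout threshold

def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

class Account:
    """Keeps only salts and one-way hashes, so there is nothing to email back."""

    def __init__(self, password: str, support_pin: str):
        self.pw_salt = os.urandom(16)
        self.pw_hash = _derive(password, self.pw_salt)
        self.pin_salt = os.urandom(16)
        self.pin_hash = _derive(support_pin, self.pin_salt)
        self.pin_failures = 0

    def check_password(self, candidate: str) -> bool:
        # Used by the login form only; support never needs this secret.
        return hmac.compare_digest(_derive(candidate, self.pw_salt), self.pw_hash)

    def verify_support_pin(self, candidate: str) -> str:
        """Caller check for phone or chat: 'verified', 'rejected' or 'locked'."""
        # A short PIN is guessable, so wrong attempts are counted and capped.
        # Hashing alone does not protect a 6-digit PIN if the database leaks;
        # the PIN only proves identity to support and cannot log in.
        if self.pin_failures >= MAX_PIN_FAILURES:
            return "locked"
        if hmac.compare_digest(_derive(candidate, self.pin_salt), self.pin_hash):
            self.pin_failures = 0
            return "verified"
        self.pin_failures += 1
        return "rejected"

if __name__ == "__main__":
    acct = Account("correct horse battery", "493817")   # constructed secrets
    print(acct.check_password("correct horse battery"))  # login succeeds
    print(acct.verify_support_pin("493817"))              # caller is verified
    for guess in ("000000", "111111", "222222", "493817"):
        print(guess, acct.verify_support_pin(guess))      # fourth try is locked
```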
  #24  
Old 07-20-2008, 04:26 PM
ghpk ghpk is offline
King Croc
 
Join Date: Nov 2006
Posts: 1,245
Default Re: Support staff should not ask for my password

Fantastico applications are one of the examples where you need to be logged in as user and not ROOT to be able to fix issues.

HG is a good and trusted company and would be least interested in any customer's password, if they would have been shady types they would not have been at the TOP LEVEL they are today.

I've many hundred user accounts on my multiple dedicated boxes here, and I trust HG and never had such a problem. If a support tech ever asks me for my password on Live chat, I provide them the ticket ID which has the password and they take care of the rest.

If anyone still feels insecure, they can always change the password and RELAX once your ticket/issue has been resolved.

I think this thread is getting a bit stretched towards off-topic talks.
  #25  
Old 07-20-2008, 04:28 PM
ghpk ghpk is offline
King Croc
 
Join Date: Nov 2006
Posts: 1,245
Default Re: Support staff should not ask for my password

Quote:
Originally Posted by Kris Siegel View Post
they could at least implement a support pin to verify that you are who you say you are.
They do ask for part of card details, if they ever feel the need to verify you over phone or chat or sometimes even tickets if need be.
All times are GMT -5.