HostGator Peer Support Forums > Public Forums > Suggestions

#1  06-02-2009, 03:51 AM
GloryImSaved (Hatchling Croc; joined Nov 2007; 4 posts)
You don't need my password... (lack of security)

I upgraded my account today to the business plan. By doing so, SSH was disabled on my account. I logged into live chat to have SSH enabled (as the knowledge base states). The tech insisted that I fill out the SSH request form. Lo and behold, the form requires my password.

In cPanel I submitted 2 requests for account addons. One was for an SSL cert. as provided by my account upgrade. I logged into HG's ticket system, opened the ticket, and lo and behold... my user name and password were clearly shown in the ticket.

Apart from all of this, there are several other forms which require customers to give their passwords. I understand that you're probably hiring people from India with zero access to any of HG's servers. However, I do not agree with the way account management is handled. I don't find it necessary to reveal my password to anyone. This has to be stopped. For a company that touts millions of websites and thousands of customers, it would seem they have very little privacy or security concerns for their customers.

I don't care how "honest" your employees are. They're given my domain and password. All they would need to do is memorize, wait 2-3 months, and access my site. If I run a business this poses a problem as it places my clients at risk as well.

Is there anything in the TOS which states our private information (user names / passwords) are disclosed to 3rd parties, regardless of employment?

In case you missed it, my suggestion is this: encrypt passwords for customer security and provide your live support with a different means of upgrading accounts without the use or requirement of my password.

Edit:
Also, please keep in mind that it wouldn't take much for someone to create a fake e-mail or website which requests the user name and password of a specific customer. This is why the majority of the internet follows a golden rule: never ask the customer for their password. Why? Because a plethora of scams resulted in countless accounts being stolen throughout the late 90's. I dare say -- not even free web hosts request your password in e-mail or site submission. Bottom line, this method is not secure and to do so is unprofessional and juvenile given the risks involved.

Last edited by GloryImSaved; 06-02-2009 at 04:02 AM.
#2  06-02-2009, 01:14 PM
capt_happy (Baby Croc; joined Feb 2009; Saint Joseph, MO; 65 posts)

Quote:
Originally Posted by GloryImSaved
I don't care how "honest" your employees are. They're given my domain and password. All they would need to do is memorize, wait 2-3 months, and access my site. If I run a business this poses a problem as it places my clients at risk as well.

While I agree with what you say, why would you NOT change your password on a regular basis?
#3  06-02-2009, 01:49 PM
gwyneth (Supreme Croc; joined Sep 2006; up north; 6,843 posts)

Quote:
Originally Posted by GloryImSaved
For a company that touts millions of websites and thousands of customers, it would seem they have very little privacy or security concerns for their customers.
Actually, I think HG is working on the assumption that customers take reasonable security precautions themselves...such as reflexively changing their password the instant support doesn't need it any more.

IMO, this also encourages customers to do what they should be doing themselves, anyway (a parallel, for example, to assuming HG backups don't exist).

Quote:
Originally Posted by GloryImSaved
I don't care how "honest" your employees are. They're given my domain and password. All they would need to do is memorize, wait 2-3 months, and access my site. If I run a business this poses a problem as it places my clients at risk as well.
Passwords are not supposed to be permanent, anywhere. The idea of being "professional" enough to run a business, have customers, and NOT change the password regularly--let alone as a routine matter after extending access--seems like an oxymoron, IMO.

Quote:
Originally Posted by capt_happy

While I agree with what you say, why would you NOT change your password on a regular basis?
I am also curious about this.
#4  06-02-2009, 01:58 PM
fanfavorite (Junior Croc; joined Jun 2006; Toronto, Ontario, Canada; 194 posts)

Some people don't think about changing their passwords all the time. What I recommend is maybe hostgator should reset the password when checking and then tell the user how to restore it back to whatever they like after or direct the person to change it temporarily for the support.

These are things that Hostgator may want to consider documenting to help new users. Most people don't think of everything and Hostgator could avoid some unhappy users by creating a Resellers Starting Guide. I understand that this is not their responsibility, but am just thinking about the beginners and how Hostgator could make them happier.
#5  06-02-2009, 02:32 PM
GloryImSaved (Hatchling Croc; joined Nov 2007; 4 posts)

Quote:
Originally Posted by gwyneth
Actually, I think HG is working on the assumption...
HG does not limit their business to the security conscious administrator or network security consultant. Changing passwords often is a good practice, but you're deferring from the issue and taking a liberal approach. The issue isn't how often a person changes their password, but why HG is using careless, insecure, and unprofessional techniques in order to provide support for its customers.

A quick glance at whois information: NS1721.HOSTGATOR.COM (has 667,384 domains). Do you mean to tell me that of those 667k+ domains, every single person is security conscious and changes their passwords often?

Again, I'll point out the statement "I think HG is...assumption." It is a double negative and is merely an opinion.

Quote:
Passwords are not supposed to be permanent, anywhere. The idea of being "professional" enough to run a business, have customers, and NOT change the password regularly--let alone as a routine matter after extending access--seems like an oxymoron, IMO.

I am also curious about this.
Rather than reading and addressing the issue Gwyneth, you chose to attack my business ethics when I was merely using examples.

Again, I did not start a topic based upon the frequency of my password changes nor did I claim that I don't change my password. This is completely irrelevant concerning the topic at hand. HG uses insecure methods in order to provide support for their customers.

Case in point: Rather than attack or question my methods, try addressing the issue at hand; HG's methods.

Last edited by GloryImSaved; 06-02-2009 at 02:41 PM.
#6  06-02-2009, 04:51 PM
txitcs (Hatchling Croc; joined Nov 2008; 32 posts)

I'm not sure, so this is why I'm asking. In the places HG asks for passwords, are they over SSL? If so, and they don't send it over email, I don't see an issue. If it is not over SSL, then this is something that should definitely be implemented.

HG has 200+ employees. I can promise you only a select few have the root passwords to those servers. In order to access a user's account in cPanel you have to either have root access or have the user's password.

So answer me this...would you rather have 200+ people with root access to the server you're on, or the few people that handle your trouble tickets have your account password?
#7  06-02-2009, 05:41 PM
gwyneth (Supreme Croc; joined Sep 2006; up north; 6,843 posts)

Quote:
Originally Posted by GloryImSaved
HG does not limit their business to the security conscious administrator or network security consultant. Changing passwords often is a good practice, but you're deferring from the issue and taking a liberal approach. ...

Again, I'll point out the statement "I think HG is...assumption." It is a double negative and is merely an opinion....

Rather then reading and addressing the issue Gwyneth, you chose to attack my business ethics when I was merely using examples.

...

Case in point: Rather then attack or question my methods, try addressing the issue at hand; HG's methods.
My comment was about "anybody running a business" and was clearly my opinion that if his/her customers would be hurt by not changing passwords, it's unprofessional not to.

I'm floored you're interpreting that as an attack, let alone on your own ethics. It's also my opinion that if the dog groomer knows that a product makes Fido's coat glow in the dark, using it anyway would be unprofessional.

All I was and am saying: whatever security measures HG takes or does not take on behalf of your password, you're still responsible for keeping it safe, which means frequent changes. I didn't address, let alone defend, HG practices, except to say they encourage diligence of our (customers) own.

Besides, if the security of sensitive data or transactions--anything that might be attractive to a hypothetical dishonest host firm employee--could be breached simply by having that account's password, the accountholder hasn't protected his/her stuff very well at all.

Credit card numbers and sensitive data such as social security numbers or health records shouldn't be stored on shared or reseller accounts, period. If the account or its own clients are processing financial transactions, separate security measures would normally be in place to protect them from being breached even with possession of the account password.

Those concerns are something that anybody who's even thinking about handling sensitive stuff with their account needs to address.

Of course, just because there shouldn't be any attractive target for the hypothetical dishonest host company employee to steal, doesn't annul your point, and I'm not saying it does.

You associate frequent password changes with the "security conscious administrator or network security consultant". But I meant "passwords everywhere" literally.

Outside the internet, one of my banks has posters next to each teller asking, "How old is YOUR PIN?" Cable TV commercials urge parents to change child-safe lockout codes every month; settable padlocks for luggage and bicycle arrive with stickers advising frequent changes; and I've gotten an identical promotional refrigerator magnet from insurance agents and security system companies suggesting in large fluorescent type that "old codes are no codes".
#8  06-02-2009, 07:15 PM
GloryImSaved (Hatchling Croc; joined Nov 2007; 4 posts)

Quote:
Originally Posted by gwyneth
My comment was about "anybody running a business" and was clearly my opinion that if his/her customers would be hurt by not changing passwords, it's unprofessional not to.

I'm floored you're interpreting that as an attack, let alone on your own ethics. It's also my opinion that if the dog groomer knows that a product makes Fido's coat glow in the dark, using it anyway would be unprofessional.

All I was and am saying: whatever security measures HG takes or does not take on behalf of your password, you're still responsible for keeping it safe, which means frequent changes. I didn't address, let alone defend, HG practices, except to say they encourage diligence of our (customers) own.

Besides, if the security of sensitive data or transactions--anything that might be attractive to a hypothetical dishonest host firm employee--could be breached simply by having that account's password, the accountholder hasn't protected his/her stuff very well at all.

Credit card numbers and sensitive data such as social security numbers or health records shouldn't be stored on shared or reseller accounts, period. If the account or its own clients are processing financial transactions, separate security measures would normally be in place to protect them from being breached even with possession of the account password.

Those concerns are something that anybody who's even thinking about handling sensitive stuff with their account needs to address.

Of course, just because there shouldn't be any attractive target for the hypothetical dishonest host company employee to steal, doesn't annul your point, and I'm not saying it does.

You associate frequent password changes with the "security conscious administrator or network security consultant". But I meant "passwords everywhere" literally.

Outside the internet, one of my banks has posters next to each teller asking, "How old is YOUR PIN?" Cable TV commercials urge parents to change child-safe lockout codes every month; settable padlocks for luggage and bicycle arrive with stickers advising frequent changes; and I've gotten an identical promotional refrigerator magnet from insurance agents and security system companies suggesting in large fluorescent type that "old codes are no codes".
No offense, but nothing in this rant is relevant to the issue at hand. Under no circumstances should I be required to give my password to any employee. There's no reason for it. End of story. You cannot justify the need for a customer to give out their password. Enabling SSH on my account should not require my password. I don't understand why a 3rd party needs to log into my account to make changes which are server side to begin with.

The security issues involving a person giving out their password to HG extend beyond the 1st-tier tech support, many of which involve common scams which have plagued the internet. To think this entire issue rests upon the shoulders of honest, hard-working HG tech support personnel is narrow-minded.

Quote:
Originally Posted by txitcs
So answer me this...would you rather have 200+ people with root access to the server you're on, or the few people that handle your trouble tickets have your account password?
I'll make this simple. A tech clicking on a user account and checking off a little box doesn't require my password nor does it require that tech to have root access. I really don't need to argue this point as it's downright stupid, but for some reason people continually think that giving out their password is O-K and act as though it's not a security risk which 99% of major companies have taken measures to avoid.
#9  06-02-2009, 07:45 PM
txitcs (Hatchling Croc; joined Nov 2008; 32 posts)

Quote:
Originally Posted by GloryImSaved
I'll make this simple. A tech clicking on a user account and checking off a little box doesn't require my password nor does it require that tech to have root access. I really don't need to argue this point as it's down right stupid, but for some reason people continually think that giving out their password is O-K and act as though it's not a security risk which 99% of major companies have taken measures to avoid.
This all depends on what that "little box" is. I don't know what your issue was and I'm just speaking very generically for support requests. If a tech needs to check and/or change something under your account then it is necessary for them to have your account password. The security risk is much higher giving them root access.

As far as the 99% of companies taking measures to avoid....I disagree. I have accounts with around 10 hosting companies, and all of them require your password if you request support. It's not as uncommon as you think.

Honestly you should be more worried if it's being sent over SSL or not than anything. You should trust your web host and if you do not then you shouldn't be there, especially if you're hosting a business. Just think about it...these people have full access to all of your files, and passwords you use in configuration files, your email accounts, etc...If someone at any host really wanted to screw you over...it wouldn't be hard.

Then also take into consideration the way Brent takes care of his employees. Most employees who abuse privileges like you're suggesting are upset about their work environment. Brent takes VERY good care of his employees and that helps reduce the chances of anything like that happening.
#10  06-02-2009, 10:00 PM
Txspaderz (Hatchling Croc; joined May 2008; 33 posts)

Quote:
Originally Posted by GloryImSaved
Enabling SSH on my account should not require my password. I don't understand why a 3rd party needs to log into my account to make changes which are server side to begin with.
Would you rather someone else who got into your email account enable SSH and destroy your website? Or would you rather HG have a good belief that since you have the correct password and you are who you say you are?

Quote:
Originally Posted by GloryImSaved
The security issues involving a person giving out their password to HG extends beyond the 1st tier tech support, many of which involve common scams which have plagued the internet. To think this entire issue rests upon the shoulders of honest, hard working HG tech support personal is narrow minded.
cPanel by design doesn't allow root access to phpMyAdmin through WHM and Fantastico through Root. Of course these are always bypassable. It's also most times not practical to diagnose an issue without actually and physically reproducing the error.

Quote:
Originally Posted by GloryImSaved
I'll make this simple. A tech clicking on a user account and checking off a little box doesn't require my password nor does it require that tech to have root access. I really don't need to argue this point as it's down right stupid, but for some reason people continually think that giving out their password is O-K and act as though it's not a security risk which 99% of major companies have taken measures to avoid.
99% of the major companies that have taken those measures are holding financial information, insurance information, retirement info, customer info, credit card info, employee and customer credit information, confidential information critical to their success and business practices / plans / information.

While I agree with keeping your passwords safe, there is no reason to get riled up like this because you don't feel like giving out your password. If you are that strong-footed against it, change it before giving it to HG, and then change it back after they are done.

Please, calm down. Would you like a cup of coffee?
#11  06-02-2009, 10:20 PM
striddy (Veteran Croc; joined Mar 2008; /home/australia/earth; 4,093 posts)

Quote:
Originally Posted by GloryImSaved
I logged into live chat to have SSH enabled (as the knowledge base states). The tech insisted that I fill out the SSH request form. Low and behold, the form requires my password.
HG has to be able to confirm that you are the account owner, not just somebody randomly entering details into the form. How would you suggest they can improve on that process?

Quote:
Originally Posted by GloryImSaved
I logged into HG's ticket system, opened the ticket, and low and behold... my user name and password were clearly shown in the ticket.
The ticket system uses SSL.

Quote:
Originally Posted by GloryImSaved
Apart from all of this, there are several other forms which require customers to give their passwords.
Forms that use SSL.

Quote:
Originally Posted by GloryImSaved
I understand that you're probably hiring people from India with zero access to any of HG's servers.
You are mistaken.

Quote:
Originally Posted by GloryImSaved
I don't find it necessary to reveal my password to anyone.
How would you prefer HG to verify you are the account owner?

Quote:
Originally Posted by GloryImSaved
They're given my domain and password. All they would need to do is memorize, wait 2-3 months, and access my site. If I run a business this poses a problem as it places my clients at risk as well.
As they have root access this is irrelevant.

Quote:
Originally Posted by GloryImSaved
provide your live support with a different means of upgrading accounts without the use or requirement of my password.
Which would be what?
- David

#12  07-07-2009, 12:55 PM
dustbuster (Hatchling Croc; joined Mar 2008; 13 posts)

Quote:
Originally Posted by striddy
HG has to be able to confirm that you are the account owner, not just somebody randomly entering details into the form. How would you suggest they can improve on that process?
The issue at hand is that passwords should not be shown in cleartext to anyone, anywhere, support employee or otherwise. It is easy to authenticate against an account without providing the support employee a cleartext password (e.g. using hashing). In addition, Hostgator should not be storing cleartext passwords anywhere, including in the ticket database, because of the increased risk. (Yes, yes, we know that people should change their passwords regularly and use unique passwords, but the reality is that it doesn't always happen.)

There are other places in the HostGator process that this is also a problem, including the forgotten password emails sent from the Ticket system (emails you your password in cleartext) and the initial package registration confirmation (also emails you your password in cleartext). This all adds up to make me nervous about the security of my account.
#13  07-07-2009, 08:37 PM
kroby (Hatchling Croc; joined Jul 2009; 9 posts)

Quote:
Originally Posted by dustbuster
The issue at hand is that passwords should not be shown in cleartext to anyone, anywhere, support employee or otherwise. It is easy to authenticate against an account without providing the support employee a cleartext password (e.g. using hashing). In addition, Hostgator should not be storing cleartext passwords anywhere, including in the ticket database, because of the increased risk. (Yes, yes, we know that people should change their passwords regularly and use unique passwords, but the reality is that it doesn't always happen.)

There are other places in the HostGator process that this is also a problem, including the forgotten password emails sent from the Ticket system (emails you your password in cleartext) and the initial package registration confirmation (also emails you your password in cleartext). This all adds up to make me nervous about the security of my account.
I could not agree more. No one other than me should ever need to know my password, and passwords should never be stored in plain text. Period.

This really has nothing to do with the trustworthiness of HG staff, and everything to do with security best practices. I am sure that if an HG employee wanted to wreak havoc on my account they could do it easily without my credentials. Passwords need to be kept safe, and that includes keeping them secret. HostGator's mistake was deciding to use passwords as a method of validating account ownership. This is a poor practice, and unfortunately the problem is widespread across web hosts. Instead, they should verify ownership by asking a series of challenge questions.

When a web host neglects to follow a standard security practice it makes people wonder where else shortcuts may have been taken at the price of security.
#14  07-07-2009, 08:38 PM
kmaw (Emperor Croc; joined Mar 2005; Ontario, Canada; 1,924 posts)

What do other web hosts do?
#15  07-07-2009, 08:46 PM
kroby (Hatchling Croc; joined Jul 2009; 9 posts)

Quote:
Originally Posted by kmaw
What do other web hosts do?
In my experience, other web hosts require a password to submit a password as well. I usually filled it in with junk like YouDontNeedThis. And it was never a problem. However, I don't know how far that would get me here.

Just because asking for passwords is common in the hosting industry does not mean that it is right.
#16  07-08-2009, 03:06 PM
cdelsol (Hatchling Croc; joined Jul 2009; 3 posts)

Quote:
Originally Posted by GloryImSaved
.../...

My 2 cents:

I agree, HG should have a system by which the customer never (or very rarely) has to communicate their passwords, especially the way it is done today. Anyone from HG or pretending to be from HG can ask the customer for any of their userIDs/passwords. This is a big 'no-no' in the HG process.

I'm not sure how large HG is, but if you have internal legal people, it would be wise to check whether, in the IT world, this practice would be considered below standard expectations (i.e. negligence).

This has nothing to do with the trust we have in HG employees or with the habit of regularly changing passwords. Without even considering purposeful criminal activity from a staff member, every company of every size does have disgruntled employees...

This issue should really be considered by the owners/managers of HG (not the staffer doing their best with the tools they are being provided with).
#17  07-08-2009, 03:57 PM
LiteWebs (Hatchling Croc; joined Jul 2009; 1 post)

I've always thought it odd that a password was required for certain actions. I don't change my passwords as I use strong types. If I had a regime of changing passwords on a regular basis, I would never get any work done. One password, one account... if someone wants to try and guess the pass, get several lifetimes to burn away; brute force attacks will see me removed from this mortal coil before you even get close.

The company I work for doesn't ask for my network password when I phone up HR. They don't need it; they ask other details instead, like my mother's maiden name (which I have set to a falsehood for security). So indeed, why should HG ask for my password if I want some action done that I don't have access to?

There are plenty of ways to manually verify a customer's identity. Name, address, DOB, email address, primary domain name, username... but password? Why?

What's wrong with 'security question & answer'? A password gives access, verification of identity should never give access capability IMO.

The OP has a valid point which should really be addressed, instead of dressed-down.

#18  07-08-2009, 08:01 PM
GatorDrewH (HostGator Guest)

I don't mean to ignore anyone's specific points, but I can certainly sympathize with a lot of concerns about security.

From my understanding, our intentions are to put all of the forms where you verify passwords inside of GatorBill (the new billing system). So you log in securely (HTTPS), and then submit whatever request would normally be done requiring a password on our site.

We could potentially introduce flash cookies as a method for verifying your identity before logging in, similar to how a lot of banks do it now. This is pretty standard to prevent phishing attempts.

In addition to that we aren't going to be verifying by password in general over the phone or chat, but rather a security PIN (typically a 4-8 digit number) which can be updated from the billing system.

It isn't my place to comment on security practices aside from what we intend to do with GatorBill in the future. That being said, I'm more than open to any suggestions you guys have in regards to security going into the future, since we do intend to be off modernbill in a few months.
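As an added example (not HostGator's code, nor anything posted in this thread) of what dustbuster's "authenticate without a cleartext password" and GatorDrewH's "security PIN" posts describe: ownership is verified server-side against a salted hash, a separate short support PIN is checked with a lockout because it is guessable, and the ticket that results records only the verification outcome, never the secret. The in-memory account store, the PBKDF2 iteration count and the lockout threshold are constructed assumptions.

```python
"""Support-request verification that never exposes or stores a cleartext secret."""
from typing import Dict, Optional, Tuple
import hashlib
import hmac
import os
import time

# Constructed policy values for this example; tune both for a real deployment.
PBKDF2_ITERATIONS = 100_000
PIN_MAX_FAILURES = 5


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the (salt, digest) pair is all that is persisted."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_secret(secret: str, stored: Tuple[bytes, bytes]) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt, digest = stored
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """In-memory stand-in for the hosting account database (constructed)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def create(self, username: str, password: str, support_pin: str) -> None:
        # Two distinct secrets: the login password, and a short support PIN used
        # only to verify ownership over phone/chat. Only hashes are kept, so no
        # employee and no ticket can ever read either one back.
        self._accounts[username] = {
            "password": hash_secret(password),
            "support_pin": hash_secret(support_pin),
            "pin_failures": 0,
        }

    def verify_password(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and check_secret(password, acct["password"])

    def verify_support_pin(self, username: str, pin: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            return False
        if acct["pin_failures"] >= PIN_MAX_FAILURES:
            return False  # a 4-8 digit PIN is guessable, so it must lock out
        if check_secret(pin, acct["support_pin"]):
            acct["pin_failures"] = 0
            return True
        acct["pin_failures"] += 1
        return False


def open_support_request(store: AccountStore, username: str, secret: str,
                         request: str, via: str = "password") -> dict:
    """Verify ownership server-side and open a ticket that records only the
    outcome. The submitted secret is checked and discarded, never stored."""
    if via == "password":
        verified = store.verify_password(username, secret)
    elif via == "pin":
        verified = store.verify_support_pin(username, secret)
    else:
        raise ValueError("unknown verification method: %r" % via)
    return {
        "username": username,
        "request": request,
        "owner_verified": verified,
        "verified_via": via if verified else None,
        "opened_at": int(time.time()),
    }


def ticket_leaks_secret(ticket: dict, secret: str) -> bool:
    """Guard a ticket system can run before persisting a record: does the
    submitted secret appear in any field? For tickets built above it never does."""
    return any(secret in str(value) for value in ticket.values())
```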