1and1 ask for passwords over the phone (tim-rogers.co.uk)
129 points by timrogers on Aug 14, 2012 | 86 comments



> Help me HN. Has anyone else had experiences like this with 1and1? What did they do to get things resolved?

I use 1&1, and I ran into the same situation a couple months ago: I was terminating one of my contracts, and they asked for my password over the phone to verify. To be clear: I was not closing my account, I was only terminating a single contract.

The way I "resolved" the matter was quite simple: as I am not stubborn, I just gave them my password. The person sitting on the other end of the phone call already certainly has godlike access to my account anyway, I am not stupid enough to use the same password for multiple accounts, and barring insanely epic hacks I know they are a real representative as I called them at their phone number; so, there is really very little to lose handing over my password to the customer support person.

In the end, rather than getting morally outraged and posting an article asking a question to an online community in the hope of unblocking your ability to conduct what is fairly simple business, you should just change your password when you are done with the call and move on with your life. It will save you a bunch of time and frustration.

Then, afterwards, if you don't like the way 1&1 operates (maybe you believe that this is indicative of a more underlying set of security mistakes, or maybe you simply don't agree with the practice and don't want to support it), you might then consider moving your accounts to a different provider: there are tons of people you can use to host servers, domains, or whatever else you may be using 1&1 for. However, it shouldn't block your ability to make things happen right now.


I totally understand the idea of just giving in and then moving on, but I don't get the apparent dislike of telling the story. Should he not tell people about this bad practice? It may be too late for him, but it's not too late for everybody. It's useful for people to know that a company has a bad policy like this before you get involved with them, and they won't generally tell you themselves.


I know I personally am happy to have read the OP's article. It made me aware of this backwards practice by 1&1, and I also learned that 1&1 stores these user passwords in plaintext. As a consumer of internet services, I will now steer clear of 1&1, and I have the OP to thank for the possible headaches I may have avoided.

I have no problem with someone standing up for what they believe in, taking a stand, and "rallying the HN troops" for what might be a relatively minor issue for most. I'm sure we all have made fusses about more trivial things :)


So, I don't actually disagree with the brunt of what you have said here (that if someone has an issue with something that it might be valuable to tell other people in the communities you are a part of who might care); however, it doesn't really apply to this article: my response is attempting to directly answer the question posed in the bold text at the end about "how to get things resolved".

Now, that said, I actually do believe people "rallying troops" is often knee-jerk and incorrect vigilante justice masquerading as valiant. It isn't always the case, and there may be places where such behavior is legitimate (although I think figuring that out is an interesting and horribly long off-topic discussion). It certainly, though, isn't always positive.

As an example, there was a person claiming on HN a couple of days ago that Apple must be storing passwords in plain text because of a 32-character password length restriction[1]; I doubt that was actually the case, and much more argument and research should have been made before trying to incite such panic.

(edit: Hell, I didn't even notice that you did it yourself here until I saw the response from Fargren, but you just did it, too: there is no reason to believe that 1&1 "stores these user passwords in plaintext". It is much more reasonable to believe that they have a box on their end for "customer password" that verifies it using the same mechanisms the website does. It is not at all reasonable to "rally the troops" over assumptions.)

Again, however: that is not what this article was about; this article was not attempting to "rally troops", this article was asking for help making progress with an account they have at a vendor because the OP "make a point of never, ever, ever giving [his] password out to anyone" (emphasis his).

After all, you can still "rally the troops" after you get your job done: you can change your password afterwards, you can even change your password beforehand as borlak indicates (although that implies your password was important, which is already a mistake), you know this person is a real representative to within any reasonable margin of error; the moral stance here was just stubborn. :(

[1] http://news.ycombinator.com/item?id=4376029


I'm not trying to "rally the troops" as it were under the assumption that they're storing passwords in plain text. That's not the issue, though it would obviously be an issue if it *were* the case.

I just wanted to make sure people were aware of this kind of practice at 1and1, and hopefully (but probably not) drive some change in the practice.


All your points are duly taken! The reason I said this article was trying to "Rally the HN troops" is due to the second sentence of the post:

  Upvotes on Hacker News would be greatly appreciated to help me beat Goliath!
I took that to be a rallying cry :)


They don't need to have your password in plaintext to verify it. They could just type it to verify it at their end. Asking for it is still bad practice, though.


Agreed. They may or may not store in plain text, that remains to be seen. Regardless, this is bad practice.


Thanks - glad you understand my point. It's just not good practice and the only way these things get changed is if people complain, and HN is a great community to do that with. I know online security is something we're all passionate about.


I am not stupid enough to use the same password for multiple accounts

I don't consider myself stupid and I used to use the same password across multiple accounts. I changed this practice a while ago but I know that for the vast majority of people they do reuse passwords frequently.

Suggesting people are stupid for not following best practice password management is not helpful to the discussion.


I completely understand your point, but I'd like to see things change rather than just abiding by this ridiculously bad practice. As you say, the rep obviously has full access without this so the whole act is pointless.

Even if not for me alone, I'd like to see this resolve as it's just bad form. A company culture that allows this cannot be good for the security of all domains held with 1and1.

I may well move away anyway, as you say, as I'm just so disappointed, but I'd like to see change anyway.


You change the policies by applying economic pressure and moving your accounts to other providers. Seriously, it's not worth your time to change other people's behavior. Better to give them incentives or (as in this case) take them away to sway their actions.


Disagree. Calling them out like this can massively multiply the economic pressure applicable.

It's likely I and many other readers of this article will now never use 1and1 if it's possible to avoid them. A sort of passive boycott if you will.


Indeed - the economic pressure of my ~10 domains alone is not enough. The economic pressure of some portion of HN users is more significant.


I will do - my only concern is that my economic pressure alone won't be enough.

This post seeks to address information failure, if you will.


If they are asking for your password, however, then you have to assume that this is the tip of the iceberg security-incompetence-wise. What else are they screwing up?

But incompetent security by people who should know better is not limited to a few internet hosting providers. A year or two ago, Chase Bank called my wife up (i.e. they called our home) and asked my wife for her credit card number. My wife refused to give it and they suspended her bank account because of it. She had to call them and spend an additional hour on the phone getting that straightened up and shortly after this they abruptly cancelled the account with no explanation.

Any time this sort of thing happens do yourself a favor and do whatever you have to in order to close your account and move somewhere else.


I don't use 1and1, so I don't know if this is possible, but why not:

1) change current password to some stupid password

2) give password

3) reset password back to my normal password

4) move on with life


It should be pointed out that this would only be required if you are using this password for other things that are important (as in, you are sharing your password with other accounts) or your password is somehow precious and special (like the name of your favorite dead aunt): you shouldn't have to do this, as your password should already be something "stupid"; changing your random password to something else random when you are fully intending to just change it to something even further random again is a waste of time. ;P


I agree. But perhaps OP doesn't trust all support employees working for 1&1? This seems a reasonable stance.

So, he should give them his password, but he should then change it.


In addition to the responses from others, and depending on the password restrictions set by 1and1, there is no guarantee you can use the same/previous password when you try and reset it.


You can, but see below for my thoughts on that...


Perhaps I'm misunderstanding the nature of this complaint, but it sounds like this guy is dealing with a service at which:

* Tier 1 customer service people do not have plaintext access to customer passwords, and

* Tier 1 customer service people do not have the ability to manipulate customer accounts without their passwords (and thus consent).

On the scale of security/customer-service interactions at service providers, this sounds like MONUMENTAL EPIC WIN. What exactly am I missing here?

And,

How on earth could you possibly input a password into some random text field in an application that you would not provide to the CEO of the company hosting that text field?


I'm not convinced that the Tier 1 customer support reps do lack access without the password. It just seems to me like a misguided attempt at verifying identity.

As for your second point, all that is based on trust in the company that they're not storing in plain text and opening it to the CEO...which I hope is the case for most companies. I was more trying to give a sense that I'm really not happy giving my password to any person. When it's a web form, you just have to have trust or the whole idea of passwords is broken.


In case you missed it, the subtext of my comment is that neither of those bulleted items are true for most service providers. At most large service providers, you can count on tier 1 CSA's having direct plaintext access to your password and those CSA's being a mouse click away from taking any action on your account you can conceive of.

Your first point is just innuendo, right?


I'm not sure I understand what the point you're trying to make is. In a hypothetical (but unlikely) world where they *really* did need my password to manage my account, this would be a poor practice to have and it should have some kind of other verification, even if it was character [x] and [y] of my password. The same applies if they don't need it really...this doesn't seem a good idea regardless.


That specific solution doesn't work. If they have access with just characters x and y of your password, then they (as good as) have your password, and access to your account.


Well, yes, but it's expected and somewhat necessary that administrators (that is, people with some kind of administrative responsibility) of online services have access to your account.


The fewer people have that kind of access, the better.


So you do not trust them with your password (that you're going to change later anyway), but you do trust them with unpassworded access to your account?


All I'm saying is that you have to have that trust, it's always going to be the basis of how customer support works in businesses like this. Requiring that you give out your password to a person is not acceptable.


I've had a few days to think about this.

Now, having seen some of the alternative systems suggested, I think I agree.

I instinctively do not want to give my password to anyone. And that's a great habit to get into, and we want regular people to get into that habit. That would make phishing less useful.

In this case it seems they're trying really hard to protect your domain from harm. But yes, I've been mostly persuaded.


This doesn't sound good, but it got me thinking.. How do you verify someone is who they say they are in situations like this?

As we've seen with recent breaches, the last 4 digits of your CC # aren't incredibly hard to find out. "Secret" questions and answers are generally quite poor, in that very few of them don't suffer from laughably small keyspaces or rely on semi-public information. Passwords almost seem like the least bad option.

I get that giving a password to a human isn't a very comfortable feeling, but if you don't trust the CSR to not misuse the password, do you also not trust the developers to not have put in something to grab your password one of the various times you enter it into a web application that they control?


Like this:

  1. Login to your account
  2. Click on "Request Support"
  3. In the dropdown "Grant access to support for:" choose "30 minutes"
  4. Submit the form
  5. The site displays a phrase such as "banana black puzzle lightbulb"
     as well as a phone number to call or a support form to submit.
     The words are chosen from a list of 256 common, unambiguous words
     making the odds of guessing 1 in 4 billion.
  6. The CSR, upon using this phrase, gets 30 minutes access to your 
     account through their support portal only. All CSR actions are 
     logged in your account which you can view.
Of course, this takes development time away from features. It's much easier to just ask for the password and login using the same interface users use.


Assuming that all you need to verify is that the person on the phone knows that account name and password, one way that would not be too difficult to implement would be to have a way for support to mark the account with a random 8 digit number. The support person does this, and then tells the customer to log in to their account management page. There should be a link there that shows the random 8 digit number. The customer then reads this to the support person over the phone.


Something like that would certainly work - I was thinking a one-time code could be emailed to the email address on the account, but either way would be fine.

Given the relative simplicity, I wonder why nobody (at least that I know of) has implemented something like this?


This is how PayPal support works: you use the website to get a random six-digit "customer support PIN" which you then dial in when you connect to their system.


Media Temple operates this way, as well. I like this approach, as I can never remember those "4-digit account pins" (looking at you, AT&T), and I'm happier knowing any given pin is only usable for the next hour, anyway.


I think this is the best way actually, and I've thought of it for the startup I work for, it'd be a really good authentication technique which could replace the password for support transactions with less/none of the security implications.


If you call them, you can be almost certain that they're genuine. It's really difficult to hijack a phone number without detection, and then to staff it for random calls suggests a level of dedication difficult to find.

So if they call you, never give anything related to security. Always call them back on a publicly verifiable phone number before giving security or very private info.


An excellent company I used to use for hosting (who were later swallowed by a not so excellent company) had a great solution to this. You'd log into your account and from there you could generate a single-use token that you'd read to the CSR.
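The customer-initiated scheme laid out step by step in the "Like this:" comment above, and the single-use token and support-PIN variants mentioned in the 8-digit-number, PayPal, Media Temple and "excellent company" comments, all reduce to the same mechanism: the logged-in customer mints a short-lived secret, the CSR redeems it once, and the access it opens is bounded and logged. Below is that mechanism written out as an added example. It is not code from 1and1 or from any provider named in the thread; the class names, the 16-word list (a real one would be ~256 words), the audit-log format and the sample account and CSR identifiers are assumptions made for the example.

```python
"""Time-limited, single-use support access codes.

Added example; not 1and1 code, and not code from any provider named in the
thread. Names, the word list and the audit-log format are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed word list for the example. A production list would hold ~256
# common, unambiguous words, so a four-word phrase has 256**4 (~4 billion)
# possible values, as the comment above estimates.
WORDS = [
    "banana", "black", "puzzle", "lightbulb", "river", "copper", "window",
    "falcon", "marble", "orange", "silver", "tunnel", "velvet", "walnut",
    "yellow", "zebra",
]


@dataclass
class SupportGrant:
    code_hash: bytes                   # hash of the phrase; the phrase itself is never stored
    expires_at: float                  # end of the access window (unix time)
    redeemed_by: Optional[str] = None  # CSR id once the phrase has been used


class SupportAccess:
    """Customer-initiated support access. The customer asks the site for a
    phrase, reads it to the CSR, and the CSR's portal gets a short window of
    access. The customer's password is never spoken, typed or stored."""

    def __init__(self, words: List[str] = WORDS, code_words: int = 4) -> None:
        self.words = words
        self.code_words = code_words
        self._grants: Dict[str, SupportGrant] = {}
        self.audit_log: List[Tuple[float, str, str]] = []  # (time, account, event)

    @staticmethod
    def _hash(account_id: str, phrase: str) -> bytes:
        # Normalise spacing/case so a phrase read out over the phone still matches,
        # and bind it to the account so one account's phrase is useless for another.
        # ~2^32 phrases is too few for the hash alone to be a strong secret; the
        # short window, single use and online rate limiting are the real protection.
        normalised = " ".join(phrase.split()).lower()
        return hashlib.sha256(f"{account_id}\0{normalised}".encode()).digest()

    def issue(self, account_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        """Steps 1-5 of the procedure: a logged-in customer requests a phrase
        that opens a support window of ttl_seconds."""
        now = time.time() if now is None else now
        phrase = " ".join(secrets.choice(self.words) for _ in range(self.code_words))
        self._grants[account_id] = SupportGrant(self._hash(account_id, phrase), now + ttl_seconds)
        self.audit_log.append((now, account_id, f"support code issued, ttl={ttl_seconds}s"))
        return phrase

    def redeem(self, account_id: str, phrase: str, csr_id: str, now: Optional[float] = None) -> bool:
        """Step 6: the CSR enters the phrase the customer read out. Single use."""
        now = time.time() if now is None else now
        grant = self._grants.get(account_id)
        if grant is None or grant.redeemed_by is not None or now >= grant.expires_at:
            self.audit_log.append((now, account_id, f"support code rejected for {csr_id}"))
            return False
        if not hmac.compare_digest(grant.code_hash, self._hash(account_id, phrase)):
            self.audit_log.append((now, account_id, f"wrong support code from {csr_id}"))
            return False
        grant.redeemed_by = csr_id
        self.audit_log.append((now, account_id, f"support access granted to {csr_id}"))
        return True

    def support_action(self, account_id: str, csr_id: str, action: str,
                       now: Optional[float] = None) -> bool:
        """An action through the support portal: allowed only inside the window
        opened by redeem(), and always written to the customer-visible log."""
        now = time.time() if now is None else now
        grant = self._grants.get(account_id)
        allowed = grant is not None and grant.redeemed_by == csr_id and now < grant.expires_at
        self.audit_log.append((now, account_id,
                               f"{action} {'performed' if allowed else 'denied'} for {csr_id}"))
        return allowed


if __name__ == "__main__":
    svc = SupportAccess()
    t0 = 1_700_000_000.0
    phrase = svc.issue("acct-42", ttl_seconds=30 * 60, now=t0)
    print("read this to the CSR:", phrase)
    print(svc.redeem("acct-42", phrase, "csr-7", now=t0 + 120))                          # True
    print(svc.support_action("acct-42", "csr-7", "reset mailbox quota", now=t0 + 300))   # True
    print(svc.support_action("acct-42", "csr-7", "change DNS", now=t0 + 31 * 60))        # False: window closed
    for entry in svc.audit_log:
        print(entry)
```

The 8-digit-number comment runs the same exchange in the other direction (support marks the account, the customer reads the number back); the only change is who calls `issue()` and who calls `redeem()`. Whichever direction is used, the CSR never learns anything that remains valid after the window closes, which is the property a spoken password can never have.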


Easy to verify someone, ask them for the j'th and k'th character of their password along with their post code.
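The objection raised earlier in the thread to "characters x and y of your password" (that whoever can check them as good as has the password) can be made concrete. As an added example, not code from 1and1, Virgin Media or any other provider mentioned here, the block below shows the per-position storage a site would need in order to answer a j'th/k'th-character question, beside an ordinary whole-password hash, and then shows how cheaply anyone holding the per-position record recovers the full password. The salt, the sample password and the function names are assumptions constructed for the demonstration.

```python
"""Why "tell me characters j and k of your password" needs (near-)plaintext.

Added example; not code from 1and1, Virgin Media or any provider in the thread.
The storage layout and the sample password are assumptions constructed for the
demonstration.
"""
import hashlib
import hmac
import string
from typing import List, Tuple

# ~95 printable ASCII characters: the whole guess space for one password position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def _position_hash(salt: bytes, index: int, ch: str) -> bytes:
    return hashlib.sha256(salt + index.to_bytes(2, "big") + ch.encode()).digest()


def store_per_position(password: str, salt: bytes) -> List[bytes]:
    """What a site must keep if a CSR is to check 'character 3 and character 7':
    one hash per position. It looks hashed, but each entry has only ~95 preimages."""
    return [_position_hash(salt, i, ch) for i, ch in enumerate(password)]


def check_position(record: List[bytes], salt: bytes, index: int, ch: str) -> bool:
    """The CSR-side check for a single position."""
    return hmac.compare_digest(record[index], _position_hash(salt, index, ch))


def recover_from_per_position(record: List[bytes], salt: bytes) -> Tuple[str, int]:
    """Anyone holding the record (a leaked table, a curious admin) recovers the
    whole password with at most len(ALPHABET) guesses per position.
    Returns (password, number_of_guesses)."""
    recovered: List[str] = []
    guesses = 0
    for index in range(len(record)):
        for ch in ALPHABET:
            guesses += 1
            if check_position(record, salt, index, ch):
                recovered.append(ch)
                break
        else:
            raise ValueError(f"position {index} uses a character outside ALPHABET")
    return "".join(recovered), guesses


def store_whole(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """The ordinary alternative: one slow salted hash of the whole password.
    It can only answer 'is this the full password?', which is exactly why a
    site storing passwords this way cannot verify two characters of it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def check_whole(record: bytes, salt: bytes, password: str, iterations: int = 100_000) -> bool:
    return hmac.compare_digest(record, store_whole(password, salt, iterations))


def worst_case_guesses(length: int) -> Tuple[int, int]:
    """Upper bound on guesses for an offline attacker: per-position storage is
    linear in the length, whole-password storage is exponential."""
    return len(ALPHABET) * length, len(ALPHABET) ** length


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed for the example, not a real secret
    password = "Tr0ub4dor&3"            # constructed sample password
    record = store_per_position(password, salt)
    print("CSR check: char 0 == 'T'?", check_position(record, salt, 0, "T"))   # True
    found, guesses = recover_from_per_position(record, salt)
    print(f"recovered {found!r} in {guesses} guesses")
    print("worst case (per-position, whole):", worst_case_guesses(len(password)))
    whole = store_whole(password, salt)
    print("whole-password check:", check_whole(whole, salt, password))         # True
```

The salted per-position hashes add nothing: for an eleven-character password the attacker needs at most 95 * 11 = 1045 hash evaluations, against 95**11 for the whole-password form. Adding a post code, as the comment suggests, does not change that arithmetic. A provider that can check individual characters is, for practical purposes, one that holds the password in the clear, which is what the Virgin Media anecdote further down describes.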


I absolutely understand your point - but I think this is the worst of many bad solutions. It encourages bad habits and encourages people to think this kind of behaviour on websites is okay.

As for your second point, that is true - we just have to trust that that isn't happening, but that trust is implicit in day-to-day use of the internet.


I don't get it. At all. The only purpose of the password is to authenticate you against your account. Why would you refuse to use it for this? It's the point of a password that you submit it.¹ Oh yeah. Because you don't trust the guy on the telephone. He could easily hijack your account and do nasty stuff. 1) He could do that if he wanted to even if you didn't tell him. 2) You're not trusting him/her? Why are you doing any business with a company you don't trust?

Or is the point that somebody could wiretap you? Get off your tin foil hat and think about keyloggers.

¹) Or do a challenge response. It does not matter. It's a shared secret.


The point is simply that established practice is to never share passwords, and this eschews that practice. I can see your point, but they have a variety of other data they could use to verify who you are. This is about the worst idea.


Actually, no, it's way better than the other ways they could verify your identity. Did you not read the account of the Wired reporter who had his online identity stolen and wiped because companies used easily obtainable information about the person to verify the person's identity? If they had used a password instead it never would have happened.

I don't understand what your issue is with telling them the password. Just change it to something random and change it back after if it's not something you are comfortable sharing or saying out loud. It may personally offend you, but it's certainly not a bad practice.


No, that's not true at all. Every time you log in you share your password. That's the point of a password. (unless it's some fancy public/private key stuff).


I've avoided using 1and1, but I recently made the switch from GoDaddy to Hover.com for my domains and it was like an amazing breath of fresh air followed by a clear mountain spring water chaser.

Seriously. There are way better providers out there.


I probably will do, I just want to make sure that people know about this bad practice, and hopefully encourage 1and1 to sort this out.


I hate 1and1. I had to deal with their awful website interface for a client of mine recently. I had to transfer over 100 GB of stuff on this guy's "unlimited" storage account. They capped the speeds around 500KB/s. It seriously took all week. Uploading to Amazon and Rackspace CDNs was a godsend after that.


As a long-time customer in Germany, I can only agree. They have a lot of shady practices and I wouldn't recommend them to anyone.


I have been a long-time user of 1and1 for domains. Their initial product offering is always sweet (free or $1 domains, etc.). Their renewal rates are not bad either.

But the place where I hated them most was NS change propagation; it took 24 hours to get that done.

Also their admin panel is awfully slow.

If you guys don't already know it, here are some of the links to help

To transfer/cancel domains you must go through : http://cancel.1and1.com

Admin: http://admin.1and1.com


1and1's Control Panel is quite painful to use, but you don't have to go through cancel.1and1.com to transfer a domain - just make sure your domain is unlocked and you have the EPP code handy.


1and1 is a hosting company for the uneducated masses. Those do not care about telling some 1and1 employee their passwords because they think it is safe to do so. 1and1 is a great hosting company for someone who just needs a website. Nothing more. No Dns handling, passwords over the phone. Great advice has already been given: Leave them and make sure your account is terminated. And I mean really terminated.


If you can get your transfer codes from them without having to give your password over the phone then start transferring now. You lose none of your registration period and you can find other registrars that don't suck. Even if you find a way to get what you want done with 1&1 you probably don't want to be doing business with a company that can't follow the most basic of security best practices.


I probably will!


Personally I think it is hilarious to say things like "ampersand" or the "little carrot arrow thing err.. you know shift six" over the phone. I once had to leave my password in a voice-mail to my nurse, she told me "most people just make it something simple like their doctors name you know." I refrained from launching into a tirade about the importance of strong unique passwords.


I had the same experience over the weekend. Wanted to use Google Apps for one of my domains. They wanted me to email the .html file which Google gives you to a hotmail (really?) address and then give them the password to my 1and1 account as well. #fail


Completely ridiculous. How do they get away with this kind of stuff? I genuinely think the only way to put a stop to it is for an article like this to get popular so they're forced to think.


I asked the rep if I could give any other form of identification, guess what - your email address on the 1and1 account would do. I tried sending them the html file from the same email as the one on my 1and1 account and they did what I requested. This boils down to - they really don't need your password.


When you can manage DNS with them you can verify your Google Apps domain with TXT records. Oh wait, they don't allow you to configure TXT records either.


If you host the domain there, shouldn't you already have access to put the file in the right place on your own (i.e. without help from CS/TS)?


I guess it depends. If you have some kind of odd hosting package (for instance, if you [perhaps misguidedly] used a 1and1 e-Shop), you might not have file system access.


Thanks for reminding me I have an expiring domain to transfer away from them!


To be honest, I've asked customers for passwords over the phone before. Usually it's because they have called reporting a problem with their email; now, about 70% of the time it's because of a problem at their end, but I have to humour them anyway.

Now I can of course access their mailbox by going into a shell on the server but the quickest way to check everything and satisfy the customer is to setup their email account on my computer and check I can get it to work.

Since the passwords are securely hashed, the only way I can do this is by asking for the password from the customer.


I see that as a failure of process. Your tools should already be constructed in a way that using them is easier and more reliable than asking for a password. Coupled with auth logging on the server side to diagnose failures on their side, there really should be no reason to ask for a password for this stuff.


1and1 is horrible anyhow, leave, fast!


I had this with Virgin Media (UK ISP). I called them and the support guy asked for my secret password. I assumed it was a security answer so I went through a couple of obvious ones like mother's maiden name. After a few attempts, he stopped me and said my password was strange because it was just a bunch of random characters. At this point I realised that not only was he expecting my actual account password for verification, but it was available in plain text for him to manually verify!


I recall when I first heard of this outfit. I think it was 10 years ago. They wanted you to fax forms over to them. Perhaps early man got his domains that way.


My recollection is that in the bad old days of Network Solutions, you had to fax in domain registration and change forms. I seem to recall someone stealing a big brand's domain name for fun simply by faxing in some instructions on bogus letterhead.


Give Badger a try... we salt and hash passwords. http://badger.com/


That doesn't (technologically) stop you from asking for a password to verify, though.


I'm sure 1&1 actually does encrypt the password, otherwise the tech support guy probably would have just opened up tim_rogers.txt and found his password there.

This sounds like 1&1 just doesn't have a real customer support story and should probably just be avoided if possible. Or find somewhere that lets you provide 2 part security (ie, one for personal access and another for support access).

Author of the post said they should have some backend, and maybe they do, but I think the biggest problem was that they wanted him to authenticate himself as genuine with them by providing his password... they should have some other way to verify his identity without that.

(This is my personal opinion as a security professional and not the opinion of my employer)


I agree with your first point, or at least I'd imagine so. I've heard it suggested though that they don't so who knows!

To me, it seems like they just have a badly thought out verification process when they should be doing something else - for instance, they could just use the last four digits of your payment card or some other piece of relatively secret information. You have indeed crystallised what my issue is in this situation there!


Unfortunately though, you don't support .uk :(


Perhaps it's time to consider another host? I've been happy with Dreamhost as a bargain-priced hosting provider.


FYI: So does Citicards.


Change the password to 1and1sucks, call back, and give them that. Oh wait, now everyone knows your new password.


What registrars are good who support *.uk domains? I've had good experiences with Gandi previously.


+1 for Gandi, I've only heard good things about them. I've been with fasthosts.co.uk for 10 years now (with Zerigo for as long as I can remember as well). I've currently got 20 domains registered with them and I can't remember having had any problems with them.


I do like Gandi, they're quite pricey though. Shall have to compare prices across the board! Zerigo seem good though.


For personal/small setups,

UKReg.com

Domainmonster.com

123-reg.co.uk

All have solid reputations with 123-reg being the elephant in the industry but UKReg and Domainmonster having superb responsiveness and customer support.


I use Gandi and domainmonster.com. No problems with either.


While I agree 1&1 shouldn't ask for passwords... why not just temporarily change your password to something stupid, call support, and then change your password again?


I could (and may well) do that, but my issue is more one of principle. I could do this, but it shouldn't be necessary.


Because it's easier to complain about it.


In this situation, I don't think emailing their complaints department is going to help - I need the force of HN!



