1and1 ask for passwords over the phone

129 points | timrogers | 13 years ago | blog.tim-rogers.co.uk

86 comments

[+] saurik|13 years ago|reply
> Help me HN. Has anyone else had experiences like this with 1and1? What did they do to get things resolved?

I use 1&1, and I ran into the same situation a couple months ago: I was terminating one of my contracts, and they asked for my password over the phone to verify. To be clear: I was not closing my account, I was only terminating a single contract.

The way I "resolved" the matter was quite simple: as I am not stubborn, I just gave them my password. The person sitting on the other end of the phone call already certainly has godlike access to my account anyway, I am not stupid enough to use the same password for multiple accounts, and barring insanely epic hacks I know they are a real representative as I called them at their phone number; so, there is really very little to lose handing over my password to the customer support person.

In the end, rather than getting morally outraged and posting an article asking a question to an online community in the hope of unblocking your ability to conduct what is fairly simple business, you should just change your password when you are done with the call and move on with your life. It will save yourself a bunch of time and frustration.

Then, afterwards, if you don't like the way 1&1 operates (maybe you believe that this is indicative of a more underlying set of security mistakes, or maybe you simply don't agree with the practice and don't want to support it), you might then consider moving your accounts to a different provider: there are tons of people you can use to host servers, domains, or whatever else you may be using 1&1 for. However, it shouldn't block your ability to make things happen right now.

[+] pattern|13 years ago|reply
I know I personally am happy to have read the OP's article. It made me aware of this backwards practice by 1&1, and I also learned that 1&1 stores these user passwords in plaintext. As a consumer of internet services, I will now steer clear of 1&1, and I have the OP to thank for the possible headaches I may have avoided.

I have no problem with someone standing up for what they believe in, taking a stand, and "rallying the HN troops" for what might be a relatively minor issue for most. I'm sure we all have made fusses about more trivial things :)

[+] zizee|13 years ago|reply
> I am not stupid enough to use the same password for multiple accounts

I don't consider myself stupid and I used to use the same password across multiple accounts. I changed this practice a while ago but I know that for the vast majority of people they do reuse passwords frequently.

Suggesting people are stupid for not following best practice password management is not helpful to the discussion.

[+] timrogers|13 years ago|reply
I completely understand your point, but I'd like to see things change rather than just abiding by this ridiculously bad practice. As you say, the rep obviously has full access without this so the whole act is pointless.

Even if not for me alone, I'd like to see this resolve as it's just bad form. A company culture that allows this cannot be good for the security of all domains held with 1and1.

I may well move away anyway, as you say, as I'm just so disappointed, but I'd like to see change anyway.

[+] einhverfr|13 years ago|reply
If they are asking for your password, however, then you have to assume that this is the tip of the iceberg security-incompetence-wise. What else are they screwing up?

But incompetent security by people who should know better is not limited to a few internet hosting providers. A year or two ago, Chase Bank called my wife up (i.e. they called our home) and asked my wife for her credit card number. My wife refused to give it and they suspended her bank account because of it. She had to call them and spend an additional hour on the phone getting that straightened up and shortly after this they abruptly cancelled the account with no explanation.

Any time this sort of thing happens do yourself a favor and do whatever you have to in order to close your account and move somewhere else.

[+] borlak|13 years ago|reply
I don't use 1and1, so I don't know if this is possible, but why not:

1) change current password to some stupid password

2) give password

3) reset password back to my normal password

4) move on with life

[+] mikeash|13 years ago|reply
I totally understand the idea of just giving in and then moving on, but I don't get the apparent dislike of telling the story. Should he not tell people about this bad practice? It may be too late for him, but it's not too late for everybody. It's useful for people to know that a company has a bad policy like this before you get involved with them, and they won't generally tell you themselves.
[+] tptacek|13 years ago|reply
Perhaps I'm misunderstanding the nature of this complaint, but it sounds like this guy is dealing with a service at which:

* Tier 1 customer service people do not have plaintext access to customer passwords, and

* Tier 1 customer service people do not have the ability to manipulate customer accounts without their passwords (and thus consent).

On the scale of security/customer-service interactions at service providers, this sounds like MONUMENTAL EPIC WIN. What exactly am I missing here?

And,

How on earth could you possibly input a password into some random text field in an application that you would not provide to the CEO of the company hosting that text field?

[+] timrogers|13 years ago|reply
I'm not convinced that the Tier 1 customer support reps do lack access without the password. It just seems to me like a misguided attempt at verifying identity.

As for your second point, all that is based on trust in the company that they're not storing in plain text and opening it to the CEO...which I hope is the case for most companies. I was more trying to give a sense that I'm really not happy giving my password to any person. When it's a web form, you just have to have trust or the whole idea of passwords is broken.

[+] suresk|13 years ago|reply
This doesn't sound good, but it got me thinking... How do you verify someone is who they say they are in situations like this?

As we've seen with recent breaches, the last 4 digits of your CC # aren't incredibly hard to find out. "Secret" questions and answers are generally quite poor, in that very few of them don't suffer from laughably small keyspaces or rely on semi-public information. Passwords almost seem like the least bad option.

I get that giving a password to a human isn't a very comfortable feeling, but if you don't trust the CSR to not misuse the password, do you also not trust the developers to not have put in something to grab your password one of the various times you enter it into a web application that they control?

[+] biot|13 years ago|reply
Like this:

  1. Login to your account
  2. Click on "Request Support"
  3. In the dropdown "Grant access to support for:" choose "30 minutes"
  4. Submit the form
  5. The site displays a phrase such as "banana black puzzle lightbulb"
     as well as a phone number to call or a support form to submit.
     The words are chosen from a list of 256 common, unambiguous words
     making the odds of guessing 1 in 4 billion.
  6. The CSR, upon using this phrase, gets 30 minutes access to your 
     account through their support portal only. All CSR actions are 
     logged in your account which you can view.
Of course, this takes development time away from features. It's much easier to just ask for the password and login using the same interface users use.
[+] tzs|13 years ago|reply
Assuming that all you need to verify is that the person on the phone knows that account name and password, one way that would not be too difficult to implement would be to have a way for support to mark the account with a random 8 digit number. The support person does this, and then tells the customer to log in to their account management page. There should be a link there that shows the random 8 digit number. The customer then reads this to the support person over the phone.
[+] vacri|13 years ago|reply
If you call them, you can be almost certain that they're genuine. It's really difficult to hijack a phone number without detection, and then to staff it for random calls suggests a level of dedication difficult to find.

So if they call you, never give anything related to security. Always call them back on a publicly verifiable phone number before giving security or very private info.

[+] cubicle67|13 years ago|reply
An excellent company I used to use for hosting (who were later swallowed by a not so excellent company) had a great solution to this. You'd log into your account and from there you could generate a single use token that you'd read to the CSR.
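The scheme biot, tzs and cubicle67 describe (a customer-generated phrase, number or single-use token that grants a CSR scoped, expiring, logged access) sketched as an added example; this is not 1&1's code nor anything from the post, and `WORDLIST`, the 30-minute default and the action names are assumptions.

```python
"""Time-limited, single-use support access grant (added example).
The customer mints a phrase while logged in and only its hash is stored;
a CSR redeems it for an expiring session; every CSR action is logged for
the customer to review. A random 8-digit number or opaque token is the
same mechanism with a different secret."""
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a list of 256 common, unambiguous words.
WORDLIST = ["banana", "black", "puzzle", "lightbulb"] + [
    f"word{i:03d}" for i in range(252)]

def new_grant(account, ttl_seconds=1800, words=4, now=None):
    """Customer side. Four words from 256 give 256**4 = 2**32 (~4.3 billion)
    possibilities, the '1 in 4 billion' figure from the thread. That is a
    low-entropy secret, so redemption must be rate-limited server-side."""
    phrase = " ".join(secrets.choice(WORDLIST) for _ in range(words))
    now = time.time() if now is None else now
    grant = {"account": account,
             "digest": hashlib.sha256(phrase.encode()).hexdigest(),
             "expires": now + ttl_seconds, "used": False, "log": []}
    return phrase, grant

def redeem(grant, phrase, csr_id, now=None):
    """CSR side: returns a session, or None if the phrase is wrong,
    expired or already used. The digest comparison is constant-time."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(phrase.encode()).hexdigest()
    if grant["used"] or now > grant["expires"]:
        return None
    if not hmac.compare_digest(digest, grant["digest"]):
        return None
    grant["used"] = True  # single use: a second redemption fails
    return {"account": grant["account"], "csr": csr_id,
            "expires": grant["expires"], "grant": grant}

def csr_action(session, action, now=None):
    """Perform a support action through the support portal only;
    refused after expiry, and always appended to the customer-visible log."""
    now = time.time() if now is None else now
    if now > session["expires"]:
        return False
    session["grant"]["log"].append((now, session["csr"], action))
    return True
```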
[+] SeanDav|13 years ago|reply
Easy to verify someone, ask them for the j'th and k'th character of their password along with their post code.
[+] timrogers|13 years ago|reply
I absolutely understand your point - but I think this is the worst of many bad solutions. It encourages bad habits and encourages people to think this kind of behaviour on websites is okay.

As for your second point, that is true - we just have to trust that that isn't happening, but that trust is implicit in day-to-day use of the internet.

[+] fosap|13 years ago|reply
I don't get it. At all. The only purpose of the password is to authenticate you against your account. Why would you refuse to use it for this? It's the point of a password that you submit it.¹ Oh yeah. Because you don't trust the guy on the telephone. He could easily hijack your account and do nasty stuff. 1) He could do it if he wanted, even if you didn't tell him. 2) You're not trusting him/her? Why are you doing any business with a company you don't trust?

Or is the point that somebody could wiretap you? Get off your tin foil hat and think about keyloggers.

¹) Or do a challenge response. It does not matter. It's a shared secret.

[+] timrogers|13 years ago|reply
The point is simply that established practice is to never share passwords, and this eschews that practice. I can see your point, but they have a variety of other data they could use to verify who you are. This is about the worst idea.
[+] Rudism|13 years ago|reply
I've avoided using 1and1, but I recently made the switch from GoDaddy to Hover.com for my domains and it was like an amazing breath of fresh air followed by a clear mountain spring water chaser.

Seriously. There are way better providers out there.

[+] timrogers|13 years ago|reply
I probably will do, I just want to make sure that people know about this bad practice, and hopefully encourage 1and1 to sort this out.
[+] circa|13 years ago|reply
I hate 1and1. I had to deal with their awful website interface for a client of mine recently. I had to transfer over 100 GB of stuff on this guy's "unlimited" storage account. They capped the speeds around 500KB/s. It seriously took all week. Uploading to Amazon and Rackspace CDNs was a godsend after that.
[+] VMG|13 years ago|reply
As a long-time customer in Germany, I can only agree. They have a lot of shady practices and I wouldn't recommend them to anyone.
[+] IndianGuy79|13 years ago|reply
I have been a long-time user of 1and1 for domains. Their initial product offering is always sweet (free, $1 domains, etc.). Their renewal rates are not bad as well.

But the place where I hated them most was NS change propagation; it took 24 hours to get that done.

Also their admin panel is awfully slow.

If you guys don't already know it, here are some links to help:

To transfer/cancel domains you must go through: http://cancel.1and1.com

Admin: http://admin.1and1.com

[+] pjl|13 years ago|reply
1and1's Control Panel is quite painful to use, but you don't have to go through cancel.1and1.com to transfer a domain - just make sure your domain is unlocked and you have the EPP code handy.
[+] stripe|13 years ago|reply
1and1 is a hosting company for the uneducated masses. Those do not care about telling some 1and1 employee their passwords because they think it is safe to do so. 1and1 is a great hosting company for someone who just needs a website. Nothing more. No DNS handling, passwords over the phone. Great advice has already been given: leave them and make sure your account is terminated. And I mean really terminated.
[+] aeden|13 years ago|reply
If you can get your transfer codes from them without having to give your password over the phone then start transferring now. You lose none of your registration period and you can find other registrars that don't suck. Even if you find a way to get what you want done with 1&1 you probably don't want to be doing business with a company that can't follow the most basic of security best practices.
[+] crisnoble|13 years ago|reply
Personally I think it is hilarious to say things like "ampersand" or the "little carrot arrow thing err.. you know shift six" over the phone. I once had to leave my password in a voice-mail to my nurse, she told me "most people just make it something simple like their doctors name you know." I refrained from launching into a tirade about the importance of strong unique passwords.
[+] unam|13 years ago|reply
I had the same experience over the weekend. Wanted to use Google Apps for one of my domains. They wanted me to email the .html file which Google gives you to a hotmail (really?) address and then give them the password to my 1and1 account as well. #fail
[+] timrogers|13 years ago|reply
Completely ridiculous. How do they get away with this kind of stuff? I genuinely think the only way to put a stop to it is for an article like this to get popular so they're forced to think.
[+] carstendv|13 years ago|reply
When you can manage DNS with them you can verify your Google Apps domain with TXT records. Oh wait, they don't allow you to configure TXT records either.
[+] brechin|13 years ago|reply
If you host the domain there, shouldn't you already have access to put the file in the right place on your own (i.e. without help from CS/TS)?
[+] degenerate|13 years ago|reply
Thanks for reminding me I have an expiring domain to transfer away from them!
[+] jiggy2011|13 years ago|reply
To be honest, I've asked customers for passwords over the phone before. Usually it's because they have called reporting a problem with their email. Now, about 70% of the time it's because of a problem at their end, but I have to humour them anyway.

Now I can of course access their mailbox by going into a shell on the server, but the quickest way to check everything and satisfy the customer is to set up their email account on my computer and check I can get it to work.

Since the passwords are securely hashed, the only way I can do this is by asking for the password from the customer.

[+] rhizome|13 years ago|reply
I see that as a failure of process. Your tools should already be constructed in a way that using them is easier and more reliable than asking for a password. Coupled with auth logging on the server side to diagnose failures on their side, there really should be no reason to ask for a password for this stuff.
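What rhizome's "auth logging on the server side" looks like in practice, as an added example that is not from the thread or any provider's tooling: a support tech classifies the customer's recent login attempts from the server's own log instead of re-entering their password on a mail client. The log lines are constructed in the style of Dovecot login/auth messages; the exact wording and field names are an assumption about that format.

```python
"""Diagnose a customer's mail login failures from server-side auth logs
(added example). Constructed, Dovecot-style log lines; field names and
message wording are assumptions about that format."""
import re
from collections import Counter

AUTH_LOG = """\
Sep 12 10:01:02 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Sep 12 10:02:11 mail dovecot: auth: passwd-file(bob@example.com,203.0.113.5): unknown user
Sep 12 10:02:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Sep 12 10:03:40 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<carol@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, TLS
Sep 12 10:04:05 mail dovecot: imap-login: Disconnected (no auth attempts in 10 secs): user=<>, rip=203.0.113.9, lip=198.51.100.2
Sep 12 10:05:00 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<dave@example.com>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.2
"""

USER_RE = re.compile(r"user=<([^>]*)>")
# "auth: passwd-file(user,ip): unknown user" carries the user in parentheses.
UNKNOWN_RE = re.compile(r"auth: \w[\w-]*\(([^,)]+)[^)]*\): unknown user")

def classify(line):
    """Return (user, verdict) for one log line, or None if it is not an
    authentication event. Verdicts are phrased as what the customer must fix."""
    m = UNKNOWN_RE.search(line)
    if m:
        return m.group(1), "unknown user (mailbox does not exist here)"
    um = USER_RE.search(line)
    if not um:
        return None
    user = um.group(1) or "(none)"
    if "Login:" in line:
        return user, "ok"
    if "disallowed plaintext auth" in line:
        return user, "client must enable TLS/STARTTLS"
    if "auth failed" in line:
        return user, "wrong password on the client"
    if "no auth attempts" in line:
        return user, "client connected but never authenticated"
    return user, "other"

def diagnose(log_text, account):
    """Count verdicts for `account`, so support can tell the customer
    what to change without ever needing their password."""
    verdicts = Counter()
    for line in log_text.splitlines():
        res = classify(line)
        if res and res[0] == account:
            verdicts[res[1]] += 1
    return dict(verdicts)
```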
[+] JSadowski|13 years ago|reply
1and1 is horrible anyhow, leave, fast!
[+] dave1010uk|13 years ago|reply
I had this with Virgin Media (UK ISP). I called them and the support guy asked for my secret password. I assumed it was a security answer so I went through a couple of obvious ones like mother's maiden name. After a few attempts, he stopped me and said my password was strange because it was just a bunch of random characters. At this point I realised that not only was he expecting my actual account password for verification but it was available in plain text for him to manually verify!
[+] stretchwithme|13 years ago|reply
I recall when I first heard of this outfit. I think it was 10 years ago. They wanted you to fax forms over to them. Perhaps early man got his domains that way.
[+] eli|13 years ago|reply
My recollection is that in the bad old days of Network Solutions, you had to fax in domain registration and change forms. I seem to recall someone stealing a big brand's domain name for fun simply by faxing in some instructions on bogus letterhead.
[+] wkonkel|13 years ago|reply
Give Badger a try... we salt and hash passwords. http://badger.com/
[+] ceejayoz|13 years ago|reply
That doesn't (technologically) stop you from asking for a password to verify, though.
[+] timrogers|13 years ago|reply
Unfortunately though, you don't support .uk :(
[+] brechin|13 years ago|reply
Perhaps it's time to consider another host? I've been happy with Dreamhost as a bargain-priced hosting provider.
[+] axusgrad|13 years ago|reply
Change the password to 1and1sucks, call back, and give them that. Oh wait, now everyone knows your new password.