Something alarming happened to me yesterday.
I’ve been hosting my web sites with 1&1 for years. They offer some very low rates for monthly web hosting– particularly for people like me who don’t get a lot of traffic– and they seem to be as reliable as anyone else for small-time hosting. (Mind you, I refuse to use GoDaddy based on their their initial SOPA stance, and you should too.)
Yesterday, I called 1&1’s cancellation department because there was something in my contract that wasn’t appearing correctly. I had recently purchased a new package, done some domain transfers, and otherwise shifted things around in a confusing way, so I was just making sure that everything was showing up where expected before I attempted to cancel the obsolete package(s). The customer service representative (CSR) in the cancellation department couldn’t explain to me why things weren’t showing up as I expected, but he offered to perform my cancellation over the phone… he’d just need my password.
“My password?!” I asked incredulously. “People can overhear me right now, so I’m not at liberty to disclose that over the phone. Why do you need my password?”
“We need your password to perform a cancellation sir,” he replied.
I kindly explained that I didn’t actually need a cancellation yet, as I was just trying to understand the situation. He suggested that Tech Support could offer better assistance on that, so he transferred me to a female CSR in that department.
The female CSR couldn’t answer my question either, so she offered to escalate. Again, same story:
CSR: “What’s your account password, sir? I’ll need that to escalate a case.”
Are you f*cking kidding me? You want me to supply my password over the phone just to log a help desk ticket? Unfortunately, I didn’t have much choice, so I gave her the password and eventually got my question answered via email.
BUT… the real question/issue is this:
WHY is 1&1 storing my passwords in the clear? WHY can a CSR verify the plain text of my password over the phone? WHY on Earth is my ACCOUNT PASSWORD not encrypted/hashed into a garbled unreadable mess?!
Sure, it’s possible that the CSR typed my password into a hashing program (or the site itself) to validate what I gave her, but I sincerely doubt it. And even so, would that be any excuse for forcing me to give my password over the phone?
More likely though, they’re not encrypting my password, and she compared the password I gave her on the phone to the plain text in front of her. And that makes me nervous.
Considering high profile hacks like the one that happened PlentyOfFish a few years ago, you’d think sites would wise up and start encrypting their passwords. Especially a web host that’s “Proud to be the Best in the World” at “12 million customer contracts strong.”
I think it’s time to find a new web host.