
View Full Version : Unhappy with NameCheap after one day
Phantium 08-30-2009, 05:05 PM So I got with Namecheap yesterday, everything looked great.
Then I initiated a support chat with a domain support representative because my whois privacy e-mail forward does not work. And guess what? They asked me for my username, ok as for the username...
But then! Yes, you won't expect this. The person in question asked me for the last 4 digits of my password! So obviously? They save our passwords in plain text, I do not accept this! I know they might do the same over at other hosts.. but seriously? How is it safe? And I really don't want their support staff to know my password, what if they decide to try and steal my domain name?
I asked if I could file a complaint, they told me to e-mail their support and would forward it to their management. I wanted to file a complaint on the staff who asked me for this information, as for the part where they save the password in plain text.. I do not wish to stay with Namecheap much longer.
I will most definitely transfer my domains to another company in 3 months, I believe this is the time required to move to a new registrar again.
Thanks for reading.
~Phantium
parawing742 08-30-2009, 05:52 PM Scary, but I've used namecheap.com for years (including the live chat a number of times) and I've never been asked for my password or any portion of it. Hopefully it isn't a new trend.
Phantium 08-30-2009, 06:04 PM Exactly, I don't feel safe with any company asking for even a part of my password. If they didn't do this I would have had nothing to complain about and would have pleasantly stayed with them. But they have broken my trust now.
dotflyer 08-30-2009, 07:24 PM It's really bad if they can see your password; many of us use the same password for many services. Isn't this against privacy?
NolanCrutix 08-30-2009, 07:35 PM Scary, but I've used namecheap.com for years (including the live chat a number of times) and I've never been asked for my password or any portion of it. Hopefully it isn't a new trend.
Ditto. I love NameCheap.
larwilliams 08-30-2009, 07:38 PM Are you sure they didn't mean the last 4 digits of the credit card you used with them?
Regardless, I doubt they would be so careless as to store passwords in plain text. There are ways to make passwords that are stored encrypted, but can be decrypted using a specific algorithm.
Maybe NameCheap will comment soon.
dotflyer 08-30-2009, 07:44 PM Yes, most companies ask for the last 4 digits of the CC for verification, but 4 digits of the password I have never heard of.
If it's true, what if we don't have 4 digits ;)
Victor Lugo 08-30-2009, 08:39 PM I can confirm that Namecheap requests the last 4 characters of your password for anything regarding account changes or personal information, but I cannot say for sure how passwords are stored.
mohanv 08-31-2009, 01:12 AM Hello All,
Rest assured, passwords are encrypted. We do have one-way password hashes for certain combination to make it possible for CS to validate the authenticity of the customer. The support representative is not shown the full password.
To make it even more secure, we too have plans to implement an option to specify a 'Support Security Code' that can be provided for communication with CS instead.
Thanks,
Mohan
Namecheap.com
enetwork 08-31-2009, 01:29 AM I would also like to add that in most cases we do not require this information. It is only necessary when a client asks us to make changes to their domains or their account on their behalf. We like to have our staff be as empowered as possible to help the client as much and as quickly as possible. Without this we would have to limit what our support providers could and could not do.
This is our way of validating that the user in our live chat is the actual owner of the account.
As Mohan mentioned, we will soon be implementing a security code feature that will allow client to provide this to the support rep as validation. This code will be a unique code assigned to each user's account and separate from their regular password. The account owner will also have the option of re-generating this code at any time or scheduling an automatic re-generation.
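A sketch of the separate support code described in the two posts above, as an added example that is not part of the thread and is not Namecheap's code. The class name, the 12-character code format and the PBKDF2 parameters are assumptions. The code is random, independent of the login password, stored only as a salted hash, and replaceable at any time.

```python
import hashlib
import hmac
import math
import secrets
import string

CODE_ALPHABET = string.ascii_uppercase + string.digits  # assumed code format
CODE_LENGTH = 12                                        # assumed length


def keyspace_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random string of the given shape."""
    return length * math.log2(alphabet_size)


class SupportCodeStore:
    """Hypothetical per-account support codes, kept apart from passwords."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest); the code is never stored

    @staticmethod
    def _digest(code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def regenerate(self, username):
        """Issue a fresh code, invalidating the old one. Shown to the owner once."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, self._digest(code, salt))
        return code

    def verify(self, username, presented):
        """Check what the customer read out in chat; constant-time comparison."""
        record = self._records.get(username)
        if record is None:
            self._digest(presented, b"\x00" * 16)  # same work for unknown users
            return False
        salt, expected = record
        return hmac.compare_digest(self._digest(presented, salt), expected)


if __name__ == "__main__":
    store = SupportCodeStore()
    code = store.regenerate("alice")           # constructed sample account
    print("valid code accepted:", store.verify("alice", code))
    store.regenerate("alice")                  # owner rotates after a chat
    print("old code still accepted:", store.verify("alice", code))
    # 4 printable-ASCII password characters vs. the random 12-character code
    print(f"{keyspace_bits(95, 4):.1f} bits vs {keyspace_bits(36, 12):.1f} bits")
```

Unlike a password fragment, a support code that ends up in an archived chat transcript says nothing about the login password and stops working as soon as the owner regenerates it.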
raidz 08-31-2009, 05:42 AM I would also like to add .......
Thanks for your quick clarification. I have some domains with you guys and was worried after I read the first post.
Phantium 08-31-2009, 01:31 PM enetwork, please.. let me file a complaint with you.
I will not post the name of the person here, but this is part of the chat log.
support staff: Hello, you've contacted NameCheap Live Support! How can I help you today?
me: Hello I have a concern, I have WhoisGuard for my *** domain and the whoisguard e-mail does not seem to work, I do not receive e-mail sent to it.
support staff: Please provide me with your username and the last 4 symbols of your password <---- !!!!!
Do YOU realize how unsafe I felt once this was sent to me??? This is the worst kind of support I have ever had, I felt insecure with NameCheap. After reading the above posts it's a bit better... but still.
M Bacon 08-31-2009, 01:41 PM Namecheap needs to use a PIN system instead. When you sign up or log in to your account the first time, you pick 4 numbers. You present those numbers to staff to prove that it's you. Seems pretty simple, eh? No password revealing at all. If somebody has the last 4 digits, they could guess the beginning of the password. I see what OP means for sure. ;)
Dave Zan 08-31-2009, 07:26 PM enetwork, please.. let me file a complaint with you.
I will not post the name of the person here, but this is part of the chat log.
support staff: Hello, you've contacted NameCheap Live Support! How can I help you today?
me: Hello I have a concern, I have WhoisGuard for my *** domain and the whoisguard e-mail does not seem to work, I do not receive e-mail sent to it.
support staff: Please provide me with your username and the last 4 symbols of your password <---- !!!!!
Do YOU realize how unsafe I felt once this was sent to me??? This is the worst kind of support I have ever had, I felt insecure with NameCheap. After reading the above posts it's a bit better... but still.
You probably didn't notice this, but their chat support starts with https. IIRC that means that site is on a secure server, and that encrypts any data entered into it.
flyah 08-31-2009, 08:42 PM I don't like their panel. but I love the free private whois and ssl.
I still prefer GoDaddy.
elmister 08-31-2009, 08:47 PM About the PIN option:
I have had a GoDaddy account since 2001 or 2002, and I only realized this year that GoDaddy has a PIN.
I realized it because in another forum a member needed it to recover a stolen password; other forum members also didn't know anything about that PIN.
All those people entered their accounts and noted their PINs.
People tend to forget things they don't use.
Phantium 09-01-2009, 01:11 PM You probably didn't notice this, but their chat support starts with https. IIRC that means that site is on a secure server, and that encrypts any data entered into it.
This is completely irrelevant to them seeing part of my password.
And no, it doesn't mean that it is on a secure server. It only means the connection is encrypted with a certificate, and no it doesn't mean the information can't be leaked.
Nothing is untraceable.
nomar86 09-01-2009, 01:12 PM I am not a fan of namecheap either. I go with domainsite nowadays! They are not always as fast as they should be though, but are reliable
Phantium 09-01-2009, 01:14 PM I am not a fan of namecheap either. I go with domainsite nowadays! They are not always as fast as they should be though, but are reliable
May I ask why you are not a "fan" of namecheap?
speckl 09-01-2009, 01:30 PM Umm... SO WHAT?!?!?! They ask for the last four of your password and you freak out. God forbid your identity get stolen or you would be hospitalized for self inflicted trauma.
NameCheap just stated that the password is hashed. Now you know it's safe, but you're picking something to still complain about, their support. Their employee did exactly what they are required to do. You can blame NameCheap for requiring this information, but how dare you blame the support tech for doing their job.
Phantium 09-01-2009, 01:33 PM Umm... SO WHAT?!?!?! They ask for the last four of your password and you freak out. God forbid your identity get stolen or you would be hospitalized for self inflicted trauma.
NameCheap just stated that the password is hashed. Now you know it's safe, but you're picking something to still complain about, their support. Their employee did exactly what they are required to do. You can blame NameCheap for requiring this information, but how dare you blame the support tech for doing their job.
If you're just here to bitch and moan about my complaints, then don't post at all. I have an opinion. And I'm not changing it, saving even part of my password could mean fully revealing it.
Victor Lugo 09-01-2009, 03:31 PM NameCheap just stated that the password is hashed. Now you know it's safe, <snip>
Try again. NameCheap logs and archives all live chat sessions and support tickets.
If you're about to tell me that these too are hashed, you don't know what you're talking about.
There are many security concerns which NameCheap has yet to address.
The staff panel is publicly accessible and located here: https://support.namecheap.com/staff/
The admin panel is publicly accessible and located here: https://support.namecheap.com/admin/
Now, both URLs are SSL-secured (https://). Does this mean your personal information is secure? Not at all.
Dave Zan 09-01-2009, 08:13 PM I have an opinion.
Well, so does everyone else. And we're all free to post our opinions here, even if we don't agree with one another.
Truth is, we all have the risk of possibly losing our domain names with a registrar employee. Someone can always reset it, change email, etc., although nothing's untraceable as you said.
Oh, and just send your complaint to enetwork or whoever at NameCheap. They'll consider it, but it's solely up to them to decide how to address that, how soon, etc.
Meanwhile, good luck with whichever registrar you seek. You can always be a reseller or even a registrar if you want more control, albeit it can be a bit more costly.
redmeds 09-01-2009, 11:36 PM If you're just here to bitch and moan about my complaints, then don't post at all. I have an opinion. And I'm not changing it, saving even part of my password could mean fully revealing it.
Well are you here to bitch and complain?
Or are you here to have a discussion?
Sounds like you have stated a fact by saying that you already have an opinion, and not willing to change it.
Therefore, you must be here to bitch and complain as well.
So, while you are critical of what you perceive to be someone's bitching and complaining, you are kind of just bitching and complaining yourself.
Would you like a mirror to go with your next post? :D
plumsauce 09-01-2009, 11:45 PM If you're just here to bitch and moan about my complaints, then don't post at all. I have an opinion. And I'm not changing it, saving even part of my password could mean fully revealing it.
Any organisation asked to do something on behalf of an account needs *some* form of confirmation that you are who you say you are.
Using the last 4 digits of the password is quite reasonable. The customer is more likely to remember the last 4 symbols of his password than some PIN that he never uses, but is sure has it stored somewhere safe. He just isn't sure where.
The only better system is the one used by paypal. A one time pin valid for one hour is issued by the control panel. The customer is asked for that pin on the phone.
As has been emphasised several times above, having 4 symbols is not the same as having the whole thing. Since it is always the last 4 symbols, it is always the same part that is being handled. It's not as if they could ask for this part one time, the other part another time, and recreate the password as a whole.
If having 4 symbols leaked threatens the security of your password, it is too short. That would not be Namecheap's fault.
Furthermore, namecheap has asserted that the four digits are one way hashed so that the resulting hash can be compared.
The only more secure way to do it is to ask you to hash the four digits + salt and then you read the resulting 40 hexadecimal characters to them without error. Make an error, start all over again.
If all this is too risky for you, you can always forget about domain names altogether and use ip addresses. In theory, the internet works fine using ip addresses. Somewhat inconvenient, but you won't have to worry about any domains at all.
BristolSue 09-02-2009, 06:40 AM If having 4 symbols leaked threatens the security of your password, it is too short. That would not be Namecheap's fault.
That is what I have thought myself. Your password, if it is so very easily guessed from the last four symbols, is obviously way too insecure.
You need to change your password ASAP or the next time we'll be seeing your posts it will be a complaint that your domain was hacked.
Am I being harsh? Maybe. But I see no reason to fault namecheap on this. And I really have never heard of their support stealing domains. :rolleyes: Not to say it couldn't ever happen, but that could happen at any registrar.
DigitalLinx 09-02-2009, 07:34 AM what if they decide to try and steal my domain name?
If they want to, they can steal your domain without your password or even the last 4 characters of your password.
If we start thinking about security in the extreme: even if they do not decrypt the last 4 characters of their customer's password, even if they store all customer data on a local, publicly inaccessible server with strict firewall rules for only selected hosts, if they get compromised an attacker can just modify their web panel/API to log all passwords, chat sessions and credit card information before they get encrypted/stored.
So it's just a question of trust, not about security, since security on the internet is basically an oxymoron.
M Bacon 09-02-2009, 11:47 AM Kayako Support Suite does log chats.
You need to make sure that you lock your domain and choose a complex password.
SSL is free at namecheap.com but privacy protection is not free after the first year.
Phantium 09-02-2009, 12:50 PM Ok well, my password is not easy to guess but I was not only talking about myself.
I wouldn't want anyone else to get their password revealed. I personally already decided on a new registrar, surely I hope that they do improve on things.
Why not ask an order number as confirmation? It's what was done eventually after telling them I did not wish to give part of my password. The way it was brought to me made me feel insecure, why? Because asking for a password, or even part of it can be a very sensitive thing.
And I'm sorry if I sounded a bit harsh in my posts, yes I did bitch and moan myself. But personally.. I believe forums are made for this, it's all I ever see on forums.. bitching and moaning. Or.. maybe I just visit the wrong forums. :) Hmm, well.
I'm not saying that I'm all the way unhappy with NameCheap, for one they do their best with support and help you pretty fast. Just that one time experience had me creeped out.
However, I'm disappointed with their slow domain transfers; while normally it would all be automated with Namecheap, I had to contact support to have it activated for my control panel. But besides that, no complaints. :)
IC-WebHost 09-04-2009, 11:18 AM I've never been asked for my password by them at all, and I've been with them for months. I hope they are safe.
shank 03-11-2010, 11:01 AM Ah. Last night I too needed to recover the password.
I asked the chat support because I changed my password successfully but the account was still locked. He needed the first 3 symbols. He also said that he could see the password in clear text.
Then later, he said he couldn't.
So I don't know..
http://www.webhostingtalk.com/showthread.php?t=932708