  1. #1

    Unhappy with NameCheap after one day

    So I got with Namecheap yesterday, everything looked great.

    Then I initiated a support chat with a domain support representative because my whois privacy e-mail forward does not work. And guess what? They asked me for my username, ok as for the username...

    But then! Yes, you won't expect this. The person in question asked me for the last 4 digits of my password! So obviously? They save our passwords in plain text, I do not accept this! I know they might do the same over at other hosts.. but seriously? How is it safe? And I really don't want their support staff to know my password, what if they decide to try and steal my domain name?

    I asked if I could file a complaint, they told me to e-mail their support and would forward it to their management. I wanted to file a complaint on the staff who asked me for this information, as for the part where they save the password in plain text.. I do not wish to stay with Namecheap much longer.

    I will most definitely transfer my domains to another company in 3 months, I believe this is the time required to move to a new registrar again.

    Thanks for reading.

    ~Phantium

  2. #2
    Join Date
    Jan 2002
    Location
    Tennessee
    Posts
    227
    Scary, but I've used namecheap.com for years (including the live chat a number of times) and I've never been asked for my password or any portion of it. Hopefully it isn't a new trend.
    Phillip

  3. #3
    Exactly, I don't feel safe with any company asking for even a part of my password. If they didn't do this I would have had nothing to complain about and would have pleasantly stayed with them. But they have broken my trust now.

  4. #4
    Join Date
    Jan 2008
    Posts
    384
    It is really bad if they can see your password; many of us use the same password for many services. Is this not against privacy?

  5. #5
    Join Date
    May 2006
    Location
    Gary, IN
    Posts
    209
    Quote Originally Posted by parawing742 View Post
    Scary, but I've used namecheap.com for years (including the live chat a number of times) and I've never been asked for my password or any portion of it. Hopefully it isn't a new trend.
    Ditto. I love NameCheap.

  6. #6
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,201
    Are you sure they didn't mean the last 4 digits of the credit card you used with them?

    Regardless, I doubt they would be so careless as to store passwords in plain text. There are ways to make passwords that are stored encrypted, but can be decrypted using a specific algorithm.

    Maybe NameCheap will comment soon.
    Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

  7. #7
    Join Date
    Jan 2008
    Posts
    384
    Yes, mostly companies ask for the last 4 digits of the CC for verification, but 4 digits of the password I have never heard of.

    If it's true, what if we don't have 4 digits?

  8. #8
    Join Date
    Feb 2009
    Location
    United States
    Posts
    379
    I can confirm that Namecheap requests the last 4 characters of your password for anything regarding account changes or personal information, but I cannot say for sure how passwords are stored.
    Victor Lugo
    Systems Administrator

  9. #9
    Hello All,

    Rest assured, passwords are encrypted. We do have one-way password hashes for certain combination to make it possible for CS to validate the authenticity of the customer. The support representative is not shown the full password.

    To make it even more secure, we too have plans to implement an option to specify a 'Support Security Code' that can be provided for communication with CS instead.

    Thanks,
    Mohan
    Namecheap.com

  10. #10
    Join Date
    Jul 2002
    Posts
    956
    I would also like to add that in most cases we do not require this information. It is only necessary when a client asks us to make changes to their domains or their account on their behalf. We like to have our staff be as empowered as possible to help the client as much and as quickly as possible. Without this we would have to limit what our support providers could and could not do.

    This is our way of validating that the user in our live chat is the actual owner of the account.

    As Mohan mentioned, we will soon be implementing a security code feature that will allow clients to provide this to the support rep as validation. This code will be a unique code assigned to each user's account and separate from their regular password. The account owner will also have the option of re-generating this code at any time or scheduling an automatic re-generation.
    Richard Kirkendall
    NameCheap.com

  11. #11
    Join Date
    Apr 2009
    Posts
    123

    Quote Originally Posted by enetwork View Post
    I would also like to add .......
    Thanks for your quick clarification. I have some domains with you guys and was worried after I read the first post.

  12. #12
    enetwork, please.. let me file a complaint with you.

    I will not post the name of the person here, but this is part of the chat log.

    support staff: Hello, you've contacted NameCheap Live Support! How can I help you today?
    me: Hello I have a concern, I have WhoisGuard for my *** domain and the whoisguard e-mail does not seem to work, I do not receive e-mail sent to it.
    support staff: Please provide me with your username and the last 4 symbols of your password <---- !!!!!

    Do YOU realize how unsafe I felt once this was sent to me??? This is the worst kind of support I have ever had, I felt insecure with NameCheap. After reading the above posts it's a bit better... but still.
    Last edited by Phantium; 08-31-2009 at 01:36 PM.

  13. #13
    Namecheap needs to use a PIN system instead. When you sign up or log in to your account the first time, you pick 4 numbers. You present those numbers to staff to prove that it's you. Seems pretty simple eh? No password revealing at all. If somebody has the last 4 digits, they could guess the beginning of the password. I see what OP means for sure.

  14. #14
    Quote Originally Posted by Phantium View Post
    enetwork, please.. let me file a complaint with you.

    I will not post the name of the person here, but this is part of the chat log.

    support staff: Hello, you've contacted NameCheap Live Support! How can I help you today?
    me: Hello I have a concern, I have WhoisGuard for my *** domain and the whoisguard e-mail does not seem to work, I do not receive e-mail sent to it.
    support staff: Please provide me with your username and the last 4 symbols of your password <---- !!!!!

    Do YOU realize how unsafe I felt once this was sent to me??? This is the worst kind of support I have ever had, I felt insecure with NameCheap. After reading the above posts it's a bit better... but still.
    You probably didn't notice this, but their chat support starts with https. IIRC that means that site is on a secure server, and that encrypts any data entered into it.

  15. #15
    Join Date
    Jun 2009
    Location
    Manila
    Posts
    958
    I don't like their panel, but I love the free private whois and SSL.

    I still prefer GoDaddy.

  16. #16
    Join Date
    Mar 2004
    Posts
    695
    About the PIN option:

    I have had a GoDaddy account since 2001 or 2002, and I only realized this year that GoDaddy has a PIN.
    I realized it because in another forum a member needed it to recover a stolen password; other forum members also didn't know anything about that PIN.

    All those people entered their accounts and noted their PINs.

    People tend to forget things they don't use.
    Mousa: [as Rambo prepares to play Afghan game 'buzkashi'] God must love crazy people.
    Rambo: [getting on horse] Why?
    Mousa: He make so many of them!

  17. #17
    Quote Originally Posted by Dave Zan View Post
    You probably didn't notice this, but their chat support starts with https. IIRC that means that site is on a secure server, and that encrypts any data entered into it.
    This is completely irrelevant to them seeing part of my password.
    And no, it doesn't mean that it is on a secure server. It only means the connection is encrypted with a certificate, and no it doesn't mean the information can't be leaked.
    Nothing is untraceable.

  18. #18
    Join Date
    Dec 2007
    Location
    Netherlands
    Posts
    8
    I am not a fan of namecheap either. I go with domainsite nowadays! They are not always as fast as they should be though, but are reliable

  19. #19
    Quote Originally Posted by nomar86 View Post
    I am not a fan of namecheap either. I go with domainsite nowadays! They are not always as fast as they should be though, but are reliable
    May I ask why you are not a "fan" of namecheap?

  20. #20
    Join Date
    Jan 2004
    Posts
    593
    Umm... SO WHAT?!?!?! They ask for the last four of your password and you freak out. God forbid your identity get stolen or you would be hospitalized for self inflicted trauma.

    NameCheap just stated that the password is hashed. Now you know it's safe, but you're picking something to still complain about, their support. Their employee did exactly what they are required to do. You can blame NameCheap for requiring this information, but how dare you blame the support tech for doing their job.
    Check out my new Chrome Extension - Server Admin Tool
    frustratedtech.com - Helpful Server Tech Advice

  21. #21
    Quote Originally Posted by Internet54 View Post
    Umm... SO WHAT?!?!?! They ask for the last four of your password and you freak out. God forbid your identity get stolen or you would be hospitalized for self inflicted trauma.

    NameCheap just stated that the password is hashed. Now you know it's safe, but you're picking something to still complain about, their support. Their employee did exactly what they are required to do. You can blame NameCheap for requiring this information, but how dare you blame the support tech for doing their job.
    If you're just here to bitch and moan about my complaints, then don't post at all. I have an opinion. And I'm not changing it, saving even part of my password could mean fully revealing it.

  22. #22
    Join Date
    Feb 2009
    Location
    United States
    Posts
    379
    Quote Originally Posted by Internet54 View Post
    NameCheap just stated that the password is hashed. Now you know it's safe, <snip>
    Try again. NameCheap logs and archives all live chat sessions and support tickets.
    If you're about to tell me that these too are hashed, you don't know what you're talking about.

    There are many security concerns which NameCheap has yet to address.

    The staff panel is publicly accessible and located here: https://support.namecheap.com/staff/
    The admin panel is publicly accessible and located here: https://support.namecheap.com/admin/

    Now, both URLs are SSL-secured (https://). Does this mean your personal information is secure? Not at all.
    Victor Lugo
    Systems Administrator

  23. #23
    Quote Originally Posted by Phantium View Post
    I have an opinion.
    Well, so does everyone else. And we're all free to post our opinions here, even if we don't agree with one another.

    Truth is, we all have the risk of possibly losing our domain names with a registrar employee. Someone can always reset it, change email, etc., although nothing's untraceable as you said.

    Oh, and just send your complaint to enetwork or whoever at NameCheap. They'll consider it, but it's solely up to them to decide how to address that, how soon, etc.

    Meanwhile, good luck with whichever registrar you seek. You can always be a reseller or even a registrar if you want more control, albeit it can be a bit more costly.

  24. #24
    Join Date
    Jan 2008
    Posts
    519
    Quote Originally Posted by Phantium View Post
    If you're just here to bitch and moan about my complaints, then don't post at all. I have an opinion. And I'm not changing it, saving even part of my password could mean fully revealing it.
    Well are you here to bitch and complain?

    Or are you here to have a discussion?

    Sounds like you have stated a fact by saying that you already have an opinion, and not willing to change it.

    Therefore, you must be here to bitch and complain as well.

    So, while you are critical of what you perceive to be someone's bitching and complaining, you are kind of just bitching and complaining yourself.

    Would you like a mirror to go with your next post?
    Mike

  25. #25
    Quote Originally Posted by Phantium View Post
    If you're just here to bitch and moan about my complaints, then don't post at all. I have an opinion. And I'm not changing it, saving even part of my password could mean fully revealing it.
    Any organisation asked to do something on behalf of an account needs *some* form of confirmation that you are who you say you are.

    Using the last 4 digits of the password is quite reasonable. The customer is more likely to remember the last 4 symbols of his password than some PIN that he never uses, but is sure he has stored somewhere safe. He just isn't sure where.

    The only better system is the one used by PayPal. A one-time PIN valid for one hour is issued by the control panel. The customer is asked for that PIN on the phone.

    As has been emphasised several times above, having 4 symbols is not the same as having the whole thing. Since it is always the last 4 symbols, it is always the same part that is being handled. It's not as if they could ask for this part one time, the other part another time, and recreate the password as a whole.

    If having 4 symbols leaked threatens the security of your password, it is too short. That would not be Namecheap's fault.

    Furthermore, namecheap has asserted that the four digits are one way hashed so that the resulting hash can be compared.

    The only more secure way to do it is to ask you to hash the four digits + salt and then you read the resulting 40 hexadecimal characters to them without error. Make an error, start all over again.

    If all this is too risky for you, you can always forget about domain names altogether and use IP addresses. In theory, the internet works fine using IP addresses. Somewhat inconvenient, but you won't have to worry about any domains at all.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com
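
The support security code described in post #10 (unique per account, separate from the password, regenerable by the owner), combined with the one-time, one-hour validity mentioned in post #25, sketched as an added example; it is not Namecheap's code or any poster's. The `SupportCodeStore` class, the 8-character code format, the five-attempt limit and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: no 0/O/1/I look-alikes
CODE_LENGTH = 8      # assumed length; 32**8 possible codes
CODE_TTL = 3600      # seconds: the one-hour validity mentioned in post #25
MAX_FAILURES = 5     # assumed limit on wrong guesses per issued code


class SupportCodeStore:
    """Hypothetical store; a dict stands in for the account database."""

    def __init__(self, clock=time.time):
        self._rows = {}
        self._clock = clock

    @staticmethod
    def _digest(code, salt):
        # Only a salted, stretched hash of the code is kept, never the code.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def regenerate(self, account):
        """Issue a fresh random code, replacing any earlier one."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._rows[account] = {"salt": salt, "digest": self._digest(code, salt),
                               "expires": self._clock() + CODE_TTL, "failures": 0}
        return code  # shown once to the logged-in owner, unrelated to the password

    def verify(self, account, spoken):
        """Check the code a customer gives to support; True at most once."""
        row = self._rows.get(account)
        if row is None:
            return False
        if self._clock() > row["expires"] or row["failures"] >= MAX_FAILURES:
            del self._rows[account]  # expired or locked: owner must regenerate
            return False
        candidate = self._digest(spoken.strip().upper(), row["salt"])
        if hmac.compare_digest(row["digest"], candidate):
            del self._rows[account]  # single use
            return True
        row["failures"] += 1
        return False
```

Because the code is generated independently of the password, a chat transcript or support ticket that records it contains no password material, and the owner can invalidate it by regenerating.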
