Results 1 to 25 of 31
-
08-30-2009, 05:05 PM #1Newbie
- Join Date
- May 2006
- Posts
- 24
Unhappy with NameCheap after one day
So I got with Namecheap yesterday, everything looked great.
Then I initiated a support chat with a domain support representative because my whois privacy e-mail forward does not work. And guess what? They asked me for my username, ok as for the username...
But then! Yes, you won't expect this. The person in question asked me for the last 4 digits of my password! So obviously? They save our passwords in plain text, I do not accept this! I know they might do the same over at other hosts.. but seriously? How is it safe? And I really don't want their support staff to know my password, what if they decide to try and steal my domain name?
I asked if I could file a complaint, they told me to e-mail their support and would forward it to their management. I wanted to file a complaint on the staff who asked me for this information, as for the part where they save the password in plain text.. I do not wish to stay with Namecheap much longer.
I will most definitely transfer my domains to another company in 3 months, I believe this is the time required to move to a new registrar again.
Thanks for reading.
~Phantium
-
08-30-2009, 05:52 PM #2Junior Guru
- Join Date
- Jan 2002
- Location
- Tennessee
- Posts
- 227
Scary, but I've used namecheap.com for years (including the live chat a number of times) and I've never been asked for my password or any portion of it. Hopefully it isn't a new trend.
Phillip
-
08-30-2009, 06:04 PM #3Newbie
- Join Date
- May 2006
- Posts
- 24
Exactly, I don't feel safe with any company asking for even a part of my password. If they didn't do this I would have had nothing to complain about and would have pleasantly stayed with them. But they have broken my trust now.
-
08-30-2009, 07:24 PM #4Aspiring Evangelist
- Join Date
- Jan 2008
- Posts
- 384
i really bad if they can see your password, many of us use same password for many services. This is not against privacy?
-
08-30-2009, 07:35 PM #5Junior Guru
- Join Date
- May 2006
- Location
- Gary, IN
- Posts
- 209
-
08-30-2009, 07:38 PM #6Web Hosting Master
- Join Date
- Jan 2008
- Location
- St. John's, NL
- Posts
- 2,201
Are you sure they didn't mean the last 4 digits of the credit card you used with them?
Regardless, I doubt they would be so careless as to store passwords in plain text. There are ways to make passwords that are stored encrypted, but can be decrypted using a specific algorithm.
Maybe NameCheap will comment soon.Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
LCWSoft - Canada web hosting (based in Newfoundland) since 2007
Servers based in the US and Canada (Uptime Report)
-
08-30-2009, 07:44 PM #7Aspiring Evangelist
- Join Date
- Jan 2008
- Posts
- 384
yes mostly companies company ask for last 4 digit of CC for verification, but 4 digit of password i never heard.
If its tru what if we don;t have 4 digit
-
08-30-2009, 08:39 PM #8Aspiring Evangelist
- Join Date
- Feb 2009
- Location
- United States
- Posts
- 379
I can confirm that Namecheap requests the last 4 characters of your password for anything regarding account changes or personal information, but I cannot say for sure how passwords are stored.
Victor Lugo
Systems Administrator
-
08-31-2009, 01:12 AM #9New Member
- Join Date
- Jul 2008
- Posts
- 2
Hello All,
Rest assured, passwords are encrypted. We do have one-way password hashes for certain combination to make it possible for CS to validate the authenticity of the customer. The support representative is not shown the full password.
To make it even more secure, we too have plans to implement an option to specify a 'Support Security Code' that can be provided for communication with CS instead.
Thanks,
Mohan
Namecheap.com
-
08-31-2009, 01:29 AM #10Web Hosting Master
- Join Date
- Jul 2002
- Posts
- 956
I would also like to add that in most cases we do not require this information. It is only necessary when a client asks us to make changes to their domains or their account on their behalf. We like to have our staff be as empowered as possible to help the client as much and as quickly as possible. Without this we would have to limit what our support providers could and could not do.
This is our way of validating that the user in our live chat is the actual owner of the account.
As Mohan mentioned, we will soon be implementing a security code feature that will allow client to provide this to the support rep as validation. This code will be a unique code assigned to each user's account and separate from their regular password. The account owner will also have the option of re-generating this code at any time or scheduling an automatic re-generation.Richard Kirkendall
NameCheap.com
-
08-31-2009, 05:42 AM #11WHT Addict
- Join Date
- Apr 2009
- Posts
- 123
-
08-31-2009, 01:31 PM #12Newbie
- Join Date
- May 2006
- Posts
- 24
enetwork, please.. let me file a complaint with you.
I will not post the name of the person here, but this is part of the chat log.
support staff: Hello, you've contacted NameCheap Live Support! How can I help you today?
me: Hello I have a concern, I have WhoisGuard for my *** domain and the whoisguard e-mail does not seem to work, I do not receive e-mail sent to it.
support staff: Please provide me with your username and the last 4 symbols of your password <---- !!!!!
Do YOU realize how unsafe I felt once this was sent to me??? This is the worst kind of support I have ever had, I felt insecure with NameCheap. After reading the above posts it's a bit better... but still.Last edited by Phantium; 08-31-2009 at 01:36 PM.
-
08-31-2009, 01:41 PM #13Disabled
- Join Date
- Apr 2009
- Posts
- 3,262
Namecheap needs to use a PIN system instead. When you sign up or log in your account the first time, you pick 4 numbers. You present those numbers to staff to prove that its you. Seems pretty simple eh? No password revealing at all. If somebody has the last 4 digits, they could guess the beginning of the password. I see what OP means for sure.
-
08-31-2009, 07:26 PM #14Web Hosting Master
- Join Date
- May 2004
- Posts
- 4,076
-
08-31-2009, 08:42 PM #15Web Hosting Master
- Join Date
- Jun 2009
- Location
- Manila
- Posts
- 958
I don't like their panel. but I love the free private whois and ssl.
I still prefer GoDaddy.
-
08-31-2009, 08:47 PM #16Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 695
about the pin option
i have a godaddy account since 2001 or 2002, i realized godaddy has a PIN this year.
and i realized it because in other forum, a member needed it to recover stolen password, other forum members also didn't know anything about that pin.
All those people entered their accounts and noted their pins.
People use to forget things that doesn't use.Mousa: [as Rambo prepares to play Afghan game 'buzkashi'] God must love crazy people.
Rambo: [getting on horse] Why?
Mousa: He make so many of them!
-
09-01-2009, 01:11 PM #17Newbie
- Join Date
- May 2006
- Posts
- 24
-
09-01-2009, 01:12 PM #18Newbie
- Join Date
- Dec 2007
- Location
- Netherlands
- Posts
- 8
I am not a fan of namecheap either. I go with domainsite nowadays! They are not always as fast as they should be though, but are reliable
-
09-01-2009, 01:14 PM #19Newbie
- Join Date
- May 2006
- Posts
- 24
-
09-01-2009, 01:30 PM #20Web Hosting Master
- Join Date
- Jan 2004
- Posts
- 593
Umm... SO WHAT?!?!?! They ask for the last four of your password and you freak out. God forbid your identity get stolen or you would be hospitalized for self inflicted trauma.
NameCheap just stated that the password is hashed. Now you know it's safe, but your picking something to still complain about, their support. Their employee did exactly what they are required to do. You can blame NameCheap for requiring this information, but how dare you blame the support tech for doing their job.Check out my new Chrome Extension - Server Admin Tool
frustratedtech.com - Helpful Server Tech Advice
-
09-01-2009, 01:33 PM #21Newbie
- Join Date
- May 2006
- Posts
- 24
-
09-01-2009, 03:31 PM #22Aspiring Evangelist
- Join Date
- Feb 2009
- Location
- United States
- Posts
- 379
Try again. NameCheap logs and archives all live chat sessions and support tickets.
If you're about to tell me that these too are hashed, you don't know what you're talking about.
There are many security concerns which NameCheap has yet to address.
The staff panel is publicly accessible and located here: https://support.namecheap.com/staff/
The admin panel is publicly accessible and located here: https://support.namecheap.com/admin/
Now, both URL's are SSL-secured (https://). Does this mean your personal information is secure? Not at all.Victor Lugo
Systems Administrator
-
09-01-2009, 08:13 PM #23Web Hosting Master
- Join Date
- May 2004
- Posts
- 4,076
Well, so does everyone else. And we're all free to post our opinions here, even if we don't agree with one another.
Truth is, we all have the risk of possibly losing our domain names with a registrar employee. Someone can always reset it, change email, etc., although nothing's untraceable as you said.
Oh, and just send your complaint to enetwork or whoever at NameCheap. They'll consider it, but it's solely up to them to decide how to address that, how soon, etc.
Meanwhile, good luck with whoever registrar you seek. You can always be a reseller or even a registrar if you want more control, albeit it can be a bit more costly.
-
09-01-2009, 11:36 PM #24Web Hosting Evangelist
- Join Date
- Jan 2008
- Posts
- 519
Well are you here to bitch and complain?
Or are you here to have a discussion?
Sounds like you have stated a fact by saying that you already have an opinion, and not willing to change it.
Therefore, you must be here to bitch and complain as well.
So, while you are critical of what you perceive to be someone's bitching and complaining, you are kind of just bitching and complaining yourself.
Would you like a mirror to go with your next post?Mike
-
09-01-2009, 11:45 PM #25******* Unleaded
- Join Date
- Feb 2004
- Posts
- 3,849
Any organisation asked to do something on behalf of an account needs *some* form of confirmation that you are who you say you are.
Using the last 4 digits of the password is quite reasonable. The customer is more likely to remember the last 4 symbols of his password than some PIN that he never uses, but is sure has it stored somewhere safe. He just isn't sure where.
The only better system is the one used by paypal. A one time pin valid for one hour is issued by the control panel. The customer is asked for that pin on the phone.
As has been emphasised several times above, having 4 symbols is not the same as having the whole thing. Since it is always the last 4 symbols, it is always the same part that is being handled. It's not as if they could ask for this part one time, the other part another time, and recreate the password as a whole.
If having 4 symbols leaked threatens the security of your password, it is too short. That would not be namecheaps fault.
Furthermore, namecheap has asserted that the four digits are one way hashed so that the resulting hash can be compared.
The only more secure way to do it is to ask you to hash the four digits + salt and then you read the resulting 40 hexadecimal characters to them without error. Make an error, start all over again.
If all this is too risky for you, you can always forget about domain names altogether and use ip addresses. In theory, the internet works fine using ip addresses. Somewhat inconvenient, but you won't have to worry about any domains at all.edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com
Similar Threads
-
Very Unhappy
By Spunkyasp in forum WHT Announcements, Feedback and QuestionsReplies: 3Last Post: 12-09-2008, 05:57 PM -
Unhappy with Infinitie.net
By zimmerwham in forum VPS HostingReplies: 9Last Post: 08-20-2008, 06:18 PM -
help! very unhappy with managed.com
By techforce in forum Dedicated ServerReplies: 31Last Post: 03-03-2005, 10:31 AM -
Unhappy with unhappy business
By WCHost in forum Web Hosting LoungeReplies: 9Last Post: 02-22-2004, 01:57 PM -
Now unhappy with Namezero
By Sin in forum Domain NamesReplies: 2Last Post: 08-18-2003, 11:46 AM