I'm curious. I have VPSes with two companies that have managed/semi-managed support (depending on how you define it) and rely on them for a fair amount.
Whenever submitting a support request, I have to submit my root and cPanel passwords. Do people in my situation leave their root password as they would normally and just change it however often they would if it wasn't given to support? Or, do you change your root/cPanel passwords before making a support request, and then change them back after the ticket is closed?
No offense intended to either of the VPS companies or their personnel (that monitor WHT), both have been great. But, the reality is that I take it everyone at the company that has access to submitted tickets now has access to the root password, and since, as a customer, I don't know when there has been employee turnover, that seems like a security risk.
So, I am curious how others handle this. Not really sure if this belongs here or in the VPS forum, but since it could apply to any type of server/hosting account, I figured it belonged here.
I think it depends on how often you are submitting tickets to them.
If you are only submitting tickets to them very rarely, maybe once or twice a month, then I would adopt the policy of either changing the root password before you open the ticket and giving them that password, or giving them the current root password and changing it after their work is completed.
If you submit tickets on a fairly regular basis then I would look into adopting a policy where you change your server passwords every week or every two weeks, or on some interval that you are comfortable with.
Other things to bear in mind are how many servers you have. If you have one or two servers, it's a lot easier to change the root passwords. If you have 20 servers then this becomes a bit more difficult (though no less important).
It also just depends on how much value you put on server security. Security is going to come at the cost of convenience, there's no question. You have to decide where you fall on this line. I think the datacenters and the management team will tell you that for ultimate security you should change the password after having a ticket resolved with them. The fewer people that know the active password for your server, the less likely it is that the password can be compromised. If this is done, this basically takes away the finger pointing at the datacenter or management team when the password is compromised. Is it less convenient? You bet. This means that the datacenter or management team won't be able to access your servers to assist with any problem without notifying you beforehand. (I suppose SSH keys are one alternative, but just to keep everything in context I am sticking with password-based authentication; plus, if you are dealing with a large management team or datacenter, they probably have the keys and passphrases stored just like they would have the passwords stored, which still could be potentially compromised.)
It's probably a good idea to look into SSH keys, just for yourself. Then you can SSH into the server without having to know the root password, just a passphrase to authenticate the key. This way, if you forget the root password, you can still SSH into the server and reset the password.
Alternatively, a dedicated server datacenter can reset the root password by rebooting the server into single-user mode and then resetting the password. Single-user mode doesn't require a password, but requires that you physically be at the console of the machine. They might charge for this, and they might not do it at all. It might be a bit of a hassle for the datacenter, but if you do forget your root password the datacenter should be able to reset it using this method (assuming they offer this service).
For VPS servers, it probably depends on what virtualization software is being used. I would think that most VPS datacenters would not need the root password for your VPS as they could just enter the VPS through the main controlling node. With that they should also be able to reset your root password in case you forget it.
You may need to provide some type of credentials to prove that you are who you say you are with the datacenter. I know I'd be a little annoyed if they just reset the password to a server for anyone that wrote in asking about it.
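The reply above mentions SSH keys as the alternative to handing out the root password. As an added example (not code from this thread or from any hosting provider), the POSIX shell helpers below grant a support vendor a per-ticket SSH key in root's authorized_keys, restricted to the vendor's source network, revoke it once the ticket is closed, and rotate the root password afterwards. The ticket numbers, the 203.0.113.0/24 vendor network and the key strings are constructed placeholders; the `restrict` option assumes OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Per-ticket support access via tagged SSH keys instead of a shared root password.
# AUTH_KEYS defaults to root's file; override it to test against a scratch file.
AUTH_KEYS="${AUTH_KEYS:-/root/.ssh/authorized_keys}"

# grant_support_key TICKET FROM_PATTERN PUBKEY
# Appends the vendor's public key tagged with the ticket id so it can be found
# and removed later. from= limits the source hosts; restrict disables port/agent/X11
# forwarding; pty is re-enabled so the support engineer still gets a usable shell.
grant_support_key() {
    ticket="$1"; from="$2"; pubkey="$3"
    # One key per ticket: refuse a duplicate grant.
    if grep -q " support-ticket-${ticket}\$" "$AUTH_KEYS" 2>/dev/null; then
        return 1
    fi
    printf 'from="%s",restrict,pty %s support-ticket-%s\n' \
        "$from" "$pubkey" "$ticket" >> "$AUTH_KEYS"
}

# revoke_support_key TICKET: remove every key line tagged with that ticket.
revoke_support_key() {
    ticket="$1"; tmp="${AUTH_KEYS}.tmp.$$"
    # grep -v exits 1 when no lines remain (file becomes empty); that is not an error.
    grep -v " support-ticket-${ticket}\$" "$AUTH_KEYS" > "$tmp" || [ $? -eq 1 ]
    # Overwrite in place to keep the file's mode and ownership, then drop the temp file.
    cat "$tmp" > "$AUTH_KEYS" && rm -f "$tmp"
}

# count_support_keys: number of ticket-tagged keys still active (0 if none).
count_support_keys() {
    [ -f "$AUTH_KEYS" ] || { echo 0; return 0; }
    grep -c ' support-ticket-[A-Za-z0-9_-]*$' "$AUTH_KEYS" || true
}

# rotate_root_password: set a fresh random root password once the ticket is closed.
# Needs root plus openssl and chpasswd; prints the new password once for your password manager.
rotate_root_password() {
    newpw="$(openssl rand -base64 24)"
    printf 'root:%s\n' "$newpw" | chpasswd && printf '%s\n' "$newpw"
}
```

Run `revoke_support_key TICKET` and then `rotate_root_password` as the last step of closing a ticket, so the vendor's key and any password they were given both stop working at the same time.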
You can change the password from WHM; follow this path: WHM Main >> Server Configuration >> Change Root Password.
Usually support companies ask for the root password; nothing to worry about, they require it to investigate the issues. You can also change the password after the issue is rectified. Changing the root password of your server frequently will increase security.