
1and1 ask for passwords over the phone - timrogers
http://blog.tim-rogers.co.uk/posts/1and1-ask-for-passwords-over-the-phone
======
saurik
> Help me HN. Has anyone else had experiences like this with 1and1? What did
> they do to get things resolved?

I use 1&1, and I ran into the same situation a couple months ago: I was
terminating one of my contracts, and they asked for my password over the phone
to verify. To be clear: I was not closing my account, I was only terminating a
single contract.

The way I "resolved" the matter was quite simple: as I am not stubborn, I just
gave them my password. The person sitting on the other end of the phone call
already certainly has godlike access to my account anyway, I am not stupid
enough to use the same password for multiple accounts, and barring insanely
epic hacks I know they are a real representative as I called them at their
phone number; so, there is really very little to lose handing over my password
to the customer support person.

In the end, rather than getting morally outraged and posting an article asking
a question to an online community in the hope of unblocking your ability to
conduct what is fairly simple business, you should just change your password
when you are done with the call and move on with your life. It will save
yourself a bunch of time and frustration.

Then, afterwards, if you don't like the way 1&1 operates (maybe you believe
that this is indicative of a more underlying set of security mistakes, or
maybe you simply don't agree with the practice and don't want to support it),
you might then consider moving your accounts to a different provider: there
are tons of people you can use to host servers, domains, or whatever else you
may be using 1&1 for. However, it shouldn't block your ability to make things
happen right now.

~~~
pattern
I know I personally am happy to have read the OP's article. It made me aware
of this backwards practice by 1&1, and I also learned that 1&1 stores these
user passwords in plaintext. As a consumer of internet services, I will now
steer clear of 1&1, and I have the OP to thank for the possible headaches I
may have avoided.

I have no problem with someone standing up for what they believe in, taking a
stand, and "rallying the HN troops" for what might be a relatively minor issue
for most. I'm sure we all have made fusses about more trivial things :)

~~~
saurik
So, I don't actually disagree with the brunt of what you have said here (that
if someone has an issue with something that it might be valuable to tell other
people in the communities you are a part of who might care); however, it
doesn't really apply to this article: my response is attempting to directly
answer the question posed in the bold text at the end about "how to get things
resolved".

Now, that said, I actually do believe people "rallying troops" is often knee-
jerk and incorrect vigilante justice masquerading as valiant. It isn't always
the case, and there may be places where such behavior is legitimate (although
I think figuring that out is an interesting and horribly long off-topic
discussion). It certainly, though, isn't always positive.

As an example, there was a person claiming on HN a couple of days ago that Apple
must be storing passwords in plain text because of a 32-character password
length restriction[1]; I doubt that was actually the case, and much more
argument and research should have been made before trying to incite such panic.

(edit: Hell, I didn't even notice that you did it yourself here until I saw
the response from Fargren, but you just did it, too: there is no reason to
believe that 1&1 "stores these user passwords in plaintext". It is much more
reasonable to believe that they have a box on their end for "customer
password" that verifies it using the same mechanisms the website does. It is
not at all reasonable to "rally the troops" over assumptions.)

Again, however: that is not what this article was about; this article was not
attempting to "rally troops", this article was asking for help making progress
with an account they have at a vendor because the OP "make a point of _never,
ever, ever_ giving [his] password out to anyone" (emphasis his).

After all, you can still "rally the troops" after you get your job done: you
can change your password afterwards, you can even change your password
beforehand as borlak indicates (although that implies your password was
important, which is already a mistake), you know this person is a real
representative to within any reasonable margin of error; the moral stance
here was just stubborn. :(

[1] <http://news.ycombinator.com/item?id=4376029>
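The "box on their end" that saurik describes is easy to build without any plaintext store: the support console submits the phoned-in password to the same verification routine the login form uses, and only gets a yes/no back. The following is an added illustration written for this thread, not 1&1's code or anything posted by a commenter; the account store, the PBKDF2 parameters and the sample account are all assumed.

```python
"""
Added example: verifying a phoned-in password against the same salted hash
the website stores, so neither the web app nor the support tool ever holds
the plaintext. Names, KDF parameters and the account store are assumptions.
"""
import hashlib
import hmac
import os

# Constructed in-memory "database": account -> (salt, derived_key, iterations)
_ACCOUNTS = {}
_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password; one code path for web and support."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(account: str, password: str) -> None:
    """Store only salt + derived key; the plaintext is dropped right here."""
    salt = os.urandom(16)
    _ACCOUNTS[account] = (salt, _derive(password, salt, _ITERATIONS), _ITERATIONS)


def verify_password(account: str, candidate: str) -> bool:
    """Shared by the login form and the support console."""
    record = _ACCOUNTS.get(account)
    if record is None:
        # Unknown account: do comparable work so timing does not reveal
        # whether the account exists, then reject.
        _derive(candidate, _DUMMY_SALT, _ITERATIONS)
        return False
    salt, stored, iterations = record
    # Constant-time compare of the derived keys, never of plaintext.
    return hmac.compare_digest(_derive(candidate, salt, iterations), stored)


def support_console_check(account: str, spoken_password: str) -> str:
    """What the agent's screen shows: a verdict, never the hash or the password."""
    return "verified" if verify_password(account, spoken_password) else "rejected"


if __name__ == "__main__":
    register("example-customer", "correct horse battery staple")   # constructed
    print(support_console_check("example-customer", "correct horse battery staple"))
    print(support_console_check("example-customer", "guess"))
```

The agent still hears the password, which is the thread's actual complaint; what this removes is any reason for the company to keep it readable on their side, and any difference between "the website checked it" and "support checked it".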

~~~
timrogers
I'm not trying to "rally the troops" as it were under the assumption that
they're storing passwords in plain text. That's not the issue, though it would
obviously be an issue if it _were_ the case.

I just wanted to make sure people were aware of this kind of practice at
1and1, and hopefully (but probably not) drive some change in the practice.

------
tptacek
Perhaps I'm misunderstanding the nature of this complaint, but it sounds like
this guy is dealing with a service at which:

* Tier 1 customer service people do not have plaintext access to customer passwords, _and_

* Tier 1 customer service people do not have the ability to manipulate customer accounts without their passwords (and thus consent).

On the scale of security/customer-service interactions at service providers,
this sounds like MONUMENTAL EPIC WIN. What exactly am I missing here?

And,

How on earth could you possibly input a password into some random text field
in an application that you would not provide to the CEO of the company hosting
that text field?

~~~
timrogers
I'm not convinced that the Tier 1 customer support reps _do_ lack access
without the password. It just seems to me like a misguided attempt at
verifying identity.

As for your second point, all that is based on trust in the company that
they're not storing in plain text and opening it to the CEO...which I hope is
the case for most companies. I was more trying to give a sense that I'm really
not happy giving my password to any person. When it's a web form, you just
have to have trust or the whole idea of passwords is broken.

~~~
tptacek
In case you missed it, the subtext of my comment is that neither of those
bulleted items is true for most service providers. At most large service
providers, you can count on tier 1 CSAs having direct plaintext access to
your password and those CSAs being a mouse click away from taking any action
on your account you can conceive of.

Your first point is just innuendo, right?

~~~
timrogers
I'm not sure I understand what the point you're trying to make is. In a
hypothetical (but unlikely) world where they _really_ did need my password to
manage my account, this would be a poor practice to have and it should have
some kind of other verification, even if it was character [x] and [y] of my
password. The same applies if they don't need it really...this doesn't seem a
good idea regardless.

~~~
philh
That specific solution doesn't work. If they have access with just characters
x and y of your password, then they (as good as) have your password, and
access to your account.

~~~
timrogers
Well, yes, but it's expected and somewhat necessary that administrators (that
is, people with some kind of administrative responsibility) of online services
have access to your account.

~~~
DanBC
So you do not trust them with your password (that you're going to change later
anyway), but you do trust them with unpassworded access to your account?

~~~
timrogers
All I'm saying is that you have to have that trust, it's always going to be
the basis of how customer support works in businesses like this. Requiring
that you give out your password to a person is not acceptable.

~~~
DanBC
I've had a few days to think about this.

Now, having seen some of the alternative systems suggested, I think I agree.

I instinctively do not want to give my password to anyone. And that's a great
habit to get into, and we want regular people to get into that habit. That
would make phishing less useful.

In this case it seems they're trying really hard to protect your domain from
harm. But yes, I've been mostly persuaded.

------
suresk
This doesn't sound good, but it got me thinking.. How do you verify someone is
who they say they are in situations like this?

As we've seen with recent breaches, the last 4 digits of your CC # aren't
incredibly hard to find out. "Secret" questions and answers are generally
quite poor, in that very few of them don't suffer from laughably small
keyspaces or rely on semi-public information. Passwords almost seem like the
least bad option.

I get that giving a password to a human isn't a very comfortable feeling, but
if you don't trust the CSR to not misuse the password, do you also not trust
the developers to not have put in something to grab your password one of the
various times you enter it into a web application that they control?

~~~
tzs
Assuming that all you need to verify is that the person on the phone knows
that account name and password, one way that would not be too difficult to
implement would be to have a way for support to mark the account with a random
8 digit number. The support person does this, and then tells the customer to
log in to their account management page. There should be a link there that
shows the random 8 digit number. The customer then reads this to the support
person over the phone.

~~~
suresk
Something like that would certainly work - I was thinking a one-time code
could be emailed to the email address on the account, but either way would be
fine.

Given the relative simplicity, I wonder why nobody (at least that I know of)
has implemented something like this?

~~~
saurik
This is how PayPal support works: you use the website to get a random six-
digit "customer support PIN" which you then dial in when you connect to their
system.

~~~
nthj
Media Temple operates this way, as well. I like this approach, as I can never
remember those "4-digit account pins" (looking at you, AT&T), and I'm happier
knowing any given pin is only usable for the next hour, anyway.

------
fosap
I don't get it. At all. The only purpose of the password is to authenticate
you against your account. Why would you refuse to use it for this? It's _the
point_ of a password that you submit it.¹ Oh yeah. Because you don't trust
the guy on the telephone. He could easily hijack your account and do nasty
stuff. 1) He could do it if he wanted, even if you didn't tell him 2) You're
not trusting him/her? Why are you doing any business with a company you don't
trust?

Or is the point that somebody could wiretap you? Get off your tin foil hat and
think about keyloggers.

¹) Or do a challenge response. It does not matter. It's a _shared_ secret.

~~~
timrogers
The point is simply that established practice is to never share passwords, and
this eschews that practice. I can see your point, but they have a variety of
other data they could use to verify who you are. This is about the worst idea.

~~~
nowarninglabel
Actually, no, it's way better than other ways they could verify your
identity. Did you not read the account of the Wired reporter who had his online
identity stolen and wiped because companies used easily obtainable information
about the person to identify the person's identity? If they had used a
password instead it never would have happened.

I don't understand what your issue is with telling them the password? Just
change it to something random and change it back after if it's not something
you are comfortable sharing or saying out loud. It may personally offend you,
but it's certainly not a bad practice.

------
Rudism
I've avoided using 1and1, but I recently made the switch from GoDaddy to
Hover.com for my domains and it was like an amazing breath of fresh air
followed by a clear mountain spring water chaser.

Seriously. There are way better providers out there.

~~~
timrogers
I probably will do, I just want to make sure that people know about this bad
practice, and hopefully encourage 1and1 to sort this out.

------
circa
I hate 1and1. I had to deal with their awful Website interface for a client of
mine recently. I had to transfer over 100 GB of stuff on this guy's "unlimited"
storage account. They capped the speeds around 500KB/s. It seriously took all
week. Uploading to Amazon and Rackspace CDNs was a godsend after that.

~~~
VMG
As a long-time customer in Germany, I can only agree. They have a lot of shady
practices and I wouldn't recommend them to anyone.

------
IndianGuy79
I have been a long-time user of 1and1 for domains. Their initial product
offering is always sweet (free, 1$ domains) etc. Their renewal rates are not bad
either.

But the place where I hated them most was NS change propagation, it took 24
hours to get that done.

Also their admin panel is awfully slow.

If you guys don't already know it, here are some of the links to help

To transfer/cancel domains you must go through : <http://cancel.1and1.com>

Admin: <http://admin.1and1.com>

~~~
pjl
1and1's Control Panel is quite painful to use, but you don't have to go
through cancel.1and1.com to transfer a domain - just make sure your domain is
unlocked and you have the EPP code handy.

------
stripe
1and1 is a hosting company for the uneducated masses. Those do not care about
telling some 1and1 employee their passwords because they think it is safe to
do so. 1and1 is a great hosting company for someone who just needs a website.
Nothing more. No DNS handling, passwords over the phone. Great advice has
already been given: Leave them and make sure your account is terminated. And I
mean really terminated.

------
aeden
If you can get your transfer codes from them without having to give your
password over the phone then start transferring now. You lose none of your
registration period and you can find other registrars that don't suck. Even if
you find a way to get what you want done with 1&1 you probably don't want to
be doing business with a company that can't follow the most basic of security
best practices.

~~~
timrogers
I probably will!

------
crisnoble
Personally I think it is hilarious to say things like "ampersand" or the
"little carrot arrow thing err.. you know shift six" over the phone. I once
had to leave my password in a voice-mail to my nurse, she told me "most people
just make it something simple like their doctors name you know." I refrained
from launching into a tirade about the importance of strong unique passwords.

------
unam
I had the same experience over the weekend. Wanted to use Google Apps for one
of my domains. They wanted me to email the .html file which Google gives you to
a hotmail (really?) address and then give them the password as well to my 1and1
account. #fail

~~~
timrogers
Completely ridiculous. How do they get away with this kind of stuff? I
genuinely think the only way to put a stop to it is for an article like this to
get popular so they're forced to think.

~~~
unam
I asked the rep if I could give any other form of identification, guess what -
your email address on the 1and1 account would do. I tried sending them the
html file from the same email as the one on my 1and1 account and they did what
I requested. This boils down to - they really don't need your password.

------
degenerate
Thanks for reminding me I have an expiring domain to transfer away from them!

------
jiggy2011
To be honest, I've asked customers for passwords over the phone before.
Usually it's because they have called reporting a problem with their email,
now about 70% of the time it's because of a problem at their end but I have to
humour them anyway.

Now I can of course access their mailbox by going into a shell on the server
but the quickest way to check everything and satisfy the customer is to setup
their email account on my computer and check I can get it to work.

Since the passwords are securely hashed, the only way I can do this is by
asking for the password from the customer.

~~~
rhizome
I see that as a failure of process. Your tools should already be constructed
in a way that using them is easier and more reliable than asking for a
password. Coupled with auth logging on the server side to diagnose failures on
their side, there really should be no reason to ask for a password for this
stuff.

------
JSadowski
1and1 is horrible anyhow, leave, fast!

------
dave1010uk
I had this with Virgin Media (UK ISP). I called them and the support guy asked
for my secret password. I assumed it was a security answer so I went through a
couple of obvious ones like mother's maiden name. After a few attempts, he
stopped me and said my password was strange because it was just a bunch of
random characters. At this point I realised that not only was he expecting my
actual account password for verification but it was available in plain text
for him to manually verify!

------
stretchwithme
I recall when I first heard of this outfit. I think it was 10 years ago. They
wanted you to fax forms over to them. Perhaps early man got his domains that
way.

~~~
eli
My recollection is that in the bad old days of Network Solutions, you had to
fax in domain registration and change forms. I seem to recall someone stealing
a big brand's domain name for fun simply by faxing in some instructions on
bogus letterhead.

------
wkonkel
Give Badger a try... we salt and hash passwords. <http://badger.com/>

~~~
ceejayoz
That doesn't (technologically) stop you from asking for a password to verify,
though.

~~~
dromidas
I'm sure 1&1 actually does encrypt the password, otherwise the tech support
guy probably would have just opened up tim_rogers.txt and found his password
there.

This sounds like 1&1 just doesn't have a real customer support story and
should probably just be avoided if possible. Or find somewhere that lets you
provide 2 part security (ie, one for personal access and another for support
access).

Author of the post said they should have some backend, and maybe they do, but
I think the biggest problem was that they wanted him to authenticate himself
as genuine with them by providing his password... they should have some other
way to verify his identity without that.

(This is my personal opinion as a security professional and not the opinion of
my employer)

~~~
timrogers
I agree with your first point, or at least I'd imagine so. I've heard it
suggested though that they don't so who knows!

To me, it seems like they just have a badly thought out verification process
when they should be doing something else - for instance, they could just use
the last four digits of your payment card or some other piece of relatively
secret information. You have indeed crystallised what my issue is in this
situation there!

------
brechin
Perhaps it's time to consider another host? I've been happy with Dreamhost as
a bargain-priced hosting provider.

------
manaskarekar
FYI: So does Citicards.

------
axusgrad
Change the password to 1and1sucks, call back, and give them that. Oh wait, now
everyone knows your new password.

------
timrogers
What registrars are good who support *.uk domains? I've had good experiences
with Gandi previously.

~~~
ollysb
+1 for Gandi, I've only heard good things about them. I've been with
fasthosts.co.uk for 10 years now (with zerigo for as long as I can remember as
well), I've currently got 20 domains registered with them and I can't remember
having had any problems with them.

~~~
timrogers
I do like Gandi, they're quite pricey though. Shall have to compare prices
across the board! Zerigo seem good though.

------
alternize
While I agree 1&1 shouldn't ask for passwords... why not just temporarily
change your password to something stupid, call support, and then change your
password again?

~~~
timrogers
I could (and may well) do that, but my issue is more one of principle. I could
do this, but it shouldn't be necessary.

------
timrogers
In this situation, I don't think emailing their complaints department is going
to help - I need the force of HN!

