No Passwords In Emails, Please!



cybertoothe
10-01-2004, 02:51 PM
I've signed up for a hosting plan due to the Anandtech hot deals forum. Here are some things that really bother me off the bat.

1. Please don't include passwords in emails! I received both an order receipt and a webadmin email and both contain my username/email and password. This is a big security concern for me due to network snoops and the fact that I can't keep these emails as receipts unless I change my password. This is an inconvenience to me. A better way is to emphasize that users need to remember the password they give at signup. Also provide a way for users to reset or get their password emailed to them via a form or email address.

2. Helpdesk also sends me my password when I registered for them. Grrr!

3. My webadmin login was given to me and derived off my domain. Please allow us to choose our own logins. It's easier for us to remember and it's an identity thing.

4. Better integration between the pieces. Have the same username and password for components, secure.hostpc.com, helpdesk and forum. Username and password doesn't have to be centralized itself, but why not automatically create helpdesk and forum accounts for customers using the same username and password they picked at signup. These to my knowledge are the main source of service and support and should be a standard part of signing up. It's also a convenience issue, having to sign-up for each separately and having to remember the different usernames and passwords.

5. Secure webadmin.

6. Secure forums would be nice too.


Here's an example of a signup email I would have liked to have received:

====
Dear <first name>,

Thank you for choosing our service to meet your web hosting needs.

Your account has been created with the following details:

Domain: yourdomain.com
Username: loginUpicked
Password: (blocked for your protection)

If you've forgotten the password you signed up with, you can have it emailed to you via this link (linked).

For your convenience, accounts with the same login and password have been created for you at our forums (linked) and helpdesk (linked) and on your servers (FTP,POP,SMTP).

Your site can be accessed at
http://1.2.3.4/~loginUpicked

and your control panel at
http://1.2.3.4:2222

Once your domain resolves (within 1 to 3 days), you may use
http://www.yourdomain.com
and
http://www.yourdomain.com:2222

Here are the DNS server settings you must use for your domain. These are set at your domain registrar. If you've registered your hostname through us, go here (linked).

NS1: ns23a.hostpc.com
NS1 IP: 199.237.53.84
NS2: ns23b.hostpc.com
NS2 IP: 199.237.53.85

Below are the details of your service:

Bandwidth: 10000 Megabytes
Disk Space: 400 Megabytes

Virtual Domains: 6
Subdomains: unlimited

POP Email Accounts: unlimited
Email Forwarders: unlimited
Email Autoresponders: unlimited
Email Mailing Lists: unlimited
POP Server: mail.yourdomain.com
SMTP Server: mail.yourdomain.com
FTP accounts: unlimited
Anonymous FTP: OFF
FTP Server: ftp.yourdomain.com

MySQL Databases: unlimited
Domain Pointers: unlimited
SSH Access: OFF
Secure Socket Layer: ON
CGI: ON
PHP: ON
DNS control: ON

Once again, thank you for choosing our hosting service.
Please don't hesitate to contact us at support@hostpc.com if you have any questions. Our forums (linked) and helpdesk (linked) are also available to you.

====

starfighter
10-01-2004, 03:56 PM
Originally posted by cybertoothe@Oct 1 2004, 02:51 PM
I've signed up for a hosting plan due to the Anandtech hot deals forum. Here are some things that really bother me off the bat.

1. Please don't include passwords in emails! I received both an order receipt and a webadmin email and both contain my username/email and password. This is a big security concern for me due to network snoops and the fact that I can't keep these emails as receipts unless I change my password. This is an inconvenience to me. A better way is to emphasize that users need to remember the password they give at signup. Also provide a way for users to reset or get their password emailed to them via a form or email address.

2. Helpdesk also sends me my password when I registered for them. Grrr!

3. My webadmin login was given to me and derived off my domain. Please allow us to choose our own logins. It's easier for us to remember and it's an identity thing.

4. Better integration between the pieces. Have the same username and password for components, secure.hostpc.com, helpdesk and forum. Username and password doesn't have to be centralized itself, but why not automatically create helpdesk and forum accounts for customers using the same username and password they picked at signup. These to my knowledge are the main source of service and support and should be a standard part of signing up. It's also a convenience issue, having to sign-up for each separately and having to remember the different usernames and passwords.

5. Secure webadmin.

6. Secure forums would be nice too.

Quoted post

1. The billing script and credit card script are set up to do that because most of our customer base can't remember their passwords and we can't retrieve them from the system because they are encrypted.

2. The Helpdesk is a script that Joe bought and the authors set up the script to do that. Modifying it to not send passwords is a large project and is not time-feasible.

3. The reason that is done is because every master login name has to be unique and the only way for the setup script to ensure that is to make them based on the name. If you want your login changed put in a ticket for an account recreate and we will do this if possible.

4. All the products have different user storage systems, and making a script to do this, while nice, forces users into usernames that they may not want. Allowing them to sign up themselves allows them the freedom to choose how they want to appear.

5. It was tried once and our customer base had so many problems with it we had to turn it off. DA is set up to either use http or https and not both, so we had to make a choice.

6. I don't understand what you mean by secure forums?

Hope that helps.

Dan

ShadowLab
10-02-2004, 01:19 AM
This is a great topic and I'd have to agree at least about the DA login name, for two reasons:

1) It's easily guessable, at least in my case. If you're a current or former HostPC member, then you can probably guess most other HostPC member usernames. This is a slight security concern, but a concern nonetheless... for more on why this is a security concern see #2.

2) Because an email address is also generated with that username automatically, which cannot be deleted mind you because it's the default. You then open yourself up to even more security concerns... see below.

-- 2a) This can be a target of SPAM.

-- 2b) With the username being easily guessable an attacker now has TWO points of access (i.e. DA login and default email account login) to attempt a brute force or other type of attack.

-- 2c) It opens us up to targeted attacks by mail bombing with large attachments to the default address which would quickly push us over quota.

Just my 2 cents, and I know I tend to really push the security issue from every angle, but I'm a computer scientist and I have to think like one.

Joe
10-02-2004, 01:30 AM
You'd have to speak with the authors of
whoiscart - http://www.whoiscart.com
directadmin - http://www.directadmin
Invision Forums - http://www.invisionboard.com


We don't control what information is sent out - but including usernames and passwords in registration confirmations is pretty standard across the net...

Joe
10-02-2004, 01:32 AM
Originally posted by cybertoothe@Oct 1 2004, 01:51 PM
I've signed up for a hosting plan due to the Anandtech hot deals forum. Here are some things that really bother me off the bat.

1. Please don't include passwords in emails! I received both an order receipt and a webadmin email and both contain my username/email and password.

Quoted post


You'd be surprised at how many people come to the helpdesk, or email me because they've forgotten their passwords, just DAYS after they signed up and selected their own password.

thevillageinn
10-02-2004, 02:05 AM
Originally posted by cybertoothe
A better way is to emphasize that users need to remember the password they give at signup. Also provide a way for users to reset or get their password emailed to them via a form or email address.



you're not making sense...

Jeff
10-02-2004, 09:02 AM
The simplest solution for those who are troubled by receiving passwords in email is to simply CHANGE the password immediately after it is sent via email.

When I do password resets for customers, I always recommend that they change the password on their initial login.

dbmasters
10-02-2004, 12:31 PM
Changing a password is very simple: after you get the email from HostPC, simply log in and change your password. The username should really be a moot point, as they need both to log in. Granted, knowing the username is half the battle, but anyone with common sense can put together an easily memorable password that is still hard to crack. Use upper and lowercase letters, one or 2 numbers and a special character. Combining those makes a pretty good and pretty secure password. I almost always change passwords immediately upon registering for anything; I have a dummy password I use to get the account, then a "real" password I change it to after the fact.

I can't say anything for the apps HostPC uses, but I can say that I myself build all my password functions in my scripts around an encryption hash algorithm, so, yes, the password is sent to you in plain text, but presumably is stored in the database as a random string of characters, so, after you go in and change your password, not even the administrator can get it back because not even they can see it in plain text.

The concept:

to emphasize that users need to remember the password they give at signup
is completely without merit. If you have ever worked a help desk at a host, or any IT related business, you are well aware that people just aren't very organized, not very tech savvy and expect you are there to cater to them. In a perfect world they should know what their login is and what server they are on, but they don't and they never will.

Securing webadmin and the forum... well, the forum I see no sense in that at all; the control panel, well, I can see that.

Integration would be very cool, I am currently building such a product for hosting companies actually, and darn it, you just gave me an idea to make it better...add a forum to it...hmmmm....
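An added example (not code from any poster here or from HostPC's software) of the two points the thread circles around: dbmasters' storage scheme, where only a salted one-way hash is kept so nobody can retrieve the password, and the reset-via-link flow cybertoothe asks for, which makes emailing the password itself unnecessary. The in-memory store, function names, PBKDF2 iteration count and one-hour token lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory account store for the example: username -> record.
ACCOUNTS: dict = {}
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption chosen for this example


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    """One-way, salted, slow hash: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def signup(username: str, password: str) -> None:
    """Keep only a per-user random salt and the hash; the plaintext is discarded immediately."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _pbkdf2(password, salt), "reset": None}


def verify(username: str, password: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare in constant time."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _pbkdf2(password, rec["salt"]))


def request_reset(username: str, now: float, ttl: int = 3600) -> Optional[str]:
    """Return a one-time token for the emailed reset link; only its hash is stored server-side."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        return None  # the web form should respond identically whether or not the user exists
    token = secrets.token_urlsafe(32)
    rec["reset"] = {"hash": hashlib.sha256(token.encode()).digest(), "expires": now + ttl}
    return token


def redeem_reset(username: str, token: str, new_password: str, now: float) -> bool:
    """Accept a valid, unexpired token exactly once and replace the hash with a fresh salt."""
    rec = ACCOUNTS.get(username)
    pending = rec["reset"] if rec else None
    if not pending or now > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["hash"], hashlib.sha256(token.encode()).digest()):
        return False
    salt = secrets.token_bytes(16)
    rec["salt"], rec["hash"], rec["reset"] = salt, _pbkdf2(new_password, salt), None
    return True
```

With this layout the only thing the mail ever carries is a short-lived token, so a mailbox snoop gets at most a one-time reset window rather than a reusable credential.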