Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Help me HN. Has anyone else had experiences like this with 1and1? What did they do to get things resolved?

I use 1&1, and I ran into the same situation a couple months ago: I was terminating one of my contracts, and they asked for my password over the phone to verify. To be clear: I was not closing my account, I was only terminating a single contract.

The way I "resolved" the matter was quite simple: as I am not stubborn, I just gave them my password. The person sitting on the other end of the phone call already certainly has godlike access to my account anyway, I am not stupid enough to use the same password for multiple accounts, and barring insanely epic hacks I know they are a real representative as I called them at their phone number; so, there is really very little to lose handing over my password to the customer support person.

In the end, rather than getting morally outraged and posting an article asking a question to an online community in the hope of unblocking your ability to conduct what is fairly simple business, you should just change your password when you are done with the call and move on with your life. It will save yourself a bunch of time and frustration.

Then, afterwards, if you don't like the way 1&1 operates (maybe you believe that this is indicative of a more underlying set of security mistakes, or maybe you simply don't agree with the practice and don't want to support it), you might then consider moving your accounts to a different provider: there are tons of people you can use to host servers, domains, or whatever else you may be using 1&1 for. However, it shouldn't block your ability to make things happen right now.



I totally understand the idea of just giving in and then moving on, but I don't get the apparent dislike of telling the story. Should he not tell people about this bad practice? It may be too late for him, but it's not too late for everybody. It's useful for people to know that a company has a bad policy like this before you get involved with them, and they won't generally tell you themselves.


I know I personally am happy to have read the OP's article. It made me aware of this backwards practice by 1&1, and I also learned that 1&1 stores these user passwords in plaintext. As a consumer of internet services, I will now steer clear of 1&1, and I have the OP to thank for the possible headaches I may have avoided.

I have no problem with someone standing up for what they believe in, taking a stand, and "rallying the HN troops" for what might be a relatively minor issue for most. I'm sure we all have made fusses about more trivial things :)


So, I don't actually disagree with the brunt of what you have said here (that if someone has an issue with something that it might be valuable to tell other people in the communities you are a part of who might care); however, it doesn't really apply to this article: my response is attempting to directly answer the question posed in the bold text at the end about "how to get things resolved".

Now, that said, I actually do believe people "rallying troops" is often knee-jerk and incorrect vigilante justice masquerading as valiant. It isn't always the case, and there may be places where such behavior is legitimate (although I think figuring that out is an interesting and horribly long off-topic discussion). It certainly, though, isn't always positive.

As an example, there person claiming on HN a couple days ago that Apple must be storing passwords in plain text because of a 32-character password length restriction[1]; I doubt that was actually the case, and much more argument and research should have been made before trying to incite such panic.

(edit: Hell, I didn't even notice that you did it yourself here until I saw the response from Fargren, but you just did it, too: there is no reason to believe that 1&1 "stores these user passwords in plaintext". It is much more reasonable to believe that they have a box on their end for "customer password" that verifies it using the same mechanisms the website does. It is not at all reasonable to "rally the troops" over assumptions.)

Again, however: that is not what this article was about; this article was not attempting to "rally troops", this article was asking for help making progress with an account they have at a vendor because the OP "make a point of never, ever, ever giving [his] password out to anyone" (emphasis his).

After all, you can still "rally the troops" after you get your job done: you can change your password afterwards, you can even change your password beforehand as borlak indicates (although that implies your password was important, which is already a mistake), you know this person is a real representative to within any reasonable margin of error; the morale stance here was just stubborn. :(

[1] http://news.ycombinator.com/item?id=4376029


I'm not trying to "rally the troops" as it were under the assumption that they're storing passwords in plain text. That's not the issue, though it would obviously be an issue if it <were> the case.

I just wanted to make sure people were aware of this kind of practice at 1and1, and hopefully (but probably not) drive some change in the practice.


All your points are duly taken! The reason I said this article was trying to "Rally the HN troops" is due to the second sentence of the post:

  Upvotes on Hacker News would be greatly appreciated to help me beat Goliath!
I took that to be a rallying cry :)


They don't need to have your password in plaintext to verify it. They could just type it to verify it at their end. Asking for it is still bad practice, though.


Agreed. They may or may not store in plain text, that remains to be seen. Regardless, this is bad practice.


Thanks - glad you understand my point. It's just not good practice and the only way these things get change is if people complain, and HN is great community to do that with. I know online security is something we're all passionate. about.


I am not stupid enough to use the same password for multiple accounts

I don't consider myself stupid and I used to use the same password across multiple accounts. I changed this practice a while ago but I know that for the vast majority of people they do reuse passwords frequently.

Suggesting people are stupid for not following best practice password management is not helpful to the discussion.


I completely understand your point, but I'd like to see things change rather than just abiding by this ridiculously bad practice. As you say, the rep obviously has full access without this so the whole act is pointless.

Even if not for me alone, I'd like to see this resolve as it's just bad form. A company culture that allows this cannot be good for the security of all domains held with 1and1.

I may well move away anyway, as you say, as I'm just so disappointed, but I'd like to see change anyway.


You change the policies by applying economic pressure and moving your accounts to other providers. Seriously it's not worth your time to change other people's behavior. Better to give them incentives or (as in this case) take them away to sway their actions.


Disagree. Calling them out like this can massively multiply the economic pressure applicable.

It's likely I and many other readers of this article will now never use 1and1 if it's possible to avoid them. A sort of passive boycott if you will.


Indeed - the economic pressure of my ~10 domains alone is not enough. The economic pressure of some portion of HN users is more significant.


I will do - my only concern is that my economic pressure alone won't be enough.

This post seeks to address information failure, if you will.


If they are asking for your password however, then you have to assume that this is the tip of the iceberg security-incompetence-wise. what else are they screwing up?

But incompetent security by people who should know better is not limited to a few internet hosting providers. A year or two ago, Chase Bank called my wife up (i.e. they called our home) and asked my wife for her credit card number. My wife refused to give it and they suspended her bank account because of it. She had to call them and spend an additional hour on the phone getting that straightened up and shortly after this they abruptly cancelled the account with no explanation.

Any time this sort of thing happens do yourself a favor and do whatever you have to in order to close your account and move somewhere else.


I don't use 1and1, so I don't know if this is possible, but why not:

1) change current password to some stupid password

2) give password

3) reset password back to my normal password

4) move on with life


It should be pointed out that this would only be required if you are using this password for other things that are important (as in, you are sharing your password with other accounts) or your password is somehow precious and special (like the name of your favorite dead aunt): you shouldn't have to do this, as your password should already be something "stupid"; changing your random password to something else random when you are fully intending to just change it to something even further random again is a waste of time. ;P


I agree. But perhaps OP doesn't trust all support employees working for 1&1? This seems a reasonable stance.

So, he should give them his password, but he should then change it.


In addition to the responses from others and depending on the password restrictions set by 1and1, there is no gurantee you can use the same/previous password when you try and reset it.


You can, but see below for my thoughts on that...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: