
Thread: New Password Requirements

  1. #1

    New Password Requirements

    OK, I'm not happy about the new requirements. This makes it less safe than what I previously used before. I now have to have this new password written down because it is different than 99% of the other passwords I use. So I will never remember this password. And I'm sure I'll need to use the "forgot password" feature.

    My old password was secure enough, now it becomes less secure. Thanks BlueHost.

    At least they aren't like the Unemployment site. Making you change your password every few weeks, and it can't be the same as the previous 5 passwords. That was the worst.

  2. #2
    Join Date: Nov 2006; Location: Sydney, Australia; Posts: 4,533


    Quote (originally posted by woody24):
    At least they aren't like the Unemployment site. Making you change your password every few weeks, and it can't be the same as the previous 5 passwords. That was the worst.
    That one is actually the safest.

    It is far more secure for you to write passwords down than it is to use ones that are easy to remember everywhere.

  3. #3


    13 years using my own random lettered password, and I haven't had a problem. I just don't like to be forced to change the way I handle my own password.

    Took me 20 minutes last night of trying to figure out my FTP info for a new machine, before I checked my email to see that it was my email that was changed without my permission, and not me forgetting the path to the server.

  4. #4
    Join Date: Feb 2008; Location: Cheyenne, WY; Posts: 17

    Security theater, the original Broadway cast recording

    I'm with Woody here. If you want to have an optional "let us advise you of your password strength" feature that we can opt in to, great. Otherwise let me use the password styles that have worked for me for over 20 years without a breach. Making that change without giving us either any choice in the matter or even any advance warning before you did it was extremely frustrating. If I wanted someone else to tell me how to think, I'd let the government run my website.

    Just because it's easy for me to remember doesn't mean it would be recognizable by anyone who isn't me. My own wife could never guess my passwords, and she knows how I think.

    At least they aren't requiring us to change the password every {x} months. That's just security theater; there is NO evidence it actually defeats intrusion. Who's to say you aren't changing it from something that never would have been guessed to something that will?

    It's not worth the hassle of shopping for another provider, but it sure doesn't make me happy.

  5. #5


    I agree completely. The new password requirements are much more strict than any other online login I interact with - even my bank and credit card providers have less stringent requirements...

  6. #6
    Join Date: Feb 2006; Location: North of Boston, MA; Posts: 1,471


    Just remember, guys, that BH uses a shared server environment and each server has several hundred accounts on it. As secure as your passwords might be, there are more than a few account owners who are going to use something that is simple enough to crack and then, when the server gets compromised, EVERYONE will be unhappy. The way I see it, this change will mitigate that chance better than before.
    redsox9 - Go Red Sox!!! 2004 and 2007 World Series Champions!
    Visit FenwayFanatics.com, home to Boston Red Sox baseball fans everywhere

  7. #7


    While I agree with redsox9 that a poor password choice by one user on a shared server has the potential to impact other users on the server should that user account become compromised, that does not release BH from their very customer unfriendly implementation of their more secure password requirement.

    Like woody24 I also spent about 20 minutes trying to figure out what went wrong with my FTP program, followed by concern that my account was compromised since I could also not sign in to the BH control panel, only to eventually find an email time stamped after my problems started stating my password was changed without my permission. That was very annoying to say the least and made me wonder if BH itself was compromised. After some initial frustration and having to get a second temp password, I was able to use my prior password without a problem.

    It would have been so much more customer friendly if:
    1. Only customers with vulnerable passwords were informed to change them.
    2. Followed in two weeks by an automatic password update and email if they were not changed.
    If there was an active attack on BH servers I realize that BH may have been forced to change non-secure passwords, but only the non-secure passwords should have been changed.
    Last edited by arnb; 03-15-2010 at 03:04 PM.

  8. #8
    Join Date: Mar 2010; Posts: 1


    Quote (originally posted by redsox9):
    Just remember, guys, that BH uses a shared server environment and each server has several hundred accounts on it. As secure as your passwords might be, there are more than a few account owners who are going to use something that is simple enough to crack and then, when the server gets compromised, EVERYONE will be unhappy. The way I see it, this change will mitigate that chance better than before.
    If that were true then all shared servers like Bluehost would already be toast. If a hacker gains access to my (or your) account he may destroy/mangle/whatever the content of that account but he would not have the access to do harm to other accounts unless he is able to gain access to administrative rights (superuser) to the system.

    I, too, protest the draconian changes.
    Last edited by farcaster; 03-15-2010 at 05:28 PM. Reason: comment removed

  9. #9
    Join Date: Apr 2008; Location: Chasing the Holy Grail - Pacific Northwest; Posts: 670


    Quote (originally posted by ditchner):
    If that were true then all shared servers like Bluehost would already be toast. If a hacker gains access to my (or your) account he may destroy/mangle/whatever the content of that account but he would not have the access to do harm to other accounts unless he is able to gain access to administrative rights (superuser) to the system.

    I, too, protest the draconian changes.
    I have removed an offensive comment here. We are not "admins" of this system, we are moderators - unpaid volunteers to make sure that those that post here adhere to the forums rules in addition to answering questions about various other items.
    aka Barry
    In the Hyperion universe, a farcaster is an instantaneous transportation device.

    Murphy's Law - "Anything that can go wrong, will go wrong" (and at the most inopportune time)

  10. #10


    I am not a fan either of these new passwords. I am running simple websites, not a nuclear submarine. Also you have to keep clicking the "forgot" password links. I assume hackers have sniffers that can intercept mail with "temporary password" in it. That seems far less secure.
