Moments ago, I received the following email from GoDaddy regarding my contract with the registrar for several domains:
Dear Ari Herzog,
In accordance with our terms of service, please be aware that we have made a change in Section 4, Account Security. View details of this policy change.
If you have questions about our updated password policy, visit our Security Center or contact a Customer Service Representative at (480) 505-8877.
Thanks as always for being a Go Daddy customer.
Sincerely,
GoDaddy.com
I clicked the link–and, to my shock, saw the following buried in that section:
For security purposes, You will be required to change Your password and shopper PIN every six (6) months, for every Go Daddy account, subject to Go Daddy’s password and PIN guidelines.
Apparently, GoDaddy is taking its time alerting its members–and a quick scan of the blogosphere confirms nobody is happy. The earliest mentions occurred around March 18 at Webmaster World, DSL Reports’ bulletin board, and Hacker News’ similar discussion.
I wonder if they’re going in alphabetical order or according to customer ID.
What I do know is I’m fed up with the registrar’s high prices in comparison to other registrars, and this requirement by GoDaddy, err, Big Brother, forcing me to change my password is preposterous. If my account is hacked, shouldn’t that be my fault? If I’m liable for my actions, shouldn’t I be liable for irresponsibility and creating hackable passwords?
Apparently not.
I’ll wait it out a few months… and likely look into shifting my GoDaddy-registered accounts elsewhere where I can be in control of my own online real estate and I can make the rules when I want to change my passwords.
Speaking of which, if you’ve made it down this far, please consider clicking to my guide from last fall on the importance of creating a mnemonic password.
I personally believe a password should be changed every *six weeks* if not more. But that’s just my opinion. I do believe they should have told you what the change in policy was, instead of making you hunt for it. But I don’t see why they shouldn’t hand this down, considering that fixing your account if you’re hacked most likely costs them time/money, as well.
Sherry’s last blog post..WordPress Security Upgrade to 2.6.5
I grasp the importance from a corporate security side, but ultimately, if I choose to do have a company register or host my domains, shouldn’t it be my choice what my password is and how secure it is and how often I change it? The company can offer guidelines, but when it FORCES me to do something, that stinks of Big Brother.
Hmmm….I’ve moved all my accounts to godaddy over the last few years. Price is better than most, not the cheapest, but if you move a lot of accounts, I sure appreciate the ease of their process versus others. I got the email a few weeks ago, and agreed it was past time–so I changed my password. No big deal.
“forcing me to change my password is preposterous”
Any good systems administrator forces users on their network to select a new password, generally every 60-90 days. They also enforce rules on how to create a password in terms of length, character requirement, special character requirements, numeral requirements.
The issue is this: Let’s say one has an account with 150 domains, and 75 of those are live sites. Their account gets hacked. Who do they call? GoDaddy, of course. They will blame GoDaddy, maybe even try to sue GoDaddy for the hack saying that GoDaddy didn’t have enough security controls. Meanwhile, their password was their wife’s name and birthdate or some other simple, easy to find out combinatorial type of password that everyone chooses to use. They also used the same username and password they use on every other site they are required to have a user account for.
Now GoDaddy has the burden of reclaiming their account, checking to see if it was just a “brute” force password crack or if it was indeed GoDaddy’s infrastructure that allowed the hack. That is quite a bit of time and resources given the sheer amount of customers GoDaddy has, their infrastructure and more.
Sure, you might not care if people want to have simplicity and such, but how many dollars do you think GoDaddy spends per year recovering hacked accounts due to poor password choices by their customers? Big Brother? Not so much, when you think in terms of lawsuits, investigations into infrastructure and time spent resetting accounts.
On the flip side, if one has 75 live sites, that all of a sudden point to a porn site, and it is because they chose a simple password – there is a fallout that may not be able to be recovered from. Sure, many will blame GoDaddy and all GoDaddy is trying to do is put the burden where it should rightfully be on this subject – with the account owner. Basically GoDaddy is saying, if one does their part with their account and follows good security practices it will help all involved – while still protecting themselves which is a necessity of every business entity.
One last thought – what if the account uses not only GoDaddy as the registrar, but also as their host? The account is not only subject to DNS changes, domain info changes, but now the entire site contents can be changed. Thus, after the hack is determined, of course even though it was the customer’s fault for using a poor password, they will expect GoDaddy to have backups with which the customer will expect a database or site restore operation to be performed from. For free.
Just my view on it.
Bill’s last blog post..Interview: Mainstream Media Using Twitter
Changing passwords every six months is stupid. I’ve used the same password for over a decade on many, many sites and it has yet to be cracked.
Michael’s last blog post..Holy Pascha
I guess I should read my email more thoroughly. I haven’t heard of this, but if they don’t notify me I need to do it, I probably won’t even remember. It’s kind of like forcing people to wear seat belts. Yes we know it is good for us and can save our @ss, but we’re all adults who can make our own decisions in terms of what we will and won’t do for ourselves.
Speaking of GoDaddy, have you had anyone from China say your website is blocked because it is hosted by them?
~ Kristi
Kikolani’s last blog post..Vacation Proofing Blogs and Social Networks
Ari,
Another example of companies doing what is best for them rather than for customers. I’m not suggesting good IT security policy is bad, but not aligning it with what works for customers, or incorporating it in a way that painlessly adds more value for customers is the fail here. I’m also a GoDaddy customer and will be watching how this unfolds along with you, hoping I don’t have to migrate yet again.
Ken Burbary’s last blog post..What the F**K is a Tweetup?
I’m straddling the fence on how I feel on this issue. As an IT guy, I definitely understand the desire for increased security. On the other hand, the inconvenience, seemingly small for one individual, is massive and highly risky.
The risk is multifaceted. In one case you have folks changing their passwords, but the downside is they’ll likely choose equally easy to remember passwords, often just changing one digit or letter. Compounded with that, some significant percentage will forget they changed it and lock themselves out. This equals very unhappy customers tying up phone lines and forums, and trashing GoDaddy online.
Additionally, just for the inconvenience, they risk losing folks that aren’t deeply committed to GoDaddy for registrar purposes. Likely also a large number of users.
Me? I’m not a GoDaddy user in any right. That said, I see what’s going to happen next. My favorite hosts and registrars will follow suit.
Todd Jordan’s last blog post..Internet Famous – Twitterlebrity
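The failure mode Todd describes above, forced rotation producing a "new" password that is the old one with a digit bumped or a character appended, is something a password-change handler can detect at the moment of change, when the user supplies both the old and the new password in clear (stored hashes cannot be compared this way). The following check is an added example written for this post; it is not code from GoDaddy or from any commenter, and the sample password pairs are constructed.

```python
"""Flag a 'new' password that is only a trivial edit of the old one.

This is the incremental-rotation problem: users asked to rotate every N
months tend to submit Winter2008 -> Winter2009 or Password1 -> Password2.
The comparison needs both plaintexts, so it can only run inside the
change-password request, never against stored hashes (assumption stated
in the lead-in).
"""
import re


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def strip_trailing_counter(pw: str) -> str:
    """'Summer2' -> 'Summer', so Summer1 -> Summer2 compares equal."""
    return re.sub(r"\d+$", "", pw)


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the same password with a cosmetic change.

    Heuristics: identical (case-insensitive), within `max_edits`
    single-character edits, same stem with a different trailing number,
    or simply reversed. Tune max_edits to the length policy in force.
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    if levenshtein(o, n) <= max_edits:
        return True
    stem_o, stem_n = strip_trailing_counter(o), strip_trailing_counter(n)
    if stem_o and stem_o == stem_n:
        return True
    if o[::-1] == n:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Winter2008", "Winter2009"), ("Summer1", "Summer99"),
                     ("hunter2", "b3ttl3sh1p$")]:
        print(old, "->", new, "trivial" if is_trivial_rotation(old, new) else "ok")
```

A handler that rejects a trivial rotation should give the user a reason ("too similar to your previous password") rather than a generic failure, or the lockout and support-call problem Todd describes simply moves one step later.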