My ISP asked me to tell them my account and FTP passwords - does that seem reasonable to you?
Mangetout
11-07-2010, 01:18 PM
Somehow, a file got stuck in my webspace that I can't delete, rename, move, etc. I recognise the filename - I assume it's just a glitch of some kind, but I think it's fouling up my backups, because I can't even copy it (and I think the backup process is probably finding the same).
I raised a call to ask them to get one of their admins to delete the file. Their first response was:
Thank you for contacting us.
Regarding your concern, we need to verify your account information before we request our Administrators to remove the file for security purposes. Please contact us via phone at this number [snipped] anytime. We are open 24/7.
If you have any further questions please do not hesitate to contact us.
OK, this seemed slightly unnecessary, as I had to log into my account just to raise the request, but still, it didn't seem terribly unreasonable to reconfirm my identity before proceeding.
So I made the phone call - and they asked me a bunch of security questions. One of these was the password to my account - which seemed an odd request, but I complied - I changed it to something else ten minutes after the phone call, just in case.
Then I got another email:
Thank you for contacting us.
This is in line with your pending query which is to be escalated to our Administrators.
We forgot to get the password for your ftp account [snipped].
ftp username: [snipped]
ftp password:
We need to have those details so we can forward it to our Admins after. Thank you so much for your patience.
If you have any further questions please do not hesitate to contact us.
They want MY FTP account details so their admins can access the account?? WTF?
So I replied:
You want my user password for FTP? Why would you need that? (anyway, if your admins log in to the server as me, they won't be able to delete the file, because I can't)
They replied:
Thank you for contacting us.
Basically, verification of FTP Username and Password is a standard procedure in Technical Support Department before a concern is raised to a higher level. Anyhow, I had coordinated this concern with a higher level and since you had done verified your account details beforehand, we can place this under "one-time courtesy" flag since the required informations was missed verified by previous agent.
This case will now be escalated for the said request. Please bear with us for a little while.
If you have any further questions please do not hesitate to contact us.
This just smells like complete bullshit to me. My concern isn't about account security, it's about professionalism. I was enough taken aback that they asked me to tell them my account password on the phone, but subsequently asking me for my FTP password by email just seems terrible practice. Especially as I had already authenticated by confirming name, last 3 digits of my debit card, account number and support call reference on the phone. What say you?
Mangetout
11-07-2010, 01:22 PM
Damn. I mean web host, not ISP.
Athena
11-07-2010, 01:27 PM
Well, if they *do* want to log in as you, they probably need you to tell them your password. It's not at all uncommon to store passwords encrypted, so that even the Admins can't easily look them up.
If it concerns you, change your password for the duration of the support issue, then change it back.
jjimm
11-07-2010, 01:28 PM
Which company are you with? Or do you prefer not to say?
That response reads a bit like Indian English, so my theory is that they're a call centre in Bangalore that isn't given enough rights to fulfil anything other than standard requests, but they're trying to be helpful and work around the restrictions imposed on them by the company.
But yeah, very unprofessional.
AnalogSignal
11-07-2010, 03:41 PM
It seems strange. Passwords are not normally used for verification.
If you are on a shared web host (which you most likely are), they have sa privileges and can delete any file. If you are on a dedicated web host, they would need the password.
Mangetout
11-07-2010, 04:12 PM
Which company are you with? Or do you prefer not to say?
It's 1and1. The call centre was hard to place - didn't sound like the UK, but didn't sound like India either.
Mangetout
11-07-2010, 04:18 PM
It seems strange. Passwords are not normally used for verification.
That was pretty much my feeling on the matter. It just seems strange.
If you are on a shared web host (which you most likely are), they have sa privileges and can delete any file. If you are on a dedicated web host, they would need the password.
Yes, it's a shared host - I don't have shell access at all - only FTP and a file explorer interface via the web admin tools.
Declan
11-07-2010, 04:32 PM
It's 1and1. The call centre was hard to place - didn't sound like the UK, but didn't sound like India either.
I've never had that happen, the admins of the webhost should have super user rights or root access for your site and the others on that host.
It's not encrypted, is it?
Declan
Mangetout
11-07-2010, 05:05 PM
I've never had that happen, the admins of the webhost should have super user rights or root access for your site and the others on that host.
It's not encrypted, is it?
Declan
The password is probably encrypted wherever it's stored, but there's nothing unusual about the web hosting.
Declan
11-07-2010, 05:11 PM
The password is probably encrypted wherever it's stored, but there's nothing unusual about the web hosting.
Then it sounds like the people who want your password and so forth do not have root or superuser access to your site. For me and my host, it's a separate set of passwords to get into the client section and the cPanel on the website, and they have never asked for any site admin passwords; they just go and do whatever I asked them about when I open a ticket.
Mine has tech support on site, so I can't comment on webhosts if they have outsourced their support to a third party and any authentication issues that would require.
Declan
Markxxx
11-07-2010, 05:56 PM
1and1 doesn't need FTP access. You can access your files through an online version of your account. It's a LOT slower than FTP access, but if you can do it through your web browser they certainly should be able to.
Mangetout
11-07-2010, 06:09 PM
1and1 doesn't need FTP access. You can access your files through an online version of your account. It's a LOT slower than FTP access, but if you can do it through your web browser they certainly should be able to.
Their explanation is that they need me to divulge the passwords for verification. Ultimately, I have to trust them with a lot more - as they could very easily muck about with my files without ever asking me, or for that matter, abuse my personal data, but if this really is part of their verification policy, it just seems wrong.
If you have your page backed up, and it is possible to change your password if you've forgotten it, I'm not sure what risk there'd be.
That said, I also see a possible coverup: you didn't need to give your password, but they don't want to admit that, so they make it sound like they gave you a special deal. Otherwise, they just really don't get that a password is not a good way to verify someone's account.
Mangetout
11-08-2010, 07:54 AM
Part of the problem is that the broken file can't be copied, so I can't properly back up the site (I do have manual backups I created piecemeal, but I'm not sure they would be as easy to restore as a single archive that was zipped on the server).
I think I'll wait until they close the call, then try to voice my concerns to someone other than first line support. I'm not really worried about the practicalities of giving them my password - I just think it's something they should never ask for, as a rule, because users should be habitually ingrained not to divulge them.
jjimm
11-08-2010, 08:33 AM
It's 1and1.
Oh God, they're awful. An ex-client of mine uses them and they suck bigtime. My client didn't back up his mail - he only used the webmail interface (yes, he's a complete dumbass) - and an entire year's worth of email disappeared - trade enquiries, etc. etc. He called them, and they told him that they didn't know what he was talking about, and he had never had any mail there in the first place. Then, a fortnight ago his site reset and restored half the files from last year's version, so the shop is now full of products that he no longer sells... and he is now blaming ME for the cockup (he doesn't understand my explanation, due to being a dumbass). I have fired him as a client for other reasons (including not thinking he had to pay me - did I mention he's a dumbass?), but half of his problems to date have been caused by the damn webhost.
Fried Dough Ho
11-08-2010, 08:39 AM
I deal with A-Plus here in California and they constantly require passwords to do the most menial tasks. I am continually re-setting my password and they also completely deleted an entire email account from one of the shared servers.
Ironically, I spent the weekend moving all of my stuff to a new web host and am looking forward to canceling my account...
Mangetout
11-08-2010, 01:11 PM
Oh God, they're awful.
I know you deal with this stuff on a daily basis, so I'd be pleased to hear your recommendations for alternative hosts.
I'm only paying a fiver a month for my current package, which has 'unlimited' bandwidth (which I know isn't really unlimited, but for my purposes, is sufficient), 5gb webspace, PHP, etc, but no databases.
Wheelz
11-08-2010, 01:28 PM
The call centre was hard to place - didn't sound like the UK, but didn't sound like India either.
...since you had done verified your account details beforehand...
I'm guessing Alabama.
Mtgman
11-08-2010, 03:08 PM
I would bail on that host in a heartbeat. Firstly, they should have other ways to verify the account. Secondly, this means they're either hashing the password you give them and comparing it to the hash in their password stores (where you really have no legitimate business going 99% of the time), or they have a decrypt function they're using on your real password to compare the plaintext. The former is unprofessional, the latter is a security risk.
Ultimately you're right that you're trusting them with more already, but if they're accessing plain text versions of your password (even the ones you're sending them) then it's like leaving the door open and the lights on using the justification that anyone who wants can just kick the door down anyway. Technically true, but why let your security be some thief's low-hanging fruit?
Enjoy,
Steven
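The post above argues that support should have a way to verify the account holder that never involves the password, and that the stored credential should be a one-way hash rather than something a decrypt function can recover. The following is an added illustration of that design, not code from the thread or from any host mentioned in it; the `SupportVerifier` class, its ticket ids and the code length are assumptions for the example. The helpdesk checks a single-use code sent to the registered contact, bound to the ticket and time-limited, so no agent ever sees or transmits a password.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000  # work factor; raise in production


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Salted one-way hash. Nothing stored here can be turned back into the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login-time check only; support tooling has no reason to call this."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class SupportVerifier:
    """Ticket-bound one-time codes (hypothetical helper for this example).

    The code is sent out-of-band to the contact details already on the account.
    Only a hash of it is kept, it expires, and it is consumed on first use, so a
    guessed or intercepted code is worth little and the password is never involved.
    """

    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self._pending: dict[str, tuple[bytes, float]] = {}  # ticket -> (code hash, expiry)
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be tested deterministically

    def issue_code(self, ticket_id: str) -> str:
        code = f"{secrets.randbelow(10**8):08d}"  # 8 digits from a CSPRNG
        code_hash = hashlib.sha256(code.encode()).digest()
        self._pending[ticket_id] = (code_hash, self.now() + self.ttl)
        return code  # returned only so the caller can deliver it out-of-band

    def verify(self, ticket_id: str, presented: str) -> bool:
        # Consume the entry whether the guess is right or wrong: a wrong guess
        # forces a fresh code, which caps online guessing at one try per issue.
        entry = self._pending.pop(ticket_id, None)
        if entry is None:
            return False
        code_hash, expiry = entry
        if self.now() > expiry:
            return False
        presented_hash = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(presented_hash, code_hash)
```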
jjimm
11-08-2010, 03:15 PM
I know you deal with this stuff on a daily basis, so I'd be pleased to hear your recommendations for alternative hosts.
I'm only paying a fiver a month for my current package, which has 'unlimited' bandwidth (which I know isn't really unlimited, but for my purposes, is sufficient), 5gb webspace, PHP, etc, but no databases.
Several years ago Kal recommended DreamHost to me, and I've never looked back. The charge is maybe £6 a month (it's ~$8.95 if you pay in annual installments) and the amount of stuff they give you is unreal. PHP, multiple SQL databases, dozens of one-click plugins including photo galleries, messageboards, streaming media including Flash, blogs, wikis, etc. Have a look at what they throw in! (http://www.dreamhost.com/hosting.html) I don't know much about Linux but I believe the level of access is pretty high if you know what you're doing.
They will also tie your domain in with a free Google Mail account hooked to your domain. You can hang multiple domains off the same hosting account, too - seven of my clients are hosted on a single hosting contract. Reasonably simple panel too.
But best of all their customer service is superlative. It's based on the US West Coast and not 24/7 [ETA: I tell a lie, they've now gone 24/7], but it's incredibly attentive and helpful. I've never had a problem that they couldn't fix immediately; that said, I've hardly had any problems either.
I don't get commission: just seriously impressed with what they offer and how they treat their customers. Funniest corporate newsletter I've ever read too.
Mangetout
11-08-2010, 03:39 PM
Thanks for that - I may look at migrating. Next bill doesn't come from 1and1 until Feb, so that gives me enough breathing space to do it without rushing, I think.
In addition to the webhosting, I've got three domains for which they handle the registration (1 free with the account - two additional, but I don't think there are any transfer away fees). How do I go about seamlessly moving the domain registration? It's really important to me that I don't lose the domain names.
AnalogSignal
11-08-2010, 08:03 PM
In addition to the webhosting, I've got three domains for which they handle the registration (1 free with the account - two additional, but I don't think there are any transfer away fees). How do I go about seamlessly moving the domain registration? It's really important to me that I don't lose the domain names.
It is always recommended to keep your domain registration separate from your web host so these kinds of issues don't arise.
I use hostgator.com for shared hosting and moniker.com for domain registration but there are many good alternatives.
jjimm
11-09-2010, 12:26 AM
Thanks for that - I may look at migrating. Next bill doesn't come from 1and1 until Feb, so that gives me enough breathing space to do it without rushing, I think.
In addition to the webhosting, I've got three domains for which they handle the registration (1 free with the account - two additional, but I don't think there are any transfer away fees). How do I go about seamlessly moving the domain registration? It's really important to me that I don't lose the domain names.
AnalogSignal is probably right. However, if you do want to do a seamless transfer of hosting and have your registration with the same people who do the hosting (I certainly have my URLs registered with DreamHost):
1. Rent the new hosting account.
2. Replicate the sites on your new webhost, assigning the relevant domain name to each site (this won't have a public effect, but prepares the webhost for where to point the incoming domains). There's a way of viewing and testing them through a browser that I can't remember - you won't have a static IP address though so I can't remember how to do it, but I'm sure DreamHost support will tell you.
3. Inform your old registrar that there's a transfer about to happen.
4. Use the DreamHost panel to instruct DH to initiate a transfer of such-and-such domains, providing the old registrar's details.
5. New registrar will contact old registrar. Old registrar will contact you and ask you to verify the transfer (in the old days this was often by fax; these days there's either email confirmation or a secure verification form online).
6. Domain transfer will happen in about 24 hours if 1and1 are playing ball.
7. At this point both sites - and email - may be live at the same URL depending on the speed of DNS propagation and where a visitor is in the world. (That said, I've had it happen instantaneously - DH may have a good relationship with one of the top-level DNS servers.) But just in case, it's vital to keep both sites on the go simultaneously. You may have to check two mailboxes too to make sure you don't lose any email.
8. After about 48 hours, to be completely safe, during which time you should archive email from your old host, you can then close down the old hosting account.
9. Then play with the goodies on the new site!
By the way, the Google Mail at your domain part is optional. Personally my new clients get it, with POP3 enabled, as it's such a good interface, but you don't have to - DH have their own webmail/POP client too, though it's fairly primitive.
Mangetout
11-09-2010, 03:06 AM
It is always recommended to keep your domain registration separate from your web host so these kinds of issues don't arise.
I've heard that, and understand the reasons, however, there's also something to be said for having a single person to whip when something goes awry - there's no way they can deflect responsibility.
Also, many hosting packages come with free domain registration. It seems a waste not to take advantage of that, although I suppose it could be used to register something other than the primary domain.
AnalogSignal
11-09-2010, 04:06 AM
I've heard that, and understand the reasons, however, there's also something to be said for having a single person to whip when something goes awry - there's no way they can deflect responsibility.
But if the web host is unscrupulous or incompetent they can make your life difficult and delay transferring the domain. If my web host gets flaky, I would simply upload my site to a new host and redirect the domain to the new host. There is nothing the old host could do to stop this.
Sailboat
11-09-2010, 07:32 AM
There are reasons they might need your account or FTP passwords.
None of those reasons are the slightest bit legitimate.
If for some stupid reason their system really does require them to ask users for passwords, it's a huge neon sign their system is stupidly designed and badly run.
Flee.
kushiel
11-10-2010, 12:44 PM
I've been on the other side of the fence, sort of. I do web development, but the place I work at has the web server across the country in a colo facility. I only have cPanel reseller access, and cPanel can be wonky with what it lets you access as the superuser (it won't let me access phpMyAdmin from the reseller account, which I find stupid). But if I were the tech support in the OP, I would always reset your password, tell you why I needed to do so, and give you the instructions to change it again.
Mangetout
11-16-2010, 07:55 AM
Heh. A week on, nothing had happened - the problem file was still there. I emailed them (replying to, and quoting, their previous message - the one about the 'one time courtesy'):
Hi there
Please can you give me an update on when this problem might be resolved? The problem file is still there.
Thanks
They replied:
Thank you for contacting us.
We have checked your case and found out that backup request was not processed because you did not provide us your ftp password. We could not request backup unless we verified the ftp password.
If you have any further questions please do not hesitate to contact us.
So I went back with:
Three things:
This is not a backup request. It's a request to delete a file which I cannot delete myself either through the webspace explorer, or in my FTP client.
*Please would you confirm that you actually understand the request I made here?*
Your support people already authenticated me on the phone, and stated that they would process the request without me needing to give you my FTP password (it's right there in the email from [operative name] quoted below)
I find it highly irregular that you're asking for my passwords to verify my identity. And asking me to send this by email is even worse.
They have now deleted the file, saying:
Dear Customer,
Thank you for contacting us.
In connection to your concern, we check this file name [the file name] and it is no longer exist. Could you check on your end if the said file is still there? Hoping for your quick response.
If you have any further questions please do not hesitate to contact us.
Following the closure of this case, I did get a standard survey invitation to rate their service. As you can imagine, they did not score well - and I added comments to this effect. I'll also be writing to them separately to discuss this matter further, however, I can't really see any way they can restore my trust now. Time to start moving to a new host.