My ISP asked me to tell them my account and FTP passwords - does that seem reasonable to you?

Somehow, a file got stuck in my webspace that I can’t delete, rename, move, etc. I recognise the filename - I assume it’s just a glitch of some kind, but I think it’s fouling up my backups, because I can’t even copy it (and I think the backup process is probably finding the same).

I raised a call to ask them to get one of their admins to delete the file. Their first response was:

OK, this seemed slightly unnecessary, as I had to log into my account just to raise the request, but still, it didn’t seem terribly unreasonable to reconfirm my identity before proceeding.

So I made the phone call - and they asked me a bunch of security questions. One of these was the password to my account - which seemed an odd request, but I complied - I changed it to something else ten minutes after the phone call, just in case.

Then I got another email:

They want MY FTP account details so their admins can access the account?? WTF?

So I replied:

They replied:

This just smells like complete bullshit to me. My concern isn’t about account security, it’s about professionalism. I was enough taken aback that they asked me to tell them my account password on the phone, but subsequently asking me for my FTP password by email just seems terrible practice. Especially as I had already authenticated by confirming name, last 3 digits of my debit card, account number and support call reference on the phone. What say you?

Damn. I mean web host, not ISP.

Well, if they do want to log in as you, they probably need you to tell them your password. It’s not at all uncommon to store passwords encrypted, so that even the Admins can’t easily look them up.

If it concerns you, change your password for the duration of the support issue, then change it back.

Which company are you with? Or do you prefer not to say?

That response reads a bit like Indian English, so my theory is that they’re a call centre in Bangalore that isn’t given enough rights to fulfil anything other than standard requests, but they’re trying to be helpful and work around the restrictions imposed on them by the company.

But yeah, very unprofessional.

It seems strange. Passwords are not normally used for verification.

If you are on a shared web host (which you most likely are), they have sa privileges and can delete any file. If you are on a dedicated web host, they would need the password.

It’s 1and1. The call centre was hard to place - didn’t sound like the UK, but didn’t sound like India either.

That was pretty much my feeling on the matter. It just seems strange.

Yes, it’s a shared host - I don’t have shell access at all - only FTP and a file explorer interface via the web admin tools.

I’ve never had that happen; the admins of the webhost should have super user rights or root access for your site and the others on that host.

It’s not encrypted, is it?


The password is probably encrypted wherever it’s stored, but there’s nothing unusual about the web hosting.

Then it sounds like the people who want your password and so forth, do not have root or superuser access to your site. For me and my host, it’s a separate set of passwords to get into the client section and the cpanel on the website, and they have never asked for any site admin passwords, they just go and do whatever I asked them about, when I open a ticket.

Mine has tech support on site, so I can’t comment on webhosts if they have outsourced their support to a third party and any authentication issues that would require.


1and1 doesn’t need FTP access. You can access your files through an online version of your account. It’s a LOT slower than FTP access but if you can do it through your web browser they certainly should be able to.

Their explanation is that they need me to divulge the passwords for verification. Ultimately, I have to trust them with a lot more - as they could very easily muck about with my files without ever asking me, or for that matter, abuse my personal data, but if this really is part of their verification policy, it just seems wrong.

If you have your page backed up, and it is possible to change your password if you’ve forgotten it, I’m not sure what risk there’d be.

That said, I also see a possible coverup: you didn’t need to give your password, but they don’t want to admit that, so they make it sound like they gave you a special deal. Otherwise, they just really don’t get that a password is not a good way to verify someone’s account.

Part of the problem is that the broken file can’t be copied, so I can’t properly back up the site (I do have manual backups I created piecemeal, but I’m not sure they would be so easy to restore as a single archive that was zipped on the server).

I think I’ll wait until they close the call, then try to voice my concerns to someone other than first line support. I’m not really worried about the practicalities of giving them my password - I just think it’s something they should never ask for, as a rule, because users should be habitually ingrained not to divulge them.

Oh God, they’re awful. An ex-client of mine uses them and they suck bigtime. My client didn’t back up his mail - he only used the webmail interface (yes, he’s a complete dumbass) - and an entire year’s worth of email disappeared - trade enquiries, etc. etc. He called them, and they told him that they didn’t know what he was talking about, and he had never had any mail there in the first place. Then, a fortnight ago his site reset and restored half the files from last year’s version, so the shop is now full of products that he no longer sells… and he is now blaming ME for the cockup (he doesn’t understand my explanation, due to being a dumbass). I have fired him as a client for other reasons (including not thinking he had to pay me - did I mention he’s a dumbass?), but half of his problems to date have been caused by the damn webhost.

I deal with A-Plus here in California and they constantly require passwords to do the most menial tasks. I am continually re-setting my password and they also completely deleted an entire email account from one of the shared servers.

Ironically, I spent the weekend moving all of my stuff to a new web host and am looking forward to canceling my account…

I know you deal with this stuff on a daily basis, so I’d be pleased to hear your recommendations for alternative hosts.

I’m only paying a fiver a month for my current package, which has ‘unlimited’ bandwidth (which I know isn’t really unlimited, but for my purposes, is sufficient), 5gb webspace, PHP, etc, but no databases.

I’m guessing Alabama.

I would bail on that host in a heartbeat. Firstly, they should have other ways to verify the account. Secondly, this means they’re either hashing the password you give them and comparing it to the hash in their password stores (where you really have no legitimate business going 99% of the time), or they have a decrypt function they’re using on your real password to compare the plaintext. The former is unprofessional, the latter is a security risk.

Ultimately you’re right that you’re trusting them with more already, but if they’re accessing plain text versions of your password (even the ones you’re sending them) then it’s like leaving the door open and the lights on using the justification that anyone who wants can just kick the door down anyway. Technically true, but why let your security be some thief’s low-hanging fruit?


Several years ago Kal recommended DreamHost to me, and I’ve never looked back. The charge is maybe £6 a month (it’s ~$8.95 if you pay in annual installments) and the amount of stuff they give you is unreal. PHP, multiple SQL databases, dozens of one-click plugins including photo galleries, messageboards, streaming media including Flash, blogs, wikis, etc. Have a look at what they throw in! I don’t know much about Linux but I believe the level of access is pretty high if you know what you’re doing.

They will also tie your domain in with a free Google Mail account hooked to your domain. You can hang multiple domains off the same hosting account, too - seven of my clients are hosted on a single hosting contract. Reasonably simple panel too.

But best of all their customer service is superlative. It’s based on the US West Coast and not 24/7 [ETA: I tell a lie, they’ve now gone 24/7], but it’s incredibly attentive and helpful. I’ve never had a problem that they couldn’t fix immediately; that said, I’ve hardly had any problems either.

I don’t get commission: just seriously impressed with what they offer and how they treat their customers. Funniest corporate newsletter I’ve ever read too.