There was a recent survey that we did on our servers. We checked our passwords. Well, we have never mentioned anywhere in our TOS that we will never look at your passwords. Well, we had to. To check the strength of the passwords. And what we found was overwhelming from a hackers point of view.
Though we have strengthened the server considerably, there will be no more server wide hack attacks, but the induvidual sites may be hacked, and hackers might try to put scamming pages on the sites of cleints. With passwords so simple, anyone can do anything. So, I managed to compose a mail and sent it to my clients this morning. It is pasted below.
On a recent survey that we ran on our servers, we found that most clients, resellers and clients of resellers have been using completely insecure passwords for their sites. A short summary of the results are below.
1 Many sites have been using the word password, pass1234 etc as their passwords.
2. Many have been using their domain names without the tld as the password.
3. Many have been using passwords such as abcd1234 etc.
4. Many have been using their inbox id as their passwords for example if your email id registered in your domain is ajay@gmail.com, the password that we found them to be using is ajay.
This makes things very simple for hackers who want to hack into your ftp and put up content of their own. Recently we found that there have been alarmingly large quantities of fake phishing pages put up on unsuspecting domain names. We manage to remove them in time and that way the client is saved, otherwise, if there is a serious issue, as per our terms of service, we forward any information that we hold of the clients to the authorities, and you will be put into grave trouble for no mistake of yours.
Therefore we request or clients, and ask our resellers to advise their clients that even if they think that their site is not important, it is a web presense, and a space on a web server that can be accessed by anyone in the world, and that they have to keep it well protected. Here are a few points of advise that we can give you
1. Always use a password generator software to generate secure passwords.
2. Though we provide unlimited email ids, never have unwanted main ids, or leave an inbox unchecked for a long period of time, a hacker might be using it and you may never know. Its your domain name that is beingused to send out emails.
3. Keep your FTP passwords ultra secure. If there is 1 unwanted file, that is being propagated, that could put you in very big trouble.
4. If you are not running PHP or ASP, remember to keep them switched off from your control panel.
5. Never use passwords as mentioned above, like using your name, domain name or email id.
We urge that all passwords be reset immediately to something more complex. Please treat passwords as important as keys to your house.
There are Brute Force Protection installed on our servers, but simple passwords like these are easy to pass thru. cpanel/whm has a password generator built in them, while plesk doesnt. However, Plesk and cPanel and webmail services on our servers have SSLcertificates  installed and are secure so any password you use on them are secured.
We request all to make the necessary changes for your ftp, mail and domain name control panels at the earliest.
