Password Change Emails, and a Password Generator

December 6, 2007

You have until December 13th to change the email passwords on your account; otherwise Fasthosts will scramble them. If you have customers with email hosted with you, and their passwords are scrambled, you will receive a phone call for each email address, and will have to change these manually and talk your customers through changing the password in their email client.

Bear in mind that you won’t be able to send your customers an email after this time, because they can’t retrieve it without their passwords.

When the major password reset took place last Thursday, even people who had already changed passwords on their account were affected.  This suggests that if one or two passwords have not yet been changed on an account, Fasthosts technology may not be clever enough to scramble only those that have not been changed, and instead scramble every email address that is associated with the account.  No comment has been published by Fasthosts to explain this, so we have to be aware that there is a real possibility that the passwords could be scrambled anyway.

You will find new tools on your account to help with this. Only one is working at the moment: it gives you a list of the affected email addresses and the new scrambled password that will be effective after Thursday 13th.

Our advice is to send an email now to each address you have responsibility for. If you are happy to do so, include the Fasthosts offered password in the email and explain that this password will become effective on 13th December. Suggest that it would be better if they changed their passwords themselves using the MCP, and include a guide on how to do so (see link below).

If you have a lot of customers calling in, this could mean a lot of work for you, so make sure you set Thursday and Friday aside. It might also be a good idea to mention in the email that you will have to charge a nominal fee to change their passwords manually. This will usually encourage people who are able to help themselves.

You can find a guide to changing passwords that you can send to customers & staff at: http://www.supportguides.co.uk/emailpasswords/changing-email-passwords.pdf

If you do find yourself having to reset the passwords again, here is a tool that will help you quickly generate a good replacement: http://www.pctools.com/guides/password/.

Finally, make sure you make it clear to customers that they should not attempt to change their passwords back to the one they currently use.  This has not been made clear by Fasthosts, but essentially, this is what they mean when they say:

Under no circumstances should you reuse old email passwords.

We believe that they will run their password checker a few times, and if they spot an old password in use, it will be scrambled.  Either this, or their checker is only clever enough to compare the current password with the one they have on file from November 30th, or October 18th.  So if your customer changes their password twice in order to restore their old password, they are likely to fall foul of the scramble on December 13th and/or checks in the following days.  It’s not like Fasthosts are going to tell you this beforehand.

UPDATE [1]: We already know that Fasthosts store all passwords in plain text.  Hopefully this will be rectified soon.  You should probably not use the generated passwords offered by Fasthosts as these are likely to be easy to read somewhere on the system.  It’s doubtful that they will have had time in the last week to come up with some effective way to protect the newly generated passwords, and the script that delivers them in your control panel may be susceptible to attack.
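
If you would rather generate replacement passwords on your own machine than take them from a web page or from the control panel, the following is an added example (not from the original post or from Fasthosts). It assumes Python 3; the function names and the sample mailboxes are hypothetical and constructed. It draws from the operating system's secure random source, leaves out look-alike characters so a password can be read out over the phone, and refuses any password already listed for a mailbox, including the Fasthosts-offered one.

```python
import secrets

# Look-alikes (0/O, 1/l/I) are left out so passwords survive a phone call.
LOWER = "abcdefghijkmnopqrstuvwxyz"
UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"
DIGITS = "23456789"
SYMBOLS = "!#$%*+-=?@"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length=16, banned=()):
    """Return a random password that is not in `banned` (case-insensitive)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    banned_folded = {b.casefold() for b in banned if b}
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        has_all_classes = all(
            any(ch in group for ch in candidate)
            for group in (LOWER, UPPER, DIGITS, SYMBOLS)
        )
        if has_all_classes and candidate.casefold() not in banned_folded:
            return candidate


def rotate_mailboxes(mailboxes, length=16):
    """Map each address to a fresh password, unique across the batch.

    `mailboxes` maps address -> passwords that must not be assigned again
    (the current one, earlier ones, and the provider-offered one).
    """
    issued = set()
    result = {}
    for address, old_passwords in mailboxes.items():
        new_password = generate_password(length, set(old_passwords) | issued)
        issued.add(new_password)
        result[address] = new_password
    return result


# Constructed sample data: these addresses and passwords are made up.
SAMPLE = {
    "info@example.co.uk": ["summer2007", "Xk39dPq1"],
    "sales@example.co.uk": ["letmein", "Qz81mRt7"],
}

if __name__ == "__main__":
    for address, password in rotate_mailboxes(SAMPLE).items():
        print(f"{address}\t{password}")
```

Pass the new passwords to customers by phone or in person rather than storing the output in a file on a shared system.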
