ARCHIVE: Please don't lock me out
I hate how my /tech 'blog has somehow become a rant against big tech companies' ridiculous policies. Today's star is surprisingly my favorite domain registrar: GoDaddy. I have two accounts and over fifty different active domains registered via them and I love the price, the ease, and the service. Many complain about their service but I've called them over 10 times in last six months and I've had nothing short of a stellar experience and great help each time.
So obviously my rant is towards something else: Namely, their lock-out policy. It is common for OSes, software, and websites to lock your account for about 30-minutes to a few hours if someone tries to log in using incorrect password repeatedly. It sounds like an ideal protection against dictionary attacks and brute force methods. If you forget your password, you have about 3-5 attempts to get it right. If you still can't recall it, it doesn't make a difference if you have to wait for 30-minutes due to lock-out because you need to contact a sys-admin anyway to help reset your password. You have nothing to lose because of a lock-out. After all you forget your password in the first place. If someone else is trying to log into your account by randomly guessing passwords, they will be locked out in just a few attempts and will have to try again later. If this happens, say at your workplace, account locks might even help find who was trying to log in as you. Good security measure.
Where's the problem you ask? When it's a website that anyone in the world can access and in addition to (or instead of) usernames, it uses serial numbers for Customer IDs that anyone can guess. Like GoDaddy. If my username is 'mycompany' and someone wants to login as me, they need to know TWO pieces of information - my username and my password. If they know my username but not my password, they will lock me out for 30-mins to 24hrs by failed login attempts. That's ok. My username is not published anywhere. However, if they can also login using my Customer ID (which happens to be a simple 7-8 digit number), the thieves can unknowingly lock me out with absolutely no prior information. With ZERO pieces of information, they can cause harm to paying customers of a company! Think about the disservice to the real paying customers.
Once a month for the last 3-4 months, someone randomly tries to log in to my GoDaddy account. I doubt whoever it is knows my username or email. Chances are they just make a random 7-8 digit number and try a bunch of different passwords. They fail (thankfully) and GoDaddy locks me out (unfortunately). Now I'm prevented from buying a new domain for next few hours through no fault of mine. I have to call GoDaddy, go through the Reset-My-Password process, and come up with a new strong password each time just to log into my own account. I am now mad at GoDaddy because of some script kiddie in Indonesia. If this persists, I will consider switching registrars. With over $1500/year of my money going to GoDaddy for domain registrations, domain transfers, and SSL certificates, I expect 24/7/365 access to my accounts at my fingertips.
Dear Bob Parsons, I love reading your 'blog. Keep it up. However, make it so that nobody else in the world can lock my account just by guessing random numbers. I can go to GoDaddy right now and lock out whoever Customer ID 4294659 (or 50301231 or 89412123) is by trying to log in a few times with that ID# and password "HAHA!" If the poor schmuck that has that Customer ID tries to buy www.new-special-domain.com in the next 24-hours, GoDaddy won't let him even login. Business lost. Paying customer angry.
Solution is to require a strong password (and GoDaddy already does when you have a credit-card on file) and stop locking accounts when a Customer ID is entered. Keep locking if invalid username/passwords are entered if you want, but never if invalid customer#/password is entered. Thanks.
So obviously my rant is towards something else: Namely, their lock-out policy. It is common for OSes, software, and websites to lock your account for about 30-minutes to a few hours if someone tries to log in using incorrect password repeatedly. It sounds like an ideal protection against dictionary attacks and brute force methods. If you forget your password, you have about 3-5 attempts to get it right. If you still can't recall it, it doesn't make a difference if you have to wait for 30-minutes due to lock-out because you need to contact a sys-admin anyway to help reset your password. You have nothing to lose because of a lock-out. After all you forget your password in the first place. If someone else is trying to log into your account by randomly guessing passwords, they will be locked out in just a few attempts and will have to try again later. If this happens, say at your workplace, account locks might even help find who was trying to log in as you. Good security measure.
Where's the problem you ask? When it's a website that anyone in the world can access and in addition to (or instead of) usernames, it uses serial numbers for Customer IDs that anyone can guess. Like GoDaddy. If my username is 'mycompany' and someone wants to login as me, they need to know TWO pieces of information - my username and my password. If they know my username but not my password, they will lock me out for 30-mins to 24hrs by failed login attempts. That's ok. My username is not published anywhere. However, if they can also login using my Customer ID (which happens to be a simple 7-8 digit number), the thieves can unknowingly lock me out with absolutely no prior information. With ZERO pieces of information, they can cause harm to paying customers of a company! Think about the disservice to the real paying customers.
Once a month for the last 3-4 months, someone randomly tries to log in to my GoDaddy account. I doubt whoever it is knows my username or email. Chances are they just make a random 7-8 digit number and try a bunch of different passwords. They fail (thankfully) and GoDaddy locks me out (unfortunately). Now I'm prevented from buying a new domain for next few hours through no fault of mine. I have to call GoDaddy, go through the Reset-My-Password process, and come up with a new strong password each time just to log into my own account. I am now mad at GoDaddy because of some script kiddie in Indonesia. If this persists, I will consider switching registrars. With over $1500/year of my money going to GoDaddy for domain registrations, domain transfers, and SSL certificates, I expect 24/7/365 access to my accounts at my fingertips.
Dear Bob Parsons, I love reading your 'blog. Keep it up. However, make it so that nobody else in the world can lock my account just by guessing random numbers. I can go to GoDaddy right now and lock out whoever Customer ID 4294659 (or 50301231 or 89412123) is by trying to log in a few times with that ID# and password "HAHA!" If the poor schmuck that has that Customer ID tries to buy www.new-special-domain.com in the next 24-hours, GoDaddy won't let him even login. Business lost. Paying customer angry.
Solution is to require a strong password (and GoDaddy already does when you have a credit-card on file) and stop locking accounts when a Customer ID is entered. Keep locking if invalid username/passwords are entered if you want, but never if invalid customer#/password is entered. Thanks.