Is this a huge security issue with GoDaddy?

digit-al

PS: if you're not familiar with a dictionary-based brute-force password lookup kind of hacking attack, it's kinda central to this post, you may wanna google it ..

I just registered some domains with GoDaddy. During the registration I entered a long password, about 30 characters. The domains were generated and I got a success email, but I couldn't log in. After a while I rang customer support, they reset the domain, and I checked the max length .. the guy says 7-14 characters, and my jaw drops ... hits the floor more like it .. so I ask him if there's a way to make it longer .. because reverse compiled dictionary attacks can very quickly break passwords of normal length, and 14 characters is the *minimum* for a secure password, according to my security understanding from a few years ago .. I generally opt for 20+ to ensure a bit of future time safety.

Maybe I'm expected to trust that GoDaddy will detect and allow it, go the extra mile on their end with a sophisticated detect and deny strategy, but it would be so very simple to also extend the password length.

To sweeten it, the customer service rep absolutely would not log an issue internally, he agreed with me about the issue, but when I asked him to do something internally and let me know about what seems to be their big security hole, all he would do was recommend I send an email to suggestions.

Given the theme of not doing simple basic things for the customer, I wanted to get some community perspective here .. check if my assumptions are correct .. and what the best thing to do is .. so what do you guys think?

IMO a 30-character password is ridiculous; you are also assuming someone has your account number.

Seriously, if you can't create a safe password in 7 to 14 characters you may as well not use the internet at all.

Most people who hack into a GoDaddy account do so through phishing, so a 30-character password makes 0% difference.

Why should the rep waste everyone's time logging "the issue", just because you join up and want them to change their policy on your behalf?

It would be a security risk if there was no brute force attack detection in place.

7+ characters is plenty for services that require strong passwords and block / throttle brute attacks.

With that said, one's security is only as strong as the weakest link...

Many services have a "recover password" feature that relies on "security questions", which can often be weak and easily guessed ... i.e. What is your mother's maiden name? What is your pet's name? Where were you born? etc. Barring that, hacking the whois email, social engineering a registrar employee, etc.

In my view, a strong password / strong security answers are good, but not enough for protecting highly valuable domain names. Utilize 3rd party whois / DNS monitoring services, such as DomainTools. At minimum, log into your registrar accounts every so often and check for any unexpected changes / push-out notices, etc.

Ron

Why should the rep waste everyone's time logging "the issue", just because you join up and want them to change their policy on your behalf?
If I read this right, he was allowed to choose a password of a length higher than what can be stored in their system.

This is a UI bug then.

Actually, they shouldn't be storing passwords in plain text but password hashes instead. Hashes have a fixed length (32 chars for MD5, 40 chars for SHA1). So it should not matter whether the password has 4 or 30 characters. Not sure what to think of it.
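As an added illustration of the two technical points made in this thread (a stored hash has a fixed length whatever the password's length, and brute-force throttling matters more than raw length), here is example code that is not from GoDaddy, NamePros or any poster. It assumes PBKDF2-HMAC-SHA256 as the hash and models the reported 14-character limit as a hypothetical backend truncation, which the thread does not confirm.

```python
"""Added example (not GoDaddy's or any poster's code): a salted PBKDF2 store whose
digest length is fixed no matter how long the password is, a hypothetical model of
a backend that silently keeps only 14 characters, and a per-account lockout."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; tune so one hash costs ~100 ms server-side


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, 32-byte digest); the digest size never depends on input length."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


def capped_hash_password(password: str, max_len: int = 14) -> tuple:
    """Hypothetical model of the bug in the thread: the form accepts any length but
    the backend keeps only the first max_len characters, so the full password fails."""
    return hash_password(password[:max_len])


class LoginThrottle:
    """Per-account failed-attempt counter (constructed); locks after max_failures."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, account: str, password: str, salt: bytes, stored: bytes) -> bool:
        if self.failures.get(account, 0) >= self.max_failures:
            return False  # locked: the guess is not even checked
        ok = verify_password(password, salt, stored)
        if ok:
            self.failures.pop(account, None)
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
        return ok


if __name__ == "__main__":
    salt, stored = hash_password("a" * 30)
    print(len(stored), verify_password("a" * 30, salt, stored))  # 32 True
    salt2, capped = capped_hash_password("x" * 30)
    print(verify_password("x" * 30, salt2, capped), verify_password("x" * 14, salt2, capped))  # False True
```

With the capped model, the 30-character password the user typed never verifies while its 14-character prefix does, which is both the lockout the opening post describes and a quiet weakening of the password.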
How do you remember a 30-character password? I mean EVERY site would have to have a different password. Take 10 sites .. that's a lot of characters .. and they are a mixture of UPPER, lower, numbers and symbols.

Must be recorded somewhere externally....