Moniker tries to improve security, but…
Moniker just sent an email to all of its customers notifying them that their passwords were reset in the name of better security.
Requiring stronger passwords at Moniker is a good idea. It has historically had weak password requirements, both in password character composition and in whether passwords ever had to be changed.
Yet the way Moniker made the change was probably counterproductive to security.
The email to each customer included the login username and new password in plain text.
That means you should definitely take Moniker’s advice to “Please reset your passwords to one of your own choosing that meets the new password requirements at your earliest convenience.”
Earliest convenience should be “five minutes ago”!
The email is also addressed to “Dear Valued Client” rather than to the customer by name. This is a security no-no because it trains customers to expect that official communications won’t be addressed to them personally, which makes it easier for phishers to exploit those customers in the future.
The email does include an account number. But I doubt many people know their account number off the top of their head. In fact, I’ve always used a username (not account number) to log in, and it appears this username no longer works!
At least there’s some good news from Moniker on the security front: two-factor authentication is coming soon.
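The two problems above (a credential in the email body, and a generic salutation) are avoidable. The following is an added example, not Moniker’s code, of how a registrar could run a reset flow that emails only a short-lived, single-use token and greets the customer by name; the domain `registrar.example`, the 15-minute lifetime and the in-memory store are all assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes

# Constructed in-memory store: sha256(token) -> (username, expiry time).
# Only the hash is kept server-side, so a leaked table does not yield usable links.
_pending_resets = {}


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username, now=None):
    """Create a single-use reset token and return the raw token for emailing.

    The token itself is never stored; it is only recoverable from the email.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    _pending_resets[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token, now=None):
    """Validate and consume a token. Returns the username, or None if invalid."""
    now = time.time() if now is None else now
    entry = _pending_resets.pop(_hash_token(token), None)  # pop => single use
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:  # expired tokens are discarded, not honored
        return None
    return username


def build_reset_email(display_name, token):
    """Render the notice: personal salutation, no credential, link carries only the token."""
    return (
        f"Dear {display_name},\n\n"
        "A password reset was requested for your account.\n"
        f"Use this link within 15 minutes: https://registrar.example/reset?token={token}\n"
        "If you did not request this, ignore this message; no password has been changed.\n"
    )
```

The customer picks the new password on the web form after the token is redeemed, so nothing in the mailbox can be reused once the link has been consumed or has expired.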
Digital Address says
Username works with newly provided password but password cannot be updated!
Andrew Allemann says
I was able to change my password but my username doesn’t work. I’m forced to use the account number to log in.
Scott Wolpow says
It is the same poor management that led to the worthless new interface. When I saw the email I assumed it was phishing.
Richard Kershaw says
I could reset it under Manage Account Users, but not under Change Password. Either way – I cannot believe they are sending out passwords in plain text emails.
Just another reason to continue transferring my domains out of Moniker! They also changed “account numbers” because mine started with 247 prior and is totally different now.
How many dumb things can one company keep doing? Really! Who resets passwords and just sends full login details in a plain email with no personal name attached to the account/email? Man oh man!
Andrew Allemann says
Interesting. My guess is Moniker has had a number of different options for username/account number over the years, and they might not even be fully aware of this.
You know they suck when they can’t spell or use correct grammar. “Your password has been reseted” LOL
Your password has been reseted. You will receive an email with the new password according to your customer id.
Andrew, many thanks for posting this. When I saw plaintext passwords sitting in the email this morning, I thought for sure that it was some type of weird phishing attempt or your typical spam filter poisoning. Especially since there was no warning whatsoever that the reset was coming.
I’m locked out of my account now because of confusion over account #s/usernames (i.e. the changed password didn’t work with usernames). But at least the password was successfully changed away from the one exposed in the email.
Kind of wondering how many Moniker customers use the same email for their account and for their publicly exposed whois contact. Feels like there’s an attack vector somehow given that the reset password is just sitting there in plaintext. Worse, if the email account was already silently compromised.
Nice, I didn’t even get any emails for all 3 of my Moniker accounts… what the hell? Old passwords don’t work. I can only hope I can get them via the ‘forgot password’ link, otherwise I guess I will be forced to endure the torture of calling them.
Well, no emails from Moniker telling me about this in the first place, and when I try to reset the password via the forgot password link, it says it’s “reseted” but I get no email….
Apparently I jumped the gun on this. I called them and said I never received an email about the password change. They said there is a lag and passwords are still being generated. I have now received one for one of my accounts and they verified the others should be on their way, so if you didn’t receive an email yet, don’t bother doing the reset password; it should be on its way.
Stupid is, as Stupid does.
Moniker has learned NOTHING from their software interface fiasco. What does it take to fire incompetent employees, especially CEO Bonnie Wittenburg? CEOs are responsible for what happens under their command. Why is she not being held accountable?
Allow me to add more *%$# on the pile…..
Your transaction history is GONE!
Anything…. transactions, receipts, transfer info, etc…. prior to the new interface release does not exist anywhere!
Last week, when I could not find my receipts from last year, I sent an email asking about my transaction history.
Here is Moniker’s reply:
“We apologize for the inconvenience, and appreciate your patronage. Unfortunately, when the Moniker migrated to the new platform on 5/31/2014, access to the invoices prior to that day was discontinued. To view invoices after 5/31/2014, you can click on the Invoices link from the User Profile section of your account, and enter 2014-05-31 where it shows Date is greater, then click on Submit Filter. The title is part of the new platform, and is necessary. Should you have any further questions, please do not hesitate to contact us.”
need I say more?
WOW! A company couldn’t telegraph their incompetency in a more public way if they tried.
Important note for everyone:
It looks like what happened when Moniker changed to their new system they created 2 user accounts per account. 1 was your login name, and another login with the username being just your old account id from the old system. If you look closely in the emails they sent out today you will see the new passwords for both logins. So you actually have to update your password twice for each account. There does not seem to be a way to simply delete one of the two logins per account.
I’m fortunate in that my old account number is in the low 4 digits. That’s what I’ve always used to log in anyway.
Also note, you cannot change both passwords from 1 login. Once you finish fixing one, you have to log out, then login as the other user and change that one logged in as that user.
So far, I’m good. Chris phoned me back from an email I sent to Marti Johnson, Customer Service Supervisor. My one account turned into a secondary account, but I was able to log in and change the passwords of both. A charge appeared on my balance of $4.65, but Moniker will credit it. Probably, because I have a low-value portfolio of hand registrations, not even the hackers want my domain names! Maybe some of them . . .
Moniker is making improvements and progress in its dashboard. You can now transfer domain names out in bulk, not just in, and I noticed the Export button, which allows you to download a list of your names, with expiration date in one cell, in a CSV document onto your desktop. I like that feature. Seems like all of my domain names are accounted for at this time, and I transferred a handful of them to a couple different registrars, no issue. The problems from June, disturbing as they were, were solved in June, for me, and everything is fine, now.
On the topic of transactions – I loved that feature! But I created a unique email box for all my Moniker correspondence, and have every email ever sent to me, and the ones I sent, saved from 2009 – thank God! Thank Fluidhosting, my hosting.
Actually, studying my IP record, I see on September 18th, 22.214.171.124, mentioned in the comments on Acro’s article,
Moniker password reset points to apparent mass hacking of accounts
so, I guess my account was hacked, too! He took a look around, and said, “I’m not bothering with these domain names!” lol
The password change worked for me fine but I am now stuck using the account number as opposed to my username I have had for over a decade… there goes logging in easily by memory to reg a new name lol
I have 3 account users on my one account:
My new account number – primary
my old account number
my old user name
what a mess….
Don’t forget to change passwords for these other logins or set them to inactive as well.
Hitoshi Anatomi says
2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.
At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Well, whoever still kept his domain names at Moniker had it coming. And it will be getting worse, so if you still have domains there, run the fcuk off, ’cause next time it will be YOU affected, losing everything… so get the fcuk out while you can!
Domo Sapiens says
Andrew, Thanks for being the first to alert…
You must use the new account number to update the password.
Moniker: from the most secure and respected registrar to one of the worst…
Another recent and significant issue is that during the last site update/migration they forgot to include the transaction history on each account (pre-migration).
Andrew Allemann says
I’m not sure it’s fair to say Moniker was ever the most secure. I’ve always been suspicious of their security given poor password requirements, no password change requirements, and lack of two-factor authentication.
But you’re right, this certainly didn’t improve security!
Domo Sapiens says
I should have said “allegedly” …
Been trying to get in for about a WEEK now, reset several times with each combination sent and NOTHING WORKS.