Jamie Thingelstad's personal website

Category: Techie (page 1 of 42)

Namecheap Leaks Password in Security Notification

Please make sure to see UPDATE section at end of this post.

This isn’t good at all. I have security notification alerts enabled in Namecheap because I want to know when something is changed related to my domains, just to make sure I’m always the one that initiated it. Today I changed my password and got this:

Activity Notification
Dear Jamie Thingelstad,

There was some activity in your namecheap account. Information on what
type of change occurred is available below.

Notification For     : PASSWORD
Date                 : 9/27/2015 4:15:28 PM  
IP Address           :
Username             : my-username
Domain (if relevant) : N/A

Old Details

New Details
Additional Information



If you no longer wish to receive notifications, you can login to your
Namecheap account and disable notifications in the Modify Profile >
Security Settings page. If you have any questions, please contact us.

I’ve replaced the passwords that were in the email because they were my passwords, sent in plaintext, in email. This is pretty much terrible.

  1. Of course email isn’t encrypted so now anyone that has sniffed that email knows my password, and my username is handily referenced as well (I changed it as well in this copy).
  2. This is evidence that Namecheap is storing my password in plaintext somewhere. They should only be storing the hash of it using something smart to protect it. Double bad!

The only good news is that I have the optional two-factor authentication enabled, which uses an SMS message to my phone, so I at least have that to fall back on. But this is a terrible security practice that I’m shocked Namecheap is doing.

Please fix this immediately!

PS: After fixing this, can we get a real two-factor solution instead of SMS?

UPDATE (Sept 28):

Within minutes of sharing this post on Twitter I got a response from @Namecheap.

and 17 minutes after that they confirmed that they fixed this.

Given how fast they fixed it I have to assume that what they fixed was issue #1, that they are suppressing the email notification for “PASSWORD” events. That is good and will keep the password from leaking into email; however, I would really like to know if they are storing passwords in plaintext somewhere. It should be impossible for a service to tell you what your password is; they should only know some form of a hash derived from your password.
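
As an added illustration (not code from this post or from Namecheap), here is a password-change handler that keeps only a salted scrypt hash and builds the activity notification without either password in it. The function names, the account dictionary layout, the placeholder field text and the scrypt cost parameters are assumptions for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values for this sketch, tune for your hardware
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the only password-derived data the service keeps: salt and digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hash_password(password, record["salt"])["digest"]
    return hmac.compare_digest(candidate, record["digest"])


def change_password(account: dict, old: str, new: str, when: str, ip: str) -> str:
    """Check the old password, store only the new hash, return the email body."""
    if not verify_password(old, account["password"]):
        raise PermissionError("current password is incorrect")
    account["password"] = hash_password(new)
    # The notification says that a change happened, never the old or new value.
    return (
        "Activity Notification\n"
        "Notification For     : PASSWORD\n"
        f"Date                 : {when}\n"
        f"IP Address           : {ip}\n"
        f"Username             : {account['username']}\n"
        "Old Details          : (not recorded)\n"
        "New Details          : (not recorded)\n"
    )


if __name__ == "__main__":
    # Constructed sample account and passwords, for demonstration only.
    acct = {"username": "example-user", "password": hash_password("old-Passw0rd")}
    body = change_password(acct, "old-Passw0rd", "new-Passw0rd",
                           "constructed-date", "192.0.2.10")
    print(body)
    print("stored fields:", sorted(acct["password"]))
```

Because the service holds only the salt and digest, it can check a login attempt but has nothing it could paste into an email.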

Google+ Profile Deleted

Was fun to do this one.

See ya Reddit

I’ve never been an active user of Reddit. I have an account because I tend to make accounts at websites I go to. I deleted it today. All the controversy at Reddit got me thinking more about this site. Relevant links:

Apple Watch Arrived

I ordered my Apple Watch on launch day and opted for the stainless steel with link bracelet. It was back ordered 4-6 weeks and yesterday it arrived. Yes, I was pretty excited to play with it!

The initial impression of it was great. I’ve worn a Rolex GMT Master II for about 15 years. I opted for this Apple Watch because it was the most similar in look, weight and feel to that. The heft and feel of the Apple Watch holds every bit as much respect as the substantially more expensive Rolex. As something that feels good on my wrist and looks great it passes.

The rest of this experience is about software and that will take time to have opinions on. I’m going to note some of my hopes here to compare to in a future post.

  1. I hope to check my phone less.
  2. I’m very interested in the better health data.
  3. Eager to use OmniFocus on this; I’m a heavy user of this and having it on my wrist has great potential.
  4. Explore new experiences with apps and glances.

Will be fun to explore this new ecosystem.

Personal Drone Camera

We are absolutely living in the future. Watch this video.

SaneBox Week

A couple of weeks ago I started using SaneBox to help me manage my email. I love the weekly report that it sends me, including the graph of email I’ve received. This is from my personal mailbox.

“New” Cable?

We got rid of cable TV a long time ago. Over 6 years ago actually, and technically we got rid of satellite TV. Every TV we have has an Apple TV attached to it and we still have one OTA TiVo Roamio we use to grab TV for free, the way nature intended it to be.

We do subscribe though to some services. I recently activated the 1-week free trial for HBO NOW. I’m impressed by the programming and it’s appealing to have access to the HBO original programming. We end up buying some of it in iTunes anyway. Maybe I’ll finally catch the Game of Thrones fever.

It feels like the “new” cable is forming.

Netflix + Hulu + HBO NOW

It’s not quite the à la carte of show-by-show programming, but definitely a whole new world.

I find it notable that my kids can both pick out the Netflix anywhere, but they have no idea what NBC, CBS, ABC or FOX are.

Apple Watch Ordered

Apple Watch Stainless Steel 42mm

After some debate I placed my order at 3:56am CT for the Apple Watch. I’m eagerly looking forward to experiencing a new user experience and brand new category of device. I went with the 42mm Stainless Steel Case with Link Bracelet.

I recently upgraded my Comcast cable modem and for the first time ever it looks like I’m connecting out via IPv6!

Last login: Sun Jan 25 20:07:50 2015 from 2601:2:5e80:491:4454:cac:b1a5:7271

Very cool!

Update: Sure enough, a visit to this IPv6 test site confirms IPv6 capability!

A couple of weeks ago I submitted an account deletion request to Facebook, logged off and erased my Facebook cookies. If you’re looking for me there, trying to tag me, or otherwise wondering why I’m not reading your Facebook posts this is why.

© 2015 thingelstad
