Password change notice

Received an email from support telling me that I needed to change the password on one of my VPSs because it was old. First one of these that I have gotten and at first I thought maybe it was a scam. Honestly, this is a game I don't want to play. If your server is properly secured and firewalled, an old password is no more vulnerable than a new one. Take the feedback for what it's worth. I think you are overstepping.


Active Member
Old passwords are more vulnerable than new ones. It's the reason there are standard password policies in enterprise environments that by default expire users' passwords every 30 days. It's also why your credit/debit cards are expired and replaced every few years. Granted, as you said, there are things in place to reduce the chance of attacks being successful, but they're even less successful when you change your password from time to time. I'm confident KH has a secure site, but any time I have to provide a password to allow even temporary access to my server, I change it; it's just due diligence.

There are dozens of reasons it makes sense to regularly change your passwords, everywhere, not just on your server, but besides convenience there are few reasons to not regularly change them. I recall a large organization, *cough*yahoo*, and many others, that got hacked and so many users' passwords were leaked, then two years later, "uh oh, yeah, sorry, we were hacked a couple years ago". Guess who wasn't at risk when that happened? Everyone that already changed their password after they were compromised. I doubt something like that could ever happen to cPanel, or Apache, or clam, or Exim, or ftpd, or mysql, or ConfigServer, or ssh,...

It's just a friendly recommendation to increase your server's security. Even if it just takes your server from being 99.9999998% secure to 99.9999999%, isn't it worth a simple password change?