I was a huge fan of Namecheap, and I have like 25 clients using them.
But... I haven't been a fan of them lately.
I've got a password manager and 2FA on all my accounts, and I went to sign in. I kept getting an incorrect password response. Reset, tried again. Just kept getting the same error. Freaked me out as I couldn't sign in.
Fast forward, came to find out because I was on my company VPN they were blocking me. Rather than just show a message, "We don't accept users on a VPN..." they let me think my password was wrong and go through the panic of not being able to sign in. And, even though they thought I was some sort of spammer / hacker for using a VPN, they were more than happy to discuss my sign in details over live chat.
I sort of get "security" here, but they shouldn't be heavy handed with just saying who can and can't sign in, and if you are going to block me, tell me why -- at least send an email letting me know what's up if you don't want to display a browser message. 2FA was enabled, at that point... just leave it up to the user where they want to sign in from, don't put in secret rules around who can and can't sign in.
Anyway, I moved everyone over to Amazon Route 53 and haven't had any more issues.
Unfortunately that's what many companies do. IIRC, this includes connecting with OVH IPs to Mojang (Minecraft) login servers. It's becoming a popular practice that is not good in UX terms at all.
Sounds like a great practice. You don't let the spammer know they're found out, and if you call customer support about it they are able to tell you what's wrong after you've verified extra info. Would you rather they give hackers access to lock you out or unlimited access to keep trying?
Security by obscurity is none at all, the customer/hacker can call up and provide information/pretext no problem - plus the information is available on public sources (such as this one) on why the issue occurs - a smart enough attacker can just use other proxies until it finds one you didn't ban, whereas legit users are probably SOL.
Blocking known sources of brute force attempts and attacks is not security by obscurity and it should be a mandatory practice.
Run a website of any importance and you will quickly be shocked at the amount of malicious traffic that keeps coming from Tor/DigitalOcean/VPN/openproxy and a few other sources.
Just to clarify something, I was a legitimate user with a strong password (100 character) and 2FA enabled.
And they blocked me.
They didn't tell me why, I figured it out on my own inadvertently.
I wasn't on a junky free VPN, I was on a corporate VPN service.
And I was blocked, worse I was given false information about my password being incorrect... and worse still, given that they assumed someone was trying to enter a fake password, they never emailed me to let me know -- I had to contact them.
Plenty of legit reasons for someone to use a VPN. I'm relatively certain nobody from the telco in Australia who set up the VPN had been trying to hack Namecheap, looks more just like someone found a way to classify that IP as a VPN and blocked it.
And look, to put the nail in the coffin, they were more than willing to tell me the email address to check for the reset password via live chat.
Anyway I tend to be the guy harping about security, but when they start banning VPNs just for being a VPN I don't think that's secure, I think it's obnoxious. We should encourage people to use VPNs, not make it annoying for them.
Proper procedure would be to let the bad guy try, block the IP (or better yet, browser fingerprint), let them know why they were blocked (in case they aren't a bad guy), and (if the owner didn't have 2FA) send the owner an email saying someone was trying to get access but wasn't successful.
For users with 2FA, all you'd ever really have to do is send an email to the owner, and / or access distribution list, letting them know when a certain user signed in. I wish more people offered this service, getting access notifications when any admin signed in would be key for helping me figure out what task broke something if I have to go fix it.
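One way to implement the flow this comment describes (an explicit block reason instead of a misleading "wrong password", an email to the owner of a non-2FA account when a source is blocked, and a sign-in notification for 2FA accounts). This is an added example, not code from the thread or from Namecheap; the failure threshold, the addresses and the `outbox` list standing in for real email are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

FAIL_LIMIT = 5  # constructed: failed attempts from one source IP before it is blocked


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    has_2fa: bool  # second factor is assumed to be verified elsewhere
    email: str


def hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password KDF the real service uses
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name: str, password: str, has_2fa: bool, email: str) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, hash_pw(password, salt), has_2fa, email)


class LoginService:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.failures = {}   # source ip -> consecutive failed attempts
        self.blocked = set()  # source ips blocked after FAIL_LIMIT failures
        self.outbox = []      # (recipient, subject) pairs; constructed stand-in for email

    def login(self, name: str, password: str, ip: str):
        """Return (status, message); the message is safe to show to the client."""
        blocked_msg = f"sign-in from {ip} is blocked after repeated failed attempts"
        if ip in self.blocked:
            return "blocked", blocked_msg  # say why, even if the password is right
        acct = self.accounts.get(name)
        ok = acct is not None and hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash)
        if not ok:
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= FAIL_LIMIT:
                self.blocked.add(ip)
                if acct is not None and not acct.has_2fa:
                    self.outbox.append((acct.email, f"failed sign-in attempts on {name} from {ip}; source blocked"))
                return "blocked", blocked_msg
            return "bad_password", "incorrect username or password"
        if acct.has_2fa:
            self.outbox.append((acct.email, f"{name} signed in from {ip}"))
        return "ok", "signed in"
```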
I have had so many problems with 2FA and Namecheap. I use 2FA on any service that will let me. Needless to say, I am very confident in using it. All my 2FA are set up in my Authy app, and I use it many times a day without issue.
But then comes Namecheap. They are literally the only service on the internet where I will get locked out with 2FA. It will keep claiming it is the wrong password, when I know it's not. I don't ever have a problem with any other online service, but the 2FA on Namecheap is a constant problem.
I have been locked out on Namecheap for no reason now 5+ times, so I have now just turned it off.
Now that I read your comment, I wonder if I have the same problem. I am sometimes logged in via VPN and I wonder now if that is why it was rejecting me. It's frustrating because I know the password is correct and the app is set up correctly, but it will keep claiming I have the wrong password. Like I said, I now just have it turned off, because I am terrified of losing access to my domains. But I am also terrified of not having 2FA protecting my domains. So it's made me consider transferring elsewhere.
I also considered just using Amazon. Most of my domains are already using Route53 as a premium DNS instead of relying on Namecheap as a DNS anyway. So I am considering just having them be the registrar too.
I've been trying to move away from Network Solutions (now web dot com) for years and NameCheap was the closest to a halfway decent registrar I could find. That said, I don't like them or any of the other registrars. Most of the registrars have been bought up and their backend wrapped with some other company's junk UX. I also tried name dot com. They don't even have the capability to set apex DNS names as NS records. Black Knight closed my account with no reason at all. The only halfway decent registrar is Mark Monitor and they are too expensive for my hobby sites. I always move corporate DNS and Cert management to Mark Monitor, but for personal use, all the popular registrars are just garbage, in my strong jaded opinion. MM is just a reseller of certs and they don't even offer all the capabilities of the vendors they resell.
I am purposefully staying away from AWS. They are super popular right now and developer friendly, but I know how their business operates and that popularity will subside in a few years. I predict many of their users will feel betrayed at some point in the future after enough people have moved to their DNS.