After a couple of long years using 1&1 Shared Hosting and Virtual Private Servers, I've completely migrated all of my hosting to Digital Ocean and Heroku, and my domains to Namecheap. And after trying to cancel my 1&1 account, I now have complete justification for doing so.
1&1's experience has always been similar to that of a larger company, with over complicated systems and procedures to do simple things. Contacting their support means waiting through a phone queue, domains sometimes can take forever to switch name servers (though the process in itself takes a while on any provider, 1&1 seems particularly slow), and the various FTP and database account management systems are nightmares.
On March 30th, I navigated to 1&1's dedicated cancelation website and began the longer-than-needed process to terminate my account. At the end, I was greeted with a screen that asked me to call their support to confirm the cancelation.
Being required to call phone support is not the issue. In fact, it's probably better practice to require some sort of confirmation to prevent malicious third parties from terminating your business's website, but there was one line that bugged me:
"Please have your customer ID and password ready"
So, you want me to give my password to a phone support representative? Why not ask for my social security number, too?
There are plenty of other ways of confirming my identity and ability to access the account, such as the last four digits of the billing credit card or address and phone number tied to the account. In the end, after refusing to give the password, the representative was helpful and simply asked for the address and phone number, but it's the mere thought of a company asking for my password that is ridiculous.
While I use 1Password to generate unique passwords for each account I use, the majority of people that use 1&1 (non tech-savvy business owners using tools like 1&1's website builder) do not use unique passwords.
1&1-- asking someone for their password over the phone is extremely bad practice and this issue needs to be resolved immediately. It's as simple as changing the customer support's call script to ask for an address instead. With the many issues surrounding password security present in many websites, we don't need another point of weakness for security.