I just discovered a HUGE security issue with HawaiianTel’s email system. Instead of keeping quiet I think disclosure is the best route so folks don’t get caught in this problem.
If you set-up sub-accounts for your HawaiianTel account (http://inov.hawaiiantel.net/selfcare/) you can create extra email addresses for @hawaiiantel.net
If you’ve forgotten the password for a sub-account you can hit a ‘reset password’ link in selfcare.
The password will be reset to ‘password’
Yup, the weakest password you could ever ask for is forced upon the email sub-account. If that wasn’t bad enough once you log into the sub-account THERE’S NO WAY TO CHANGE THE PASSWORD. The password will be stuck as ‘password’ for the account. The webmail help menu says a password change option will show-up if you hit the ‘Settings’ menu but that option is missing. I’ve checked using both Mac and Windows.
I’ve checked all the sub-menus in the Settings preferences and there is no way to change the password, it’s stuck at ‘password’
I’ve sent in a trouble-ticket to HawaiianTel to let them know about this issue so hopefully they will get this fixed pronto. In the meantime I would refrain from resetting passwords via selfcare and if you’re using ‘password’ as your password for any account you should change it immediately anyway.
I don’t normally use my HawaiianTel email account but with a HawaiianTel email account you can log into their Wi-Fi hotspots for free at places like The Coffee Bean and Tea Leaf shops, I think Hilo Seaside Hotel has Skywave hotspots along with a few other places.
By the way, HawaiianTel if you’re reading this please update your Wi-Fi hotspots list.
UPDATE – SOLUTION
There’s a solution on how to change the password from the default ‘password’ for your @hawaiiantel.net email account.
- Go to selfcare at http://inov.hawaiiantel.net/selfcare/
- Login with the email address and password for the account you want to update.
- Choose the Manage Your Account Information option as seen below.
- Change your password.
So ignore the help instructions built into their webmail system, selfcare is the only place you can change your password.
Technically HawaiianTel should create a CNAME Record (Canonical Name record) to redirect webmail.hawaiiantel.net and mail.hawaiiantel.net to selfcare which would steer folks to the account options. Of course they need to fix the Roundcube webmail system they’re using with the corrected options as noted in the help file or put the Change Password link in the sidebar where it’s supposed to be and link it to selfcare. Using a random generator when resetting passwords would be good too.
HawaiianTel’s response to my trouble ticket
Thank you for contacting the Hawaiian Telcom Support Center. We apologize for the inconvenience.
After you are in the master account and reset the password for the child or sub accounts, please log in to the child or sub accounts. To change your password, please go to http://www.hawaiiantel.net/ and click “Manage Hawaiian Telcom Services” at the top of the page and log in with your child or sub account email address and current password. Click “Manage Your Account Information” and type a New Password and Confirm Password and choose a different secret question and answer and click Save Mailbox Changes Go at the bottom. Also note that the password rules are on the side. The most common problem with creating a new password with our email system is it must start with a lower case letter.
If you have any other questions or concerns, please let us know.
HawaiianTel has added a random character generator to the password reset function so the password will no longer be ‘password’. They also have a link to selfcare next to the newly generated reset password.
The webmail system itself still has erroneous help instructions telling users to go to Settings then Password to reset their password. That option still does not exist.