They offer low-cost hosting options, which is what initially attracted me to their service. If your needs are fairly basic, and you need only the most basic support, this might make 1&1 a good option. However, I quickly encountered a number of issues with their service, not the least of which was simply how they treated me as a customer.
When I first signed up, they took a strong password that I selected and silently truncated it. Rather than informing me that the password was too long (and you really shouldn't restrict password length that much, as longer passwords are more secure), they cut it short. This guaranteed that I could not know what my password was, and would have to get it reset. Their password reset feature was also poorly implemented, as it sent me the original password (truncated in this case) in an email. This should never be done. As they rightly pointed out, email is not really secure and someone could have intercepted that password. Imagine if I had given them the password I use for online banking. In general, it is a good practice not to even store the user's password on your servers, but to use a salted hash. A competent IT professional should know how to implement these additional security precautions. Instead of emailing the password, they should have used a temporary reset code, valid for a short time, to limit the risk from having the email intercepted.
When I reported the issues with their handling of passwords and password resets, I received this reply:
"Thank you for contacting us.
If you have any suggestions regarding your system, you are welcome to post it on forum.1and1.com. For complaints, please send an email to [protected]@1and1.com.
If you have any further questions please do not hesitate to contact us."
I had very clearly explained the issues (and how to fix them) and it should have been forwarded to someone who could fix it, and I should have received a follow-up explaining how the issues were being addressed. It should be obvious that a public forum is not the place to discuss security issues. The reply suggests they were too lazy to think about who should fix the problem, and may not have even really read the email, since they aren't sure whether I was "suggesting" or "complaining".
I further encountered issues with their server configuration. Ordinarily, the MultiViews feature of Apache allows you to use links to /page and, if you have implemented it with PHP, Apache will find /page.php and use it when the link to /page is clicked. The advantage of this is that if, in the future, you decide to use Python for this page instead, you replace /page.php with /page.py and the links to /page are unaffected (see "Cool URIs don't change", by Tim Berners-Lee). However, on 1&1's servers, this didn't work for scripts. So the link to /page would work for /page.html, but not for /page.php or /page.py, etc.
In trying to resolve this issue, I found the first line of support was not competent to handle this sort of thing; in fact, they seemed to have a hard time understanding the issue. After carefully explaining the issue in detail, I was asked for screenshots. After illustrating the issue step by step with screenshots, and carefully explaining what was occurring versus what I wanted and why, I was told that I needed to add the ".php" extension to my links. Of course, I had already explained that this was what I specifically wanted to avoid, why I wanted to avoid this, and how it ordinarily should work (as it did on my server at home). Altogether it took five emails before the issue was escalated to a higher level of technical support and eight days to get a reply from them. They were able to propose a workaround using mod_rewrite, but this had been a lot of trouble for what should have been a relatively simple problem, and the delay in getting competent support was unacceptable in my opinion. If this had been an active business site (and it was supposed to be a business class hosting package), this would have certainly been unacceptable.
I eventually decided that I would be better off doing the hosting myself and just keeping the domain names registered with 1&1. I told them when I asked about this option that I believed that there should be no extra cost for the downgrade, based on what I had already paid for the initial package. I was given instructions on how to perform the downgrade via their web interface. The web interface clearly stated the cost of changing the package was "$0.00". However, I soon received an invoice for an additional charge. When I wrote about this, the reply I received bordered on being rude. It gave an explanation of the invoice and concluded with, "thus, the invoice is valid and is non-refundable." It failed to address the complaint that I had been explicitly told in advance there would be no charge, and didn't even have the manners to throw in a "sorry for the misunderstanding."
The lack of basic customer service and courtesy was a bigger issue for me than any of the technical issues. When I decided to leave their service entirely, I explained all of these issues to them, essentially offering them another chance to make it right and win me back as a customer. They didn't care enough to reply. They simply don't value their customers that much. I could not recommend their service to a friend, or to anyone, really. I might mention them as a low-cost option for someone with relatively basic needs, but with caveats about their poor customer service.
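
The password handling recommended in the second paragraph of the review (reject an over-long password instead of truncating it, store only a salted hash, and email a short-lived single-use reset code rather than the password), as an added example that is not part of the original review and not 1&1's code. The length cap, iteration count, 15-minute window and the in-memory `ResetCodes` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_PASSWORD_BYTES = 1024     # assumed generous cap; longer input is rejected, never cut
PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
RESET_TTL_SECONDS = 15 * 60   # assumed validity window for a reset code


def _derive(password: str, salt: bytes) -> bytes:
    raw = password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)


def hash_password(password: str):
    """Return (salt, digest). Only these are stored, never the plaintext."""
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        # Tell the user at signup; silent truncation locks them out later.
        raise ValueError("password too long")
    salt = secrets.token_bytes(16)   # fresh random salt per user
    return salt, _derive(password, salt)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_derive(password, salt), digest)


class ResetCodes:
    """Hypothetical in-memory store; a real site would keep this in its database."""

    def __init__(self):
        self._pending = {}   # username -> (sha256 of code, expiry timestamp)

    def issue(self, username: str, now=None) -> str:
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)   # this, not the password, goes in the email
        code_hash = hashlib.sha256(code.encode()).digest()
        self._pending[username] = (code_hash, now + RESET_TTL_SECONDS)
        return code

    def redeem(self, username: str, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        stored = self._pending.pop(username, None)   # single use: consumed on any attempt
        if stored is None:
            return False
        code_hash, expires = stored
        supplied = hashlib.sha256(code.encode()).digest()
        return now <= expires and hmac.compare_digest(supplied, code_hash)
```

Because the server holds only the salt and digest, there is no original password it could email back; an intercepted reset code is useless once redeemed or after the window closes.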