security concern when changing passwords



felipe1982
05-19-2009, 04:11 AM
I was changing my cPanel password, and after doing so it showed a hyperlink that said Relogin (or something very close to that). Hovering my mouse over the link revealed my password in plain text :eek::eek::eek::eek:

I couldn't believe it! Why should my password be shown in plaintext? Imagine if someone had been there beside me (with or without my knowledge) they could have seen it.

On another occasion, I wanted a DNS modification to my domain. The rep emailed me and asked for my password to verify who I was.

Why should I give tech support my password?
He must have a way of verifying it.
That means that it is in plaintext somewhere on their servers.

This is EXTREMELY disconcerting. It should be salted and hashed and should NEVER be in plain text ANYWHERE for ANYBODY to view, not even machines!
(I was just looking through my emails and I cannot find the email that shows the rep asking for my password.)

pghcollectibles
05-19-2009, 08:49 AM
The reps usually also offer the option to give the last 4 digits of the credit card used on the account.

tentimes
05-19-2009, 12:47 PM
I agree - they should not be asking for passwords in live text. I also had to give mine by email to verify my account, which is also a big security concern.

felipe1982
05-19-2009, 07:33 PM
I agree - they should not be asking for passwords in live text. I also had to give mine by email to verify my account, which is also a big security concern.
With all respect my friend, you have created a bigger folly than HM. You should never, ever, ever give your password to anybody. What if it was not hostmonster that you replied to? What if you use that password for other things, such as online banking? Perhaps not you, because you are clever, but what about others?

This is NOT a small problem. HM should definitely change this immediately! Nobody but ME should have knowledge of or access to my password.

Whenever they ask me for my password, I tell them "NO". Then they ask for the last 4 digits of my C.C. and we are on our merry way :D

pghcollectibles
05-19-2009, 08:11 PM
And I would, of course, recommend that you change your password if you have not done so already.

felipe1982
05-19-2009, 08:42 PM
What for? It will be on HM servers in plain text. And I just changed it to a 94-bit strength password a few days ago.

shadmego
05-19-2009, 10:17 PM
The servers on Hostmonster are running a custom version of CentOS (a RedHat Linux derivative). As such, all passwords for user accounts are salted and hashed into a file called passwd.

So once you create your password (or change it) it is NOT stored on the servers in plain text. You probably saw the password repeated to you because it was echoing back what you input as a means of verification. I am not saying there are not problems with this process, I just want you to understand the passwords are not stored on the servers in plain text.

As to your original question about why Support asks for your account password: they have to verify the person asking the questions and requesting the help has a right to ask and request such things. Not all questions require verification, but when it is required, they need to make sure it is a request from an authorized source.

I don't work for Hostmonster so I don't know about how they verify the password is correct, but I know it isn't stored in plain text. Linux doesn't operate that way and I'm not aware of any way to force this behavior without rewriting the kernel code.

As you rightly pointed out, if you are uneasy about sharing your password with Hostmonster support, then you can give the last 4 of the credit card used to purchase the account. But what happens when someone uses Paypal (like me) to pay for their Hostmonster account? I don't have a credit card on file. I have to use my account password.

One more thing. You are right to be very wary of sharing your password with anyone (even support) through email, unless you are encrypting your communication with the use of key pairs. Email is typically sent in plain text and anyone capturing the email packets with your account password will quickly learn how to compromise your account. In LiveChat, on the other hand, the communication is sent via https (encrypted) communication so it is safer to divulge your password through Live Chat than via email. Plus, if you are only giving your password to support and your account gets compromised because they used your password, you know to whom your fingers should be pointing.

The main point of my reply here is not to make excuses on how Hostmonster verifies your identity, but to assure you your password is not being stored on the server in plaintext. I also wanted to touch on some of the other subjects in the thread.

~regards

pghcollectibles
05-19-2009, 10:43 PM
Also, just to elaborate on "seeing":

Just because you are typing into an input with type='password' and to you they just look like asterisks, they are nonetheless not really "encrypted". And when you click the submit button, just because the password is not sent via GET, so you don't see your password in the address bar, if you looked at the headers for the page, it would show your password as POST data.

All I'm saying is, if you are entering secure info into a computer in a public place, you should take precautions so that they do not see what you are doing.

And if it is being sent through SSL you don't worry about it being captured, like Shad said.

felipe1982
05-31-2009, 08:35 PM
I don't work for Hostmonster so I don't know about how they verify the password is correct, but I know it isn't stored in plain text. Linux doesn't operate that way and I'm not aware of any way to force this behavior without rewriting the kernel code.
I am speaking to customer support right now. They do store the passwords in plain text. This is a very dangerous practice, and I am disappointed. Highly disappointed.

Transcript of chat with Tony S
felipe1982.com [7:28:20 PM]: why do u ask clients for their passwords? is that safe? Also - is HM staff able to see the client's password on file?
Tony S [7:29:22 PM]: we use it as ownership verification - it's safe over chat because the chat is SSL encrypted. Yes, I can see your cPanel password
felipe1982.com [7:39:39 PM]: ok
[7:40:56 PM]: do u think it is secure to have client passwords in clear text? They shouldn't be vieweable by anyone, at least if HM is concerned about security (HM customers are, like me)
Tony S [7:41:46 PM]: we host over 1 million domains - if there were a security question about seeing the passwords, I'm sure we'd have changed that by now
felipe1982.com [7:42:34 PM]: an HM staff go log into my gmail account with that password. And my gmail address is on file at HM
[7:43:42 PM]: should have said "could" go log in
Tony S [7:45:37 PM]: I don't think any of us would do that. This may sound kinda bad... but I don't think we'd bother :)
*emphasis my own*
ps - rewriting kernel code isn't too hard. And there are (probably) other ways around it that are easier.

shadmego
05-31-2009, 09:01 PM
... wow ...

I have nothing to say about that. As an Information Security professional, the hairs on the back of my neck stand on end at the thought of storing passwords in plain text ... let alone using passwords to verify ownership.

While there is more ability to fingerpoint if a password gets leaked when using that as verification, storing passwords in plain text is just not acceptable ... for any reason. It's disappointing to hear that. I would be very interested in their reasoning for storing passwords in this manner.

As far as verification, they should not use passwords, or credit card data, of any kind. What they *should* do is create a unique string of characters, sort of like an account id and use that for verification. Maybe even double verify with this account ID + street address of credit card on file or something else.

Would it be possible that someone lose their account ID ... sure ... but there can be ways of retrieving it before contacting support.

Thanks for the feedback on this, felipe ... let us know if you hear anything else ...

Haylz
06-07-2009, 12:17 AM
On the subject of plain text passwords, a little while ago I discovered that my site had been hacked into, and as I was going through all my hidden files I did indeed find a file that had just my control panel password in it, in plain text. I have moved the said file to a password protected directory, but I still don't know if that's really helping or not.

felipe1982
03-15-2010, 11:55 PM
Now with the new password enforcement systems, has hostmonster realized yet that storing their customers' passwords in plaintext is A BAD IDEA?

Will hostmonster be rectifying this problem within the next year? Decade?

</sarcasm>

sjlplat
03-16-2010, 12:07 AM
The fact that they can see your password from the administrative interface does not mean it's stored in plaintext. Viewing and storing are two entirely different animals.

felipe1982
03-23-2010, 12:52 AM
The fact that they can see your password from the administrative interface does not mean it's stored in plaintext. Viewing and storing are two entirely different animals.

I disagree. Passwords should be passed through a one-way hash algorithm such as SHA1. They are stored this way to help prevent someone from knowing what your password is. It is also infeasible to reverse the one-way hash algorithm and return the plaintext password. Thus providing more security.

I spoke with HM, and they have *confirmed* that they *do* store the pw in *plaintext*

This is a terribly insecure practice, and one that baffles me.

In the past, when I issue a new support ticket, they've sent me an email, asking me to provide them with my password. This, too, is a horrible security practice, as the majority of email providers do not encrypt their SMTP traffic. Also, HM staff *should_not* know the password of their clients. There is NO need.

Paypal, banks, government institutions, educational institutions never ask you for your password. Indeed, they emphasize that fact in the footer of all of their emails.

Needless to say, I've refused to give them my password via email. Then they scratch their heads, ...., think, ...., then ask me for the last 4 digits of my credit card.

felipe1982
05-28-2010, 03:52 AM
What if something like this befell HM?
unearthed a server hosting the credentials of 44 million stolen gaming accounts (http://news.techworld.com/security/3224918/world-of-warcraft-accounts-stolen/?olo=rss).
Having clear text passwords stored on the servers would definitely have been a bad idea.

chrishuntley
06-01-2010, 04:44 PM
What's an even bigger joke is when they ask you some question that anyone could get a hold of, like your mother's maiden name or what high school you went to.

felipe1982
06-04-2010, 10:21 PM
On September 16, 2008, during the 2008 United States presidential election campaign, the Yahoo! personal email account of vice presidential candidate Sarah Palin was subjected to unauthorized access. The hacker had guessed Palin's password hint questions by looking up biographical details such as her high school and birthdate.
-- http://en.wikipedia.org/wiki/Sarah_Palin_email_hack

It's possible and doable. It has happened to high-profile public personalities. Security should be everyone's problem, and everyone's concern. It shouldn't be a second thought, tacked on at the end. Back to the central problem, however: why does HM continue these insecure security procedures?

Riverside
12-04-2010, 04:58 PM
Just a quick note. This IS an old thread, but because it comes up among only two when searching the site for "insecure password" it's worth commenting:

Just because a Hostmonster support rep tells you your passwords are being stored in text format doesn't necessarily make it so. A LOT of tech reps make comments like that based only on what seems apparent to them from what they see on their screens.

The fact is, like it or not, somebody, somewhere, including you, and quite often somebody else in the chain of informational exchange, HAS to be able to READ your password. But just because HM support is able to call up your password in readable text format, DOESN'T MEAN IT'S BEING STORED AS TEXT.

Support reps may assume that's the case because they can see it, but being able to see it does NOT mean it's actually stored that way. All that means is that they have the ability to display it on THEIR terminals as text. All it means is that THEY have the ability to decrypt the hashed stored password and see it themselves.

Even if the passwords are NEVER stored in plain text (which is far more likely the truth), it is still (understandably) a concern that any HM support rep can open and read them, since this does mean at some point in time, they are all converted to plain readable text.

BUT, the fact is, whether we like it or not, passwords, at some point or other, MUST be read by human eyes if they are ever forgotten. If this is not possible, it would be IMpossible to EVER retrieve a lost password!

The key to keeping passwords secure is to limit the number of people with access to the ability to view the passwords, AND limit the amount of time the password exists in plain text format either in memory on the HM server, while you are speaking to support, or on your own computer, while either setting up passwords (such as in Cpanel with the password generator ~ where they are obviously readable, or while you have your browser password manager open to view them).

Being able to read PW's as text is a fact of life we all either have to accept, or NEVER EVER FORGET YOUR PASSWORDS (which may mean always choosing easily remembered ones ~ a really BAD idea all the way around).

The fact is, choosing very hard to remember or guess passwords is the best way to prevent ANYONE from guessing and using them. The fact is, using such passwords increases the likelihood of forgetting them, which means we MUST either store them as plain text (VERY BAD IDEA!), or have access to some way of at least displaying the encrypted stored passwords as plain text long enough to retrieve them.

Obviously, the second choice is best, because it is only for the limited amount of time it takes to see them that they are vulnerable. Once you close all the programs that make them viewable, and clear the plain text versions out of memory (usually simply by exiting the programs that display them ~ but restarting your computer entirely is even safer), they SHOULD no longer be available as text anywhere. This is true on YOUR computer, as well as HM's computers.

I for one, do NOT believe that HM is actually storing passwords of any kind in plain text. I honestly do NOT believe they are THAT stupid. That's just security 101 for server administration. NO hosting service would survive long if they engaged in such blatantly STUPID practices!

With all that in mind, there are STILL those brief periods when passwords are rendered readable, during which they ARE MOST DEFINITELY VULNERABLE.

While you, or HM have them open as readable, they are vulnerable to either people looking over the operator's shoulder (yours or the HM rep), and vulnerable to any SPYWARE that might exist on yours or their machines.

The solution is simple. Keep your anti-virus and spyware detection current and up to date! As far as whether HM is doing the same, you either TRUST them, or you don't, to be doing it too.

If you don't trust them, well then, I would take your business elsewhere or start running your own server and take care of it yourself.

If you have a problem with either sending to HM, or having HM send to YOU, a password in plain text, it's NOT as big a deal as so many people seem to think it is!

First of all, never, ever send your PW to anyone via email! Not even HM! Contact them by phone and READ IT to them, or use Live Chat to do it (at this point in time, all they want is the last four digits anyway). Once you're done dealing with them, CHANGE IT!

If you must have HM send it to you because YOU forgot it, get it, log in, and CHANGE IT!

These steps are standard practice for ALL passwords, no matter what they are for. If you EVER have to read one to ANYONE for any reason, change it immediately afterward!

I don't care how many levels of encryption you may or may not use, there will ALWAYS be the need to READ a password no matter WHAT anyone does. If you CHANGE the dumb thing right after making it readable, or sending it as readable through email, it won't matter.

On a side note, there are many web sites that will not retrieve passwords, but instead send a link with which you can reset a password, but even those are NO MORE SECURE than sending you a plain text password. The link itself is readable, isn't it? If THAT email is intercepted, all someone else has to do is visit that link, and THEY will have instant control over your account.

Using encrypted email can help prevent that, yes, but trust me, encrypted emails come with their own nasty problems. And even THAT encryption can be bypassed using all the same techniques used to grab the password you're trying to protect in the first place.

Your best defense is your own due diligence, changing passwords regularly and after every single episode of vulnerability, and protecting your own machines properly with updated virus and spyware detectors.

felipe1982
12-04-2010, 05:47 PM
This reply comes in two parts, because it was too long to post in just one

PART 1


The fact is, like it or not, somebody, somewhere, including you, and quite often somebody else in the chain of informational exchange, HAS to be able to READ your password.
If you've studied information security, you'll know that is not true. It is never important for anyone (but the owner) to know the password. If the passwords are handled securely, they will be hashed. Upon authenticating, the stored hash will be compared to the hash supplied at login. If they match, it is assumed the password entered is the correct password.


But just because HM support is able to call up your password in readable text format, DOESN'T MEAN IT'S BEING STORED AS TEXT.
Maybe it is not being stored as text, but, it isn't being stored securely.


All it means is that THEY have the ability to decrypt the hashed stored password and see it themselves.
Hashes cannot be decrypted because they are not encrypted. Hashing is not encrypting. Good hash algorithms are non-reversible. It is infeasible to try, and really the only way of getting close is by finding collisions (mainly brute force).


Even if the passwords are NEVER stored in plain text (which is far more likely the truth), it is still (understandably) a concern that any HM support rep can open and read them, since this does mean at some point in time, they are all converted to plain readable text.
This should be of major concern to a company the size of HM, with the millions of customers that they have. They've recently increased the security of their site, by requiring more security passwords, and enforcing HTTPS (in 2009, or 2010, a little late fellas ;) but commendable nevertheless)


BUT, the fact is, whether we like it or not, passwords, at some point or other, MUST be read by human eyes if they are ever forgotten. If this is not possible, it would be IMpossible to EVER retrieve a lost password!
If you've read about information security, you'll know this is not true. When a user forgets her password, it should never be reversible, and should never be recoverable. Additional authentication information should be employed, such as "what was the name of your first pet?" etc. After passing a few tests in succession, it can be assumed the user is indeed who she claims to be, and a new one will be created for her (or she makes a new one herself). In this way, her old password, which she may have been using on more than one website, is not compromised at all, and no one will ever know what it is. This way is much safer and more secure.


The key to keeping passwords secure is to limit the number of people with access to the ability to view the passwords, AND limit the amount of time the password exists in plain text format either in memory on the HM server, while you are speaking to support, or on your own computer, while either setting up passwords (such as in Cpanel with the password generator ~ where they are obviously readable, or while you have your browser password manager open to view them).
No. The key to keeping passwords secure is to hash them with a strong hash that is not reversible, and ask the user for other authentication information when speaking with support staff. (GPG/PGP may well serve a good purpose here.) Furthermore, I'd like to say that e-mail is terribly insecure, just as we all know FTP is insecure. All information sent via FTP or SMTP is usually unencrypted, and can be viewed quite easily. If HM support asks a client for the last four chars of her password, this information can be seen by a clever attacker, and very easily (I've done it myself on more than one occasion, for educational purposes only). Now, anyone can impersonate me quite easily, now having the last 4 characters of my password in their possession. Which makes the other 17 characters that constitute my full password void.
Continues on the next post below.

felipe1982
12-04-2010, 05:48 PM
This reply comes in two parts, because it was too long to post in just one

PART 2



Being able to read PW's as text is a fact of life we all either have to accept, or NEVER EVER FORGET YOUR PASSWORDS (which may mean always choosing easily remembered ones ~ a really BAD idea all the way around).
No. Wrong again. This isn't a fact of life. Information security practices, as encountered in the American, Australian, and European Information Security Standards, call for passwords to never be stored in plain text, and to never be knowable by anyone except the owner. In this way, it is extremely difficult that an attacker will get access to, and crack, the password. Passwords will only be remembered by the owner, never stored in plaintext.


The fact is, choosing very hard to remember or guess passwords is the best way to prevent ANYONE from guessing and using them.
I agree that big long scary passphrases are the best, but they needn't be so tough as to forget them so easily. One might choose a stanza of a song, and just use the first letter of each word, and pick a random symbol (!@#$%^&*()) and number (1234567890) and randomly insert them into the passphrase.


The fact is, using such passwords increases the likelihood of forgetting them, which means we MUST either store them as plain text (VERY BAD IDEA!), or have access to some way of at least displaying the encrypted stored passwords as plain text long enough to retrieve them.
Only the owner needs to be concerned with this. Plaintext passwords should A) never traverse the internet unencrypted, in part or in whole, and B) never be stored in plaintext on a server, or be stored in reversible hashes (who uses reversible hashes? Besides weak security practices that have been avoided and abhorred for decades upon decades -- what's the point!?)


Obviously, the second choice is best, because it is only for the limited amount of time it takes to see them that they are vulnerable. Once you close all the programs that make them viewable, and clear the plain text versions out of memory (usually simply by exiting the programs that display them ~ but restarting your computer entirely is even safer), they SHOULD no longer be available as text anywhere. This is true on YOUR computer. as well as HM's computers.
The fact that they are reversible (assuming they are not stored as plain text, which we cannot be assured of at this point) makes them weak and unsafe, and vulnerable to attack and abuse.


I for one, do NOT believe that HM is actually storing passwords of any kind in plain text. I honestly do NOT believe they are THAT stupid. That's just security 101 for server administration. NO hosting service would survive long if they engaged in such blatantly STUPID practices!

With all that in mind, there are STILL those brief periods when passwords are rendered readable, during which they ARE MOST DEFINITELY VULNERABLE.
That window of opportunity is all that is needed to breach the accounts of millions. Why not just avoid that altogether, and use strong irreversible hashes, and narrow the likelihood of that threat down to "Very Unlikely". In this way, they will be employing security nearly equivalent to banks, Universities, Government agencies. And perhaps they can tout this as a bonus to doing business with HM over other less secure hosting companies!


While you, or HM have them open as readable, they are vulnerable to either people looking over the operator's shoulder (yours or the HM rep), and vulnerable to any SPYWARE that might exist on yours or their machines.
I agree, and this is one more reason why passwords should never be reversible.


The solution is simple. Keep your anti-virus and spy ware detection current and up to date!
I agree, but this has nothing to do with storing hashed passwords.


If you don't trust them, well then, I would take your business elsewhere or start running your own server and take care of it yourself.
You just might be onto something there ...


If you have a problem with either sending to HM, or having HM send to YOU, a password in plain text, it's NOT as big a deal as so many people seem to think it is!
Many institutions, banks, merchants, et al, have had credit cards and passwords stolen from their databases. They weren't hashed, they weren't encrypted, and they lost a lot of money and consumer confidence, and suffered a lot of embarrassment. This could have been avoided had they hired a good security team or consultant to improve security.


First of all, never, ever send your PW to anyone via email! Not even HM! Contact them by phone and READ IT to them, or use Live Chat to do it (at this point in time, all they want is the last four digits anyway). Once you're done dealing with them, CHANGE IT!
Ok, so now we've both mentioned and agreed to the insecurity of standard plain text e-mail. I also do agree with you about using a more secure and authenticated channel such as phone or encrypted live chat. I do not see the need to change your password after each support session. 1) Support can do anything to your account anyway, with or without your password. The password is only used to ensure you are who you say you are over chat or phone or e-mail. 2) With modern security practices, this need becomes greatly reduced if passwords were never reversible or viewable by support staff. There are other "industry standard" ways to authenticate a user, without storing their passwords in plain text.


These steps are standard practice for ALL passwords, no matter what they are for. If you EVER have to read one to ANYONE for any reason, change it immediately afterward!
This used to be standard practice, now it's stupid practice. It should never have been this way, ever. Never give your password to anybody, not your employer, not your support staff, not your bank. Never by e-mail. Never store a password unencrypted, or unhashed. Never use reversible hashes. That's the industry standard.


I don't care how many levels of encryption you may or may not use, there will ALWAYS be the need to READ a password no matter WHAT anyone does.
Wrong. This is not how "industry standard" authentication works. Read up on basic information security practices, and user authentication. Basically, in a secure environment, passwords are stored using irreversible hashes. A user supplies a password, which is immediately hashed too. The system then compares the two hashes (not the passphrases) to verify and authenticate a user.


If you CHANGE the dumb thing right after making it readable, or sending it as readable through email, it won't matter.
If you've come this far, you'll see this is insecure. 1) Passwords shouldn't be stored as plain text, 2) They should be stored using irreversible hashes, 3) Passwords shouldn't be given to anybody, 4) Sensitive information should not be conveyed via unencrypted e-mail. (Not to mention the hassle of changing your password each time you get support!)


On a side note, there are many web sites that will not retrieve passwords, but instead send a link with which you can reset a password, but even those are NO MORE SECURE than sending you a plain text password. The link itself is readable, isn't it? If THAT email in intercepted, all someone else has to do is visit that link, and THEY will have instant control over your account.
Right! And that's why unencrypted e-mail should be avoided. Instead of an e-mail link, the password reset should be completed on a secure (HTTPS/TLS) page.


Using encrypted email can help prevent that, yes, but trust me, encrypted emails come with their own nasty problems. And even THAT encryption can be bypassed using all the same techniques used to grab the password your trying to protect in the first place.
This is not true with ciphers such as AES, and others. With a strong passphrase, this is equivalent to brute-force, which is infeasible at this time.
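The login flow felipe1982 describes in this post and in Part 1 (store only a salted, irreversible hash; at login, hash what the user typed and compare the two hashes) is shown below as an added example. It is not code from the thread or from Hostmonster; the choice of PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions made for the example, and the sample accounts are constructed. The `naive_unsalted_sha1` function is included only as the contrast case: why a bare hash without a per-user salt is not enough.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the thread, which only says "salted and hashed"):
# PBKDF2-HMAC-SHA256 with a per-user random salt and a deliberately slow
# iteration count stands in for whatever a host actually deploys.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the record a server stores: algorithm$iterations$salt$digest.

    Nothing in the record can be turned back into the password; the only
    way to use it is to re-derive a digest from a candidate and compare.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(candidate: str, stored: str) -> bool:
    """Login check: hash the candidate with the stored salt and parameters,
    then compare digests in constant time. The stored record is never
    'decrypted' because there is nothing to decrypt."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iteration_count = int(iterations)
    except (ValueError, TypeError):
        return False                           # malformed record: deny
    if algorithm != ALGORITHM or iteration_count <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iteration_count)
    return hmac.compare_digest(actual, expected)


def naive_unsalted_sha1(password: str) -> str:
    """Contrast case: a bare SHA1 of the password. Identical passwords give
    identical digests for every user, so one precomputed table covers every
    account that shares a common password. Salting removes that property."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample accounts; two users happen to choose the same password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    records = {name: hash_password(pw) for name, pw in users.items()}
    for name, rec in records.items():
        print(name, rec)                       # all a support rep could see
    print("alice login ok:", verify_password("correct horse", records["alice"]))
    print("alice wrong pw:", verify_password("correct horse!", records["alice"]))
    print("salted records differ:", records["alice"] != records["bob"])
    print("unsalted sha1 collides:",
          naive_unsalted_sha1("correct horse") == naive_unsalted_sha1("correct horse"))
```

Two properties matter for the argument in the thread: the stored record for alice and bob differ even though their passwords are equal, so a support rep looking at the table learns nothing about either password; and `verify_password` works without anyone, human or machine, ever holding a recoverable copy of the password, which is exactly why a "retrieve my password" feature is not a prerequisite for authentication.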

Riverside
12-04-2010, 05:59 PM
So, you being "anybody", I challenge you to post my Mom's maiden name and what high school I went to, right here.

Please, these are common questions on endless websites, including my bank, one of the biggest in the world.

Word to the wise: be very, very careful what you challenge others to find out about you on a web forum. Check the PM I sent.

Riverside
12-04-2010, 07:36 PM
@felipe1982:

You've made a lot of good points I don't have time to dissect individually, but seem to have missed the real point I was getting at.

For example, if you yourself truly feel that HM is not dealing with the issue securely, why are you continuing to use them as a host? Would it not be best, if you are, as you say you are, such an expert, to move your site elsewhere, where the security is better?

As for hashing. Hashing is a form of encryption. All dogs are not German Shepherds, but all German Shepherds are dogs. Hashing may very well not be the same as other forms of encryption in the way it works or is used, but it is still, nonetheless, encryption.

Yes, it IS true that passwords MUST, at times, be readable. If you forget a password, and there is no encrypted (hashed) manner with which to reset it, it must be read. Barring a hashed reset, there IS no other way to retrieve the lost password. And even with a hashed reset, a link has to be sent to the user. Whether it is a link, or a text password, either can be intercepted. Either way, if the password is reset by the user, immediately after transmission, only the user will know what it is, provided the means to set a new password is secure in itself. If it isn't, stop using the host, or deal with the system the way it is. It's that simple IMHO.

We can all wish that no hosts or web sites EVER handled things in insecure ways, but the reality is, some of them DO. That's the real world my friend. And we can either deal with it by doing what we should do and need to do, or complain until they change things. Maybe they will eventually change it. In the meantime we still need to do what we can, and not rely so much on others to protect us all from the big bad wolves. Besides, there is only so much they CAN do. If we aren't doing what we should, all the security they can possibly offer wouldn't do any of us any good at all.

pghcollectibles
12-05-2010, 12:51 AM
I agree with felipe, and the reason I still do business with them is because it must be secure enough if no one has gained access to the accounts yet. There are many more ways to hack accounts.

There should be no way to retrieve them, only to reset them. The reset should happen on the server, not through email. Links can be set up as one-time use, but if it is intercepted the intended receiver may not be the one use. If you are resetting your password and expect a link in the mail, you shouldn't go off and do something else before using that link. Links are generally set up as confirmation types, or they send you to a page to enter a new password, as long as you also enter other info on that page for identification.

Riverside
12-05-2010, 02:23 PM
i agree with felipe and the reason i still do business with them is because it must be secure enough if no one has gained access to the accounts yet. there are many more ways to hack accounts.

Agreed. This is the same reason I continue doing business with them as well.


there should be no way to retrieve them, only to reset them. the reset should happen on the server not through email.

Also agreed. Reset IS a much better way to deal with it, but only if the email is not intercepted, and IF, as you point out below, WE don't waste any time acting on the reset email. However, as I will point out below, the same is true if the password itself is sent via email.


links can be set up as a 1 time use, but if it is intercepted the intended receiver may not be the 1 use. if you are resetting your password and expect a link in the mail, you shouldn't go off and do something else before using that link. links are generally set up as confirmation types, or they send you to a page to enter a new password as long as you also enter other info on that page for identification.

Agreed. Normally, it's a link with a one time use code number added to the end of the address, however that link can be intercepted just as easily as a password. Either way, if we do NOT change the password IMMEDIATELY upon receiving the email (whether it contains a password reset link, or the current password itself), it MAY still be possible for the interceptor of that email to gain access.

The ONLY way that would not be true is if the email is a reset, AND the current password is required to perform the reset. If the reason for reset is a lost password, this option is not feasible.

Either way, immediate action is necessary for US to maintain security.

There really is only ONE other option that would never be vulnerable (or would at least be the LEAST vulnerable option), and that is for HM to insist on using reset links ONLY, that ALWAYS require the current password to be used. Quite a few companies actually DO warn you that YOU are solely responsible for never forgetting your password, and will NEVER tell you what that password is, OR allow you to reset it without the current password.

Essentially putting the user in the "SOL" position if they ever do forget the current PW.

Since HM is a low cost shared host, they have a great deal of noobie users who aren't accustomed to high level password security measures, so a high number of them are very likely to lose or forget their passwords. Thus, HM does offer ways to retrieve them.

If WE change our passwords IMMEDIATELY after each time they are sent to us, the amount of time the account is vulnerable is the same, whether it is done by sending the PW in text form, or a reset link is sent.

They could, of course, link the reset link in their database to the I.P. address from which the reset request was sent, allowing a very short time for it to be used, and locking out the link if it's accessed from a different I.P., but even then, how could they possibly know whether your actual computer had been compromised by someone else in your home or office, or even controlled remotely?

The fact is, they can't know.

And that's why so much weight, like it or not, is on OUR own shoulders for ensuring that our own practices regarding passwords are secure.

It's up to US to know when our passwords may have been rendered vulnerable, for no matter how short a time period, and take the necessary steps to secure them by changing them every single time that happens.

The ONLY other option is to never forget or lose your current password, and for HM to ALWAYS require it in order to perform a reset.

felipe1982
12-06-2010, 02:14 AM
It's up to US to know when our passwords may have been rendered vulnerable, for no matter how short a time period, and take the necessary steps to secure them by changing them every single time that happens.

Is it up to us to ensure that vehicles meet safety standards and regulations? I do not believe it is. It is up to car manufacturers to abide by government regulations (not to mention ethics, and common sense) to ensure that the products they sell are safe and secure, so that anyone using them can expect a certain (high?) level of safety and security, without having to check their brakes, cables, tires, flame-proof upholstery, etc., every 4 weeks. An institution or organisation that handles passwords, sensitive information, private information, banking details, and a host of other (very secret) things has a huge responsibility to ensure the integrity and security of all of their customers, no matter if they have an "economy" hosting plan, or not. Even "economy" cars have to follow safety regulations...


For example, if you yourself truly feel that HM is not dealing with the issue securely, why are you continuing to use them as a host? Would it not be best, if you are, as you say you are, such an expert, to move your site elsewhere, where the security is better?

Not an expert, just an enthusiast/paranoiac. Any suggestions ...? Honestly, I just don't have time now to scour the web. If anyone knows of a host, that does not have ridiculous shared-hosting prices, please let me know.


As for hashing. Hashing is a form of encryption. All dogs are not German Shepherds, but all German Shepherds are dogs. Hashing may very well not be the same as other forms of encryption in the way it works or is used, but it is still, nonetheless, encryption.

Chihuahuas are dogs, but you don't use a Chihuahua to guard the front of your mansion estate. And German Shepherds may suffer additional illnesses or diseases that a Chihuahua may suffer. A different dog, for a different purpose. Hashing and encryption are under the domain of 'cryptography.' They are used differently, and provide different levels and layers of security. You use encryption to hide data that needs to be reversed. You use hashes to store a so-called 'fingerprint' of data, that may be used to represent an arbitrarily long piece of data, such as a password, a document, or an ISO9660 file (.iso). Example. In the case of a 600MB ISO file, we can encrypt the 600MB ISO, and get something like 660MB (assuming 10% growth from the encryption operation). Further, we can then decrypt the file, and get back the original 600MB unencrypted file. A hash of the original 600MB file cannot be reversed. You cannot produce 600 million bytes from just 128 bits.


If it isn't, stop using the host, or deal with the system the way it is. It's that simple IMHO.

You are right indeed, and I agree, mostly. It is prudent to make others aware of the problem, and perhaps convince administrators at HM to enhance their security. A year ago (or so) they mandated the use of much stronger passwords. Someone in HM thought this was important, and implemented it. The same can be done with hashed passwords.


We can all wish that no hosts or web sites EVER handled things in insecure ways, but the reality is, some of them DO. That's the real world my friend. And we can either deal with it by doing what we should do and need to do, or complain until they change things. Maybe they will eventually change it. In the meantime we still need to do what we can, and not rely so much on others to protect us all from the big bad wolves. Besides, there is only so much they CAN do. If we aren't doing what we should, all the security they can possibly offer wouldn't do any of us any good at all.

Ultimately, it is up to the user to ensure that his host is keeping his information secure, and that he follows security best practices to keep vulnerabilities to a minimum. 100% agree with you.

Regards,
Felipe
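To illustrate the distinction drawn above between a reversible encryption and a one-way, fixed-size hash, and the earlier point that a host that stores salted hashes never needs to see (or be able to hand out) the password itself, here is an added example in Python. It is not code from this thread or from any host; the iteration count and the sample password are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: stores only a per-user salt and a PBKDF2 digest.
# Neither value reveals the password, so support staff cannot read it;
# they can only check whether a supplied candidate matches.
ITERATIONS = 200_000  # assumed work factor for this illustration


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record {salt, digest, iterations}."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest from the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


def fingerprint(data: bytes) -> str:
    """SHA-256 'fingerprint': 32 bytes whatever the input size, and one-way."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    assert verify_password(rec, "correct horse battery staple")
    assert not verify_password(rec, "Correct horse battery staple")
    # Same password, fresh random salt: a different stored digest, so one
    # precomputed table cannot be reused against every user's record.
    assert hash_password("correct horse battery staple")["digest"] != rec["digest"]
    # The digest length is constant: 1 byte or 10 MB both give 64 hex chars,
    # which is why the original input cannot be recovered from it.
    assert len(fingerprint(b"x")) == len(fingerprint(b"x" * 10_000_000)) == 64
    print("stored record (no password inside):", rec)
```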

benman
12-06-2010, 03:54 PM
So what's HM saying about the issue?

Riverside
12-07-2010, 01:20 PM
Is it up to us to ensure that vehicles meet safety standards and regulations? I do not believe it is. It is up to car manufacturers to abide by government regulations (not to mention ethics, and common sense) to ensure that the products they sell are safe and secure, so that anyone using them can expect a certain (high?) level of safety and security, without having to check their brakes, cables, tires, flame-proof upholstery, etc., every 4 weeks. An institution or organisation that handles passwords, sensitive information, private information, banking details, and a host of other (very secret) things has a huge responsibility to ensure the integrity and security of all of their customers, no matter if they have an "economy" hosting plan, or not. Even "economy" cars have to follow safety regulations...

If you drive an unsafe car, you can die. If you use an insecure host, the worst that may happen is your site files can be hacked, unless you happen to be careless enough to store personal information on your site, which is just foolish. If you keep good backup habits, an entire site can be restored in, at most, a couple of hours. If you keep good password storage habits, and CHANGE them when necessary, the perceived "holes" in HM's security measures won't matter.

Wearing your safety belt in a car that is so poorly designed it crumples during a 30 MPH impact won't save your life. The comparison isn't really valid.


Not an expert, just an enthusiast/paranoiac. Any suggestions ...? Honestly, I just don't have time now to scour the web. If anyone knows of a host, that does not have ridiculous shared-hosting prices, please let me know.

The only suggestions I do have, I've already made. Change your passwords every time you encounter what you perceive as a possible vulnerability episode. If you do, you minimize the time they are vulnerable. I highly doubt you'll find any similarly priced host that has any better security. And that's exactly why I suggest learning better habits on your own end.


Chihuahuas are dogs, but you don't use a Chihuahua to guard the front of your mansion estate. And German Shepherds may suffer additional illnesses or diseases that a Chihuahua may suffer. A different dog, for a different purpose. Hashing and encryption are under the domain of 'cryptography.' They are used differently, and provide different levels and layers of security. You use encryption to hide data that needs to be reversed. You use hashes to store a so-called 'fingerprint' of data, that may be used to represent an arbitrarily long piece of data, such as a password, a document, or an ISO9660 file (.iso). Example. In the case of a 600MB ISO file, we can encrypt the 600MB ISO, and get something like 660MB (assuming 10% growth from the encryption operation). Further, we can then decrypt the file, and get back the original 600MB unencrypted file. A hash of the original 600MB file cannot be reversed. You cannot produce 600 million bytes from just 128 bits.

LOL. Yes, I like the Chihuahua analogy, and you're right. That's what we get for the price we pay. Unfortunately, if you want a slew of Dobermans, and heavier steel vaults, they aren't going to come at this price. It's either pony up the cost for better security, or learn how to deal with the security you can afford. It's that simple. There may be more HM can do, and they may very well make some improvements, but in the meantime, isn't it a good idea to implement best practices on our own end?


You are right indeed, and I agree, mostly. It is prudent to make others aware of the problem, and perhaps convince administrators at HM to enhance their security. A year ago (or so) they mandated the use of much stronger passwords. Someone in HM thought this was important, and implemented it. The same can be done with hashed passwords.

I'm not arguing that point at all, but if passwords are ALWAYS hashed, that would mean that severe security measures have to be in place, the most important of which is, only WE ever know what our passwords are, they are NEVER sent through emails. Resets could still be allowed, but as I pointed out, even those can be intercepted just as easily as an email containing a text password. If you want FULL level security, they can never allow password resets, OR sending password reminders.

The fact that they do is a BUSINESS decision, not a security decision. There are so many noobie users using HM, forgotten passwords are a regular occurrence. If they forced every user to NEVER forget their passwords, they would lose a lot of business, since many noobies do not understand why they shouldn't be allowed to change them. They don't understand the risk. They should, but they don't.


Ultimately, it is up to the user to ensure that his host is keeping his information secure, and that he follows security best practices to keep vulnerabilities to a minimum. 100% agree with you.

I should add it's up to us to UNDERSTAND the security practices. What's vulnerable, when it's vulnerable, and what steps to take if and when vulnerabilities occur.

What a lot of noobies need to understand is that, if you want to be able to retrieve or reset an account password, there is NO WAY to do that without exposing the account to some level of vulnerability, at least for a short time. How long that is, depends on US. I know a lot of sites that allow password resets, but the reset link is set to expire an hour after it is sent. That's a good practice, and one I do think HM should use. Send a reset link set to expire one hour after it's sent. FORCE users to CHANGE their password!

No PW reminders. I do think that practice would be a more secure way of doing things, and it wouldn't cause a lot of noobies to quit and go elsewhere.

The only thing about that scenario I don't care for is that it might tend to support the false impression that HM is entirely responsible for our site's security, which is patently untrue.

There is only so much they can do. They provide the foundation. We build the house on the foundation (our sites). If we don't bother to keep the doors and windows locked, and keep track of our own keys, can we really blame the foundation builder when someone breaks through the front or side door? Think of Cpanel as the side door, that leads to the utility room. HM doesn't even use that door. We do. If we lose the keys to it, they have the ability to either send us a copy, or create a new copy, re-keying the lock. Either way, the key has to be sent somewhere. It is during that transit period, short as it is, that our side door becomes vulnerable.

The absolute BEST defense is never forget your password, and change it whenever you even THINK it may have become vulnerable.
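The reset scheme argued for in this post (a link that expires an hour after it is sent, can be redeemed once, and forces a new password rather than revealing the old one) looks like this as an added Python example; it is not code from this thread or from any host, and the one-hour TTL, the in-memory store and the sample user name are assumptions for the illustration. Note that it only bounds the transit window the posts describe; it does not remove it.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed example of a one-time, time-limited password reset token.
TOKEN_TTL_SECONDS = 3600  # assumed policy: link dies one hour after issue


class ResetTokenStore:
    def __init__(self) -> None:
        # Keyed by SHA-256 of the token: a leaked store yields no usable links.
        self._tokens: Dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Mint a token for the user; the plaintext goes only into the email link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "user": username, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username if the token is known, unexpired and unused.

        A successful redeem burns the token, so a copy intercepted in transit
        is worthless once the legitimate user has acted on the email.
        """
        now = time.time() if now is None else now
        entry = self._tokens.get(self._key(token))
        if entry is None or entry["used"] or now > entry["expires"]:
            return None
        entry["used"] = True
        return entry["user"]


if __name__ == "__main__":
    store = ResetTokenStore()
    t0 = 1_000_000.0  # constructed clock value
    tok = store.issue("example_user", now=t0)
    assert store.redeem(tok, now=t0 + 60) == "example_user"  # used within the hour
    assert store.redeem(tok, now=t0 + 61) is None            # second use rejected
    late = store.issue("example_user", now=t0)
    assert store.redeem(late, now=t0 + 3601) is None         # expired link
    assert store.redeem("not-a-real-token", now=t0) is None  # unknown token
    print("reset token policy checks passed")
```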

gothicfantasy7
12-09-2010, 03:35 AM
What for? It will be on HM servers in plain text. And I just changed it to a 94-bit strength password a few days ago.

As you rightly pointed out, if you are uneasy about sharing your password with Hostmonster support, then you can give the last 4 of the credit card used to purchase the account. But what happens when someone uses Paypal (like me) to pay for their Hostmonster account? I don't have a credit card on file. I have to use my account password.



____________________________
gothic fantasy art (http://www.gothicfantasyart.us/)
Fairy Fantasy Art (http://www.gothicfantasyart.us/)