#1
06-02-2008, 06:58 AM
softwarecandy
Junior Croc
Join Date: May 2008
Location: Vermont, USA
Posts: 198
Please Stop Emailing me my Password in CLEAR TEXT

So far I am very impressed with HostGator's quality and responsiveness of service.

Except for one issue: security.

When I first registered to HostGator, I was surprised to see in the welcome email, along with my account username, my password - in CLEAR TEXT...

I am not a security expert, but I do know that sensitive/confidential information should always be delivered encrypted (usually over SSL), or by some other semi-secure means (telephone, sealed envelope, etc.).

How can a respectable company like HostGator, which is supposed to host e-commerce sites, send passwords in clear text?

When I asked HG's support about this, I was told that HostGator is planning to address this issue. However, I didn't receive any specifics or time frame for implementing a solution to this well known problem (which every web site with accounts must face, including my future online store).

"Well", I thought, "if this happens only once, when the account is first established, I can probably live with that since I can change the password immediately".

But then, a few minutes ago, when I ordered a dedicated IP address, I received the "IP request" confirmation email with... my password again. :-(
It is at the bottom of the email message, along with the ticket ID.

What is going on? How am I supposed to install a shopping cart with a private SSL certificate on a host that delivers my admin password in clear text?

And when is HostGator going to change this?


Last edited by softwarecandy; 06-10-2008 at 07:00 AM. Reason: No need to repeat my request :-)
#2
06-02-2008, 07:30 AM
Serra
Veteran Croc
Join Date: Feb 2005
Location: Orange Park, FL
Posts: 5,067
Re: Please Stop Emailing me my Password in CLEAR TEXT

This is a common practice in the hosting industry. Due to the amount of email being passed nowadays, clear text passwords are no longer an issue, as hackers no longer parse email for passwords; it's just not productive.
#3
06-02-2008, 09:09 AM
Kris Siegel
Hatchling Croc
Join Date: May 2008
Posts: 31
Re: Please Stop Emailing me my Password in CLEAR TEXT

Quote:
Originally Posted by Serra
This is a common practice in the hosting industry. Due to the amount of email being passed nowadays, clear text passwords are no longer an issue, as hackers no longer parse email for passwords; it's just not productive.
I think the biggest issue is the fact that HostGator is storing passwords as either clear text or encrypted text. Both are common but very bad practice.

Any website that requires the users to create and use a password should always store the password in a salted hash. Anything else, IMO, is gross negligence. Even encrypting the password is bad as the company holding the encrypted passwords can easily decrypt them.

While sending passwords in an e-mail isn't a good idea I think the way HostGator is / was storing passwords is the bigger issue.

I'm curious to know if their new solution is simply encrypted passwords or if they're doing it right this time with hashed passwords.
#4
06-10-2008, 06:49 AM
softwarecandy
Junior Croc
Join Date: May 2008
Location: Vermont, USA
Posts: 198
Re: Please Stop Emailing me my Password in CLEAR TEXT

Quote:
Originally Posted by Kris Siegel
I think the biggest issue is the fact that HostGator is storing passwords as either clear text or encrypted text. Both are common but very bad practice.

Any website that requires the users to create and use a password should always store the password in a salted hash. Anything else, IMO, is gross negligence. Even encrypting the password is bad as the company holding the encrypted passwords can easily decrypt them.

While sending passwords in an e-mail isn't a good idea I think the way HostGator is / was storing passwords is the bigger issue.
Well, I just consulted with a professional in this business and he agrees with you. This is what he says:

Quote:
HostGator is obviously storing passwords in cleartext or in some method where the cleartext can easily be recovered. If they have a break-in, or a rogue employee, the entire password file might get disclosed. That is not "industry best practice" and they should know better.
That said, I believe that HostGator strives to excel in its business and I hope that it will address this issue before such a breach occurs. I would be glad to learn that HostGator indeed intends to address this issue (just as it is doing now in its billing system).

#5
06-10-2008, 07:17 AM
striddy
Emperor Croc
Join Date: Mar 2008
Location: /home/australia/earth
Posts: 2,978
Re: Please Stop Emailing me my Password in CLEAR TEXT

You can and should be changing your passwords often.

See this recent thread.

http://forums.hostgator.com/showthread.php?t=33655
- David

#6
06-10-2008, 08:22 AM
softwarecandy
Junior Croc
Join Date: May 2008
Location: Vermont, USA
Posts: 198
Re: Please Stop Emailing me my Password in CLEAR TEXT

Quote:
Originally Posted by striddy
You can and should be changing your passwords often.
I agree and indeed that's what I do.

However, I would like to be able to set the schedule for changing my passwords (e.g. once every X months, just like employees in large Hi-Tech corporations are required to do) and not upon a surprise after every minor communication with HostGator.

I noticed your question:

Quote:
Originally Posted by striddy
And how would you prefer they email you the passwords?

Passwords from any site you join on the web are always sent in plain old email.
Actually, this depends on the institution and type of account involved. My bank, for example, would never email me my password. Instead, I have to call a representative and get my password over the phone.

But I am not expecting this level of security from HostGator. This may be an overkill for this kind of account. What I do expect is that my password will be emailed to me, only upon my initiated request. That way, it is reasonable to assume that I am in that "special mode" of immediately changing my just-emailed password (like what happens when you first register to almost any password protected web based service).

BTW, HostGator has multiple types of accounts, each allowing a different userid/password:
  1. cPanel (web site admin and maintenance)
  2. Billing
  3. Support (ticket system)
  4. Forums
The first two are more sensitive to password protection practices than the last two. IMHO, HostGator doesn't have to deal with all of these issues at the same time or give them the same priority.

#7
06-15-2008, 05:03 AM
dustbuster
Hatchling Croc
Join Date: Feb 2008
Posts: 12
Re: Please Stop Emailing me my Password in CLEAR TEXT

It is worrying that they even have access to our non-hashed passwords. I seem to recall writing to support about this, and their response was that it's more convenient for customers to keep emailing passwords in cleartext.
#8
06-15-2008, 11:06 AM
vince
Hatchling Croc
Join Date: May 2008
Posts: 23
Re: Please Stop Emailing me my Password in CLEAR TEXT

Quote:
Originally Posted by dustbuster
It is worrying that they even have access to our non-hashed passwords. I seem to recall writing to support about this, and their response was that it's more convenient for customers to keep emailing passwords in cleartext.
What they should be doing is storing passwords in a one-way hash format like MD5. The original password cannot be recovered (at least in a reasonable amount of time; yes, over 5 years you might bang a password out), and that's the point.

Passwords should never be emailed, instead a single use link to a website (encrypted with SSL) should be used to reset the password.

HostGator had a potential security breach with an exiting employee last month: http://forums.hostgator.com/showthread.php?t=33170&

Can anyone from HG chime in and let us know when our data will not be plain text?
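As an added illustration (not code from any poster in this thread, nor from HostGator), here are the two practices argued for in #3 and #8 in Python: passwords kept only as salted one-way hashes, so the site itself cannot recover them, and password resets done through a single-use, expiring link token instead of e-mailing the password. It substitutes PBKDF2-SHA256 for the plain MD5 mentioned above; the iteration count, the 15-minute token lifetime and the in-memory token table are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumed cost setting; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$iters$salt$hash'. The password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


class ResetTokens:
    """Single-use, expiring reset tokens. Only a hash of each token is stored, so a
    leaked token table cannot be used to reset anyone's password."""

    def __init__(self, ttl_seconds=900):  # 15-minute lifetime is an assumption
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (username, expiry time)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # this goes into the https reset link in the e-mail
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (username, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the username if the token is valid; None if unknown, already used or expired."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return None
        username, expiry = entry
        return username if now <= expiry else None
```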
#9
11-22-2009, 03:48 AM
n0rbertt
Hatchling Croc
Join Date: Nov 2009
Posts: 1
Re: Please Stop Emailing me my Password in CLEAR TEXT

I would think they are emailed to you and then MD5'd for the DB, no?

#10
11-26-2009, 07:31 PM
Major Internet
Hatchling Croc
Join Date: Nov 2009
Posts: 18
Re: Please Stop Emailing me my Password in CLEAR TEXT

Are we talking about shared account or all accounts?

If on a shared account, I would think that the cost involved re-authing hashed passwords would be cost prohibitive. I know for a fact I don't try to recall passwords as I choose not to record them for security. That means the 2-6 months I spend not using a particular account password means I have to retrieve it.

That being said, I log into the account and change the password on my way out using the generator. Pretty sure that's why it's there.

Reseller Primary WHM accounts should be hashed.