
Open letter: Dreamhost - I'm shocked by your security practices (or lack thereof)
01-19-2011, 04:58 PM
Post: #11
RE: Open letter: Dreamhost - I'm shocked by your security practices (or lack thereof)
Quote:Maybe they'll say that the user which accesses a stats area is a completely different thing from the identifier which accesses the main panel of an account.

That's actually pretty much correct. We don't create any default stats users anymore; existing stats users with the same name/password as Panel users still exist, but are no longer created for new domains. This was actually done for security reasons: sending your Panel password to the stats page would transmit that password in clear text, which definitely isn't a great thing to be doing!

You can configure stats users at: https://panel.dreamhost.com/index.cgi?tree=status.stats.
05-12-2011, 11:52 AM (This post was last modified: 05-12-2011 11:55 AM by icvdm.)
Post: #12
RE: Open letter: Dreamhost - I'm shocked by your security practices (or lack thereof)
"I have been with DH for many years now. I have NEVER had an issue with them as far as security. "

How long is many years?
At the top of my CP it says "..since 2002"

You must not have been among the users that were affected by this incident, which wasn't that long ago..

http://blog.dreamhosters.com/2007/06/06/...ts-hacked/

And this one that I recall vividly.. Not a Security Breach so to speak but one that really annoyed me as I was billed for a LOT of money "by mistake"
http://techcrunch.com/2008/01/15/dreamho...r-apology/

I'll say this:
I like Dreamhost, I have many reasons to stay.... BUT..

I AM always annoyed at their cavalier attitude which seems to be pervasive throughout the organization..

My advice is to be careful and be on the ball with your accounts and you'll enjoy the benefits DH offers.... But there will be Sighs and Groans.. As with any host.



(01-06-2011 07:00 AM)damonh Wrote:  I have been with DH for many years now. I have NEVER had an issue with them as far as security. The only thing I would be interested in is the ability for SQLi or XSS. How vulnerable is DH to this.

Other than that, I feel it is MY responsibility to secure my own sites and my own passwords. Working in the security industry over the past several months I have learned a lot and most of it is there is no such thing as 100% secure.

Now a lot of these issues you complained about have mostly to do with DH being able to give you your password. Well if it is hashed correctly in the DB you need not worry. The proper program can extract it and send you the password in plain text, just in case you forgot it. Many places I have a password at do this.

You should be responsible for changing your password and do it on a periodic basis.

As long as my personal information is safe from hackers I am more than happy to be responsible for my account information.

Cheers

--
James at icv
05-24-2011, 01:55 PM
Post: #13
RE: Open letter: Dreamhost - I'm shocked by your security practices (or lack thereof)
Yes, passwords should be hashed. I agree that security is more important than the convenience of a user being able to retrieve an old password. I am not some newbie technophobe, I can manage my passwords and if I forget one, I do not care if you have to reset it and send me a system generated one. I do understand why DH staff might want the ability to get passwords for people, but I don't think it's appropriate for a web hosting service.

However complaining that DH allows FTP (as an option, no less!) is delusional and detached from reality. Of course they allow FTP. That's fine (and good).
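The hashing-versus-retrieval point made in this thread, as an added example that is not from the thread or from DreamHost: a user store that keeps only a per-user salt and a PBKDF2 hash, so nobody (support staff included) can hand back the old password, paired with a reset flow that issues a random single-use token instead. The USERS table, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "database" standing in for a hosting panel's user table.
# A record holds a salt and a hash only; the password itself is never stored.
USERS = {}

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a random per-user salt; the iteration count
    # is the work factor that makes offline guessing expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "reset_token_hash": None}

def verify_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def issue_reset_token(username: str) -> str:
    # There is no way to recover the old password from the record, so "I forgot it"
    # is handled by a fresh random token. Only its hash is stored, so a leaked
    # table does not hand an attacker a usable reset token either.
    token = secrets.token_urlsafe(32)
    USERS[username]["reset_token_hash"] = hashlib.sha256(token.encode()).digest()
    return token  # delivered to the user out of band (e.g. e-mail), never stored in clear

def reset_password(username: str, token: str, new_password: str) -> bool:
    rec = USERS.get(username)
    if rec is None or rec["reset_token_hash"] is None:
        return False
    if not hmac.compare_digest(rec["reset_token_hash"], hashlib.sha256(token.encode()).digest()):
        return False
    rec["reset_token_hash"] = None  # single use: a replayed token is rejected
    rec["salt"] = os.urandom(16)    # new salt with the new password
    rec["hash"] = _hash(new_password, rec["salt"])
    return True

if __name__ == "__main__":
    create_user("alice", "correct horse")
    token = issue_reset_token("alice")
    print(reset_password("alice", token, "new passphrase"))   # True
    print(verify_login("alice", "correct horse"), verify_login("alice", "new passphrase"))  # False True
```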