password recovery: is anyone happy?
06-02-2011, 10:35 PM (This post was last modified: 06-02-2011 10:36 PM by bobocat.)
Post: #31
RE: password recovery: is anyone happy?
Anyone interested in encrypting passwords now?
http://arstechnica.com/tech-policy/news/...posted.ars
http://lulzsecurity.com/releases/sownage...TEMENT.txt
02-13-2012, 11:48 AM
Post: #32
RE: password recovery: is anyone happy?
Kudos to Dreamhost for all the recent password upgrades.

I just followed the panel's forgot password link as a test and was emailed, to one address on the account only, a password reset link; the email text contained the IP that requested the reset. Very nice upgrade there.

I also see you are no longer allowed to view a server user's password in the panel, only change it. The API has also been updated to remove password display.

I'm sorry it had to come to a crisis management situation to see the changes happen, but I am glad they finally have occurred.

Anyone have additional comments on areas where they feel improvement is still needed?
02-13-2012, 01:06 PM
Post: #33
RE: password recovery: is anyone happy?
It's a little early to be handing out kudos. They have only done 3/4 of the job. They don't ask the Secret Question.

They do have a secret question. There is a screen in the control panel where you can set and change it. They even have the nerve to say,
Quote:Your secret question and answer is what we use in the event you've forgotten your password, so be sure to make it something that only YOU would know. "What are the last four digits of my social security number?" would be a good example.
Well I'm not American so I don't really know about social security numbers, but I would be quite surprised if "the last four digits of my social security number" was really a good example. I would have thought it merited an intense brilliant red in the new dreamhost goodness-in-passwordery scale.

But be that as it may, what it says about "...is what we use in the event you've forgotten your password" is definitely untrue, for the time being. Hold the kudos. It is still possible for someone who can intercept your email to hijack your account.

~Tom
02-13-2012, 06:31 PM
Post: #34
RE: password recovery: is anyone happy?
Great point! I'm not even sure how they do use that security question, and you're right, they should use it.

The whole motive for bringing this thread back up, though, was to re-open the discussion while they are very obviously paying attention and making changes.
02-13-2012, 06:51 PM (This post was last modified: 02-13-2012 06:55 PM by bobocat.)
Post: #35
RE: password recovery: is anyone happy?
Thanks for reviving this discussion. It's very chilling in some ways to go back and read through it and others like it in light of recent events.

(02-13-2012 11:48 AM)LakeRat Wrote:  I just followed the panel's forgot password link as a test and was emailed to one address on the account only a password reset link, and the email text contained the IP that requested the reset. Very nice upgrade there.

Finally. It's amazing because this is really not that hard to implement. I believe most of the Panel is written in Perl and there are good packages in CPAN which can be used for this sort of thing. A competent programmer could add this sort of functionality in less than a day, possibly within an hour or so. There's really no excuse.

(02-13-2012 11:48 AM)LakeRat Wrote:  I also see you are also no longer allowed to view a server users password in the panel only change it. The API has also been updated to remove password display.

I played with the API once and ran away after the very first test returned all the usernames and passwords in plain view! I think, however, that the Panel behaviour you mentioned was actually implemented some time ago, not long after some of the discussions on this forum.

(02-13-2012 11:48 AM)LakeRat Wrote:  I'm sorry it had to come to a crisis management situation to see the changes happen, but I am glad they finally have occurred.

That's the eerie part. Some of the comments in these discussions mentioned something like let's hope DH gets hacked soon so that they'll improve their security... Really though, it shouldn't have happened. There's no excuse. The tried and tested modules are out there for free. I've added bcrypt to my app recently and was surprised at how easy it is to add incredibly strong and secure hashing.

(02-13-2012 11:48 AM)LakeRat Wrote:  Anyone have additional comments on area's where they feel improvement is still needed?

Dreamhost can do whatever they like and reap the rewards, whether it's hanging their head in sorrow as people leave after a security breach which they were literally asking for, or keep growing because they provide a balance between ease of use and security. Whatever they choose to do, there should always be an option to opt-in to industry best practice. That's actually a lenient request. Industry standard should be default with the option to opt-out. But I'm pretty sure DH won't go for it.

They are not, for example, going to stop encrypting passwords (note: not hashing). This violates the industry standard. So whenever they choose to do this, for whatever reason, there should always be the option to bypass their deviations. There should be a checkbox on the password changing form which allows you to choose between encryption and hashing along with the consequences that the customer has to face. Encryption means that Support can more easily help you troubleshoot your account but slightly increases the risk that someone may gain access to your password in the unlikely (snicker) event of a break-in. Hashing means that even if your password is compromised, it would take 10,000 years to figure out what it is, but Support will be less able to help you if you run into trouble with your account, or something like that.

If one is persistent, one can already do this for many things. I've had Support shut down the automatically created ftp and phpmyadmin access to all of my domains. It took time, but I got what I wanted. I don't want services that I never use available for all to see and attempt a brute force attack. There's absolutely no reason for it. You can also avoid having your passwords encrypted by changing them in the shell (I've added that to the wiki because it wasn't obvious before). If DH wants to display or send cleartext passwords, then fine, do it, but give me the option to opt-out. Don't force me to the level of the lowest-skilled of your customer base. Sure, I used to be there, but as I've studied and learnt about security, I want to take steps to improve it.

Please let me!
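The reset-link flow LakeRat describes (one recipient address, requester IP in the mail) and the non-reversible storage bobocat argues for, written out as an added example; this is not code from the thread, from the DreamHost panel or from its API. It uses only the Python standard library: PBKDF2-HMAC-SHA256 stands in for the bcrypt bobocat mentions, the two dictionaries stand in for real user and reset tables, and the panel URL in the email body is made up.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000      # stand-in for bcrypt's work factor
TOKEN_TTL_SECONDS = 15 * 60      # a reset link should not live long

# Constructed in-memory stores standing in for the real user and reset tables.
USERS = {}          # username -> {"salt": bytes, "hash": bytes, "email": str}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float, "ip": str}


def hash_password(password, salt=None):
    """Slow, salted, one-way derivation: nothing stored can be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def set_password(username, email, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "email": email}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        hash_password(password)   # burn the same work so unknown users are not timing-distinguishable
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def request_reset(username, requester_ip, now=None):
    """Mint a single-use reset token addressed to the account's own email.

    Returns (recipient_email, email_body), or None for an unknown user; the web
    handler should answer identically in both cases to avoid user enumeration.
    """
    rec = USERS.get(username)
    if rec is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token: a copied reset table cannot be replayed.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username, "expires": now + TOKEN_TTL_SECONDS, "ip": requester_ip,
    }
    body = (
        f"A password reset for '{username}' was requested from IP {requester_ip}.\n"
        f"If that was you, open https://panel.example.test/reset?token={token}\n"   # assumed URL
        f"The link expires in {TOKEN_TTL_SECONDS // 60} minutes. Otherwise ignore this message."
    )
    return rec["email"], body


def consume_reset(token, new_password, now=None):
    """Redeem a token exactly once; unknown or expired tokens are rejected and discarded."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry["expires"]:
        return False
    salt, digest = hash_password(new_password)
    USERS[entry["user"]].update(salt=salt, hash=digest)
    return True
```

Two details carry most of the security value: the reset table holds a hash of the token, so someone who can read the database still cannot build a working link, and `consume_reset` pops the entry before checking it, so a token can never be redeemed twice even if two requests race. The `now` parameter exists only so expiry can be exercised deterministically.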
02-14-2012, 07:31 AM
Post: #36
RE: password recovery: is anyone happy?
(02-13-2012 06:31 PM)LakeRat Wrote:  I'm not even sure how they do use that security question,

Guessing ... I imagine they use it in the event that a customer has lost control of their password and also of the email address associated with the account.

Quote:they should use it

Yes indeed ... HOWEVER ... gmail also has sub-standard security in this area. They allow a password re-set either via secret question or via email link.

(I just checked. I have a gmail account that I only ever use for forgetting the password of it, in order to test google's recovery mechanisms.)

Maybe this substandard security is a devilish ploy on the part of google; by deliberately having reasonable-but-less-than-optimal security, they absolve themselves of responsibility in the event of a customer losing high-value information through account hacking; for a high-value account, it is the customer's responsibility to choose a host with appropriate security mechanisms.

Maybe something of the sort has also flitted through the mind of Dreamhost?

~Tom
02-14-2012, 11:59 AM
Post: #37
RE: password recovery: is anyone happy?
tomtavoy Wrote:Guessing ... I imagine they use it in the event that a customer has lost control of their password and also of the email address associated with the account.

Correct — we use the secret question / answer as part of our manual account recovery process, for when customers can't recover their password using automated methods.

bobocat Wrote:They are not, for example, going to stop encrypting passwords (note: not hashing).

Given our recent scare, this is no longer true. :) We are currently working on phasing out all use of reversible password storage for web panel logins and FTP/SFTP/shell/mail. In fact, if you change your panel password right now, we throw away the new password after hashing it — we're no longer storing those in any recoverable format, going forward.
05-05-2012, 09:49 AM (This post was last modified: 05-05-2012 09:55 AM by jwwicks.)
Post: #38
RE: password recovery: is anyone happy?
(05-24-2011 05:30 PM)bobocat Wrote:  Have you all read the very lucid accounts of the HBGary break-in recently? Ars Technica has a good series of articles on it.

....
Just for the record, to see what domains are hosted on your machine, you can type:
Code:
$ cat @
and hit tab twice for autocomplete. According to DH support, it's trying to guess which email address you want, so it lists all of the available domains.
...

I'm not a hacker but that one is a treasure trove.
Many of the domains had wp/wordpress/joomla/drupal etc.. on my own machine. Now a hacker could target those specifically with known exploits rather than sniff scripting.

Jw
(02-14-2012 11:59 AM)andrewf Wrote:  Correct — we use the secret question / answer as part of our manual account recovery process, for when customers can't recover their password using automated methods.


Given our recent scare, this is no longer true. :) We are currently working on phasing out all use of reversible password storage for web panel logins and FTP/SFTP/shell/mail. In fact, if you change your panel password right now, we throw away the new password after hashing it — we're no longer storing those in any recoverable format, going forward.

Are you folks also planning on phasing out the mysql password show button?

Jw

A person who never made a mistake never tried anything new. - Albert Einstein
05-05-2012, 10:45 AM
Post: #39
RE: password recovery: is anyone happy?
(05-05-2012 09:49 AM)jwwicks Wrote:  I'm not a hacker but that one is a treasure trove.

Wow, still works for you? I guess they just turned it off for me :P

I don't think they'll get rid of the recoverable SQL passwords because they are stored in plaintext in your account anyway, and there is an automatic door installed where anyone can try to brute-force into your database (add dh_phpmyadmin to any of your domains).

For that reason, SQL passwords/users should be as long and complex as possible.
05-05-2012, 10:47 AM (This post was last modified: 05-05-2012 10:47 AM by jwwicks.)
Post: #40
RE: password recovery: is anyone happy?
(05-24-2011 05:30 PM)bobocat Wrote:  ...
Just for the record, to see what domains are hosted on your machine, you can type:
Code:
$ cat @
and hit tab twice for autocomplete. According to DH support, it's trying to guess which email address you want, so it lists all of the available domains.

To see most of the usernames on your machine, type:
Code:
$ ls -l /tmp/sess_a* | awk '{print $3}' | sort -u
..

Oh, it gets worse: some of those session files are rw-r--r--, so you can head the contents...

Wow, guess what, it's WordPress with a cart session, and it's a different user account I use.

I'm no security guru, but
put that together with domain, user etc... and you have a session hack, I'd think.

Jw

A person who never made a mistake never tried anything new. - Albert Einstein
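A check for the condition jwwicks describes (session files in a shared /tmp that other accounts can read) plus the usual fix, as an added example that is not from the thread and makes no claim about how DreamHost's servers are configured. The scratch directory, the two session files and the `php_sessions` path are constructed for the demo; the functions themselves can be pointed at a real `/tmp` or a site's own directory.

```sh
#!/bin/sh
# Added example, not from the thread: audit PHP session files that other
# accounts on a shared host can read, and create a private directory to keep
# your own sessions out of the shared /tmp.  Directory and file names below
# are constructed for the demo.

# Print every sess_* file directly under $1 whose "other" read bit is set.
# Uses ls + cut rather than find -perm so it works with any POSIX sh.
world_readable_sessions() {
    for f in "$1"/sess_*; do
        [ -f "$f" ] || continue
        # ls -ld prints e.g. -rw-r--r--; column 8 is the "other" read bit
        case "$(ls -ld "$f" | cut -c8)" in
            r) printf '%s\n' "$f" ;;
        esac
    done
}

# Create (or fix) a session directory only the owner can enter.  Pointing
# PHP's session.save_path at it keeps new sessions out of the shared /tmp.
make_private_session_dir() {
    mkdir -p "$1" && chmod 700 "$1" && printf '%s\n' "$1"
}

# Demo: one private and one leaky session file in a scratch directory.
demo_dir=$(mktemp -d)
printf 'cart|a:1:{s:4:"item";i:42;}' > "$demo_dir/sess_private"
printf 'login|s:5:"alice";' > "$demo_dir/sess_leaky"
chmod 600 "$demo_dir/sess_private"
chmod 644 "$demo_dir/sess_leaky"

world_readable_sessions "$demo_dir"          # lists only sess_leaky
private_dir=$(make_private_session_dir "$demo_dir/php_sessions")
```

Run `world_readable_sessions /tmp` on a shared box to see what your own applications are exposing; anything listed that belongs to you should move to a directory created with `make_private_session_dir`, with `session.save_path` set to that directory in the site's php.ini (or the equivalent setting your host exposes). Readability by other local users, not the file's contents, is the problem: a session file that names the logged-in account is enough for the session hijack jwwicks describes.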