Dreamhost password-reset still unsatisfactory?


#1

This is a comment on a recent thread entitled “URGENT: My Dreamhost account is hijacked”, but since this comment is not itself urgent I didn’t want to bring that thread back to the front.

I have sympathy for the OP’s plight and hope their difficulties are well on the way towards being resolved.

If the OP has any idea how their account was broken into, it might be worth posting about that also. And since this is (as Andrew noted) a discussion forum, it would be good to address some wider issues.

I wonder how many DH customers know that (subject to some reasonable assumptions which I will note) their DH hosting account can be completely hijacked if they merely leave their laptop unattended for 30 seconds while open on their regular email inbox.

Here’s how. Assume for the sake of definiteness that the unattended inbox is gmail (or google apps).

(1) Enter “newslettery” (n.b. the trailing ‘y’) into the Search box and hit “Search”
(2) Click on the most recent match (which conveniently appears at the top)
(3) Select-and-copy the text following “To:” (which also, conveniently, appears near the top)
(4) In another tab, browse to “panel.dreamhost.com” and click on “Forgot password”
(5) Hit “paste” into the text box and click on “Reset my password!”
(6) Go back to the first tab, click on “inbox” and click on the email which has just arrived
(7) Click on “You can reset your password by clicking this link:”
(8) A new tab opens; enter a new password twice (the shorter the better, quicker to type) and click on “Reset my password!”
(9) Go back to the first tab and (to cover your tracks) delete the email which you are looking at
(10) Another email arrives (from DH, saying they just re-set the password) - delete this email also.

Total time: well under 30 seconds if on a fast internet connection and you know what you are doing.

Then, later on, at your leisure:

(11) If the account holder has a secret question-and-answer, change it
(12) Harden the password which you entered at step 8
(13) See if the account holder has any MX records; if so, change them, in order to disrupt his or her access to email.

Comments:

(1) Who would ever leave their laptop unattended for 30 seconds while open on their inbox? It is sometimes claimed that people who would do that are not “administrator material” and should not be attempting to administer websites, esp. if used for business.

Be that as it may, if a person is being maliciously targeted, it might not be difficult to get them to leave their laptop unattended for 30 seconds, even if they are an experienced and savvy administrator. If anyone doubts this I will try to think up a plausible scenario, but it should not be necessary.

(2) Would email sent to their Dreamhost login email address be auto-forwarded to their regular email account? Well, this is an interesting question, and the answer is that it ought not to be. With gmail, for example, one can make one’s secondary email address (to which password-reset links will be sent) go to a rarely-accessed and well-protected account. But with Dreamhost everything - including newsletters and operational alerts needing immediate attention - goes to the same email address. So it is quite likely that even a savvy administrator will end up having his Dreamhost account-related email auto-forwarded to his regular email account.

(3) A few years ago, Dreamhost procedure was far worse, to the extent that a Starbucks waiter with access to a computer in a back room could compromise a Dreamhost account by peering over a customer’s shoulder for less than 3 seconds, retiring to the back room, and then emerging and peering again over the same shoulder for 1 second at a precisely engineered moment. Things have now improved … to the extent that a laptop needs to be unattended for 30 seconds for the account to be compromised. But is this good enough?


#2

Maybe the Chinese, Russian or South African intelligence services are after your account. I doubt many would know I was a DH customer, let alone try to reset my password from an unattended laptop… But I see your general point about the possibility.

Obviously a second recovery email address or mobile phone number associated with an account would be a good move.


#3

Simple answer, enable multifactor authentication.

Go now, everyone!

https://panel.dreamhost.com/index.cgi?tree=billing.secure&


#4

We recommend that customers enable multi-factor authentication on their DreamHost account (and to other online accounts they use, such as GMail accounts) for greater security. While this measure certainly cannot prevent all unauthorized access to your account, it makes it considerably more difficult for an attacker to gain access.

Beyond that, locking your computer when you step away from it (or taking it with you, if it’s a laptop!) is a good idea in general, and will protect you from any number of unpleasant possibilities, including the one you’ve described. (For instance, if your computer was left on and unlocked in public, an attacker could install a key logger and/or remote control application, and there is certainly nothing that we can do to detect or prevent this.)


#5

Thanks for the responses. It would be interesting to find out how much customer acceptance there is of multi-factor authentication, but that would be a question for another thread.

For now, my comment is that the DH wiki page about multi-factor authentication is not very clear when it comes to password re-set. It says:

[quote]If you lose your Google Authenticator device you can still regain access to your account just like before. The old “Forgot password link” will now read “Forgot password or lost/failed multifactor authentication?”

Clicking this link will bring you to a form that asks for your e-mail. Once you submit the form we will send you a link that you can use to reset your password and disable multifactor authentication.[/quote]

This sounds as though it could mean that on the linked-to page one can without further ado re-set the password and disable multifactor authentication.

But presumably what it ought to mean is something like: on the linked-to page, one can either enter the password, and if OK, one can then disable the mobile phone check,

or one can do the mobile phone check, and if OK, one can then re-set the password.

i.e. (using email as an alternative vector of multi-factor authentication) one can use one’s password to re-set the mobile phone check, or one can use one’s mobile phone to re-set the password.

Is that (approximately) what happens?
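One way to model the two-path recovery flow the post above is asking about, as an added example that is not DreamHost's own code or the wiki's description of it: the emailed link on its own never resets the password and disables MFA together; it is combined either with the phone code (to reset the password) or with the current password (to turn MFA off). The account store, the use of an HOTP counter in place of a TOTP time step, and all sample values are constructed for the example.

```python
import hashlib, hmac, os, secrets, struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP; a TOTP app uses counter = int(time.time() // 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, email, password, mfa_secret):
        self.email, self.salt = email, os.urandom(16)
        self.pw_hash = hash_pw(password, self.salt)
        self.mfa_secret = mfa_secret  # None means MFA is off

class Recovery:
    """Emailed link proves control of the inbox only; each action still needs the other factor."""

    def __init__(self):
        self.tokens = {}  # single-use reset token -> Account (constructed store)

    def issue_link(self, acct):
        tok = secrets.token_urlsafe(32)  # would be mailed to acct.email
        self.tokens[tok] = acct
        return tok

    def reset_password(self, tok, new_pw, otp=None, counter=0):
        """Inbox + phone code -> new password (inbox alone only if MFA is off)."""
        acct = self.tokens.pop(tok, None)  # token is consumed even on failure
        if acct is None:
            return False
        if acct.mfa_secret is not None:  # MFA on: the phone is the second factor
            if otp is None or not hmac.compare_digest(otp, hotp(acct.mfa_secret, counter)):
                return False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_pw(new_pw, acct.salt)
        return True

    def disable_mfa(self, tok, current_pw):
        """Inbox + current password -> MFA off (the lost-phone path)."""
        acct = self.tokens.pop(tok, None)
        if acct is None or not hmac.compare_digest(acct.pw_hash, hash_pw(current_pw, acct.salt)):
            return False
        acct.mfa_secret = None
        return True
```

Under this model, someone who only controls the inbox can request a link but can neither set a new password (no phone code) nor switch MFA off (no current password); the weaker reading of the wiki text would correspond to a single function that takes the token alone and does both.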


#6

That’s a good question, actually. I’ll check into how we have that process set up.