I signed up for a new account recently to stay for the long term, but I’m no longer sure about it. I’ve migrated about 20% of my other hosting accounts to Dreamhost, but I put a stop to it.
I’m very happy with the core hosting service, but I’m absolutely shocked by Dreamhost’s security practices.
Dreamhost is violating every fundamental security rule:
1. Rule: Passwords must be known only to users themselves. Service providers never store passwords; they store salted, non-reversible hashes.
Reality at Dreamhost: my password was just sent to me in clear text upon testing the “forgot password” functionality. Clear proof that Dreamhost centrally stores my password somewhere - accessible to lots of people other than myself.
2. Rule: Passwords are never echoed back to users, even when setting new passwords.
Reality at Dreamhost: my password was just displayed to me when I changed it. Whenever I change my password, somebody snooping over my shoulder will know it.
3. Rule: Passwords are never sent over unencrypted channels.
Reality at Dreamhost: all account changes trigger an email (which is inherently not secure) containing the password. If somebody snoops on Wi-Fi traffic, if somebody ever sees my inbox, or if my email provider has security troubles, then all of my websites and customers will be compromised.
(4. Rule: Inherently insecure protocols that fundamentally allow compromising accounts are not supported.)
(Reality at Dreamhost: FTP is not only supported but offered as the default option for new accounts, as opposed to SFTP. HTTPS with self-signed certs isn’t strongly recommended for all web-based control panels.)
I don’t even want to think about what will happen if Dreamhost’s databases are ever compromised through internal bad intent or external malicious action. All of the passwords, data, accounts, ecommerce traffic and reputation of all customers of Dreamhost would be at risk.
Dreamhost - can we expect better security practices from you in the immediate future?
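As an added illustration of rules 1 and 3 above (this is example code written for this page, not code from the post's author or from Dreamhost), here is how a provider can store only a salted, non-reversible hash and still offer a “forgot password” flow: the flow mints a random single-use reset token instead of mailing the password, because nothing in the stored record can be turned back into the password. The in-memory tables, the PBKDF2 iteration count and the 15-minute token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Illustrative parameters (assumptions for this example): PBKDF2-HMAC-SHA256 with an
# iteration count at the level OWASP currently recommends, a 16-byte random salt,
# and a 15-minute lifetime for password-reset tokens.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    The plaintext password is never stored; only this record is."""
    salt = os.urandom(SALT_BYTES)  # fresh salt per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hypothetical in-memory "user table" (constructed for the example): username -> record.
USERS: Dict[str, Dict[str, str]] = {}
# Hypothetical table of outstanding reset tokens: sha256(token) -> (username, expiry).
# Only the token's hash is stored, so a database leak does not hand out usable tokens.
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}


def create_user(username: str, password: str) -> None:
    USERS[username] = {"password_record": hash_password(password)}


def begin_password_reset(username: str, now: Optional[float] = None) -> str:
    """'Forgot password' that reveals nothing: mint a random one-time token, store only
    its hash with an expiry, and return the token for delivery to the user. The old
    password is neither known nor recoverable at this point."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[token_hash] = (username, now + RESET_TOKEN_TTL_SECONDS)
    return token


def complete_password_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use), reject it if unknown or expired, and replace
    the stored hash. The new password is never echoed back or emailed."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)  # removed on first attempt, valid or not
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry or username not in USERS:
        return False
    USERS[username]["password_record"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    print(USERS["alice"]["password_record"])  # no plaintext anywhere in the record
    token = begin_password_reset("alice")
    print("reset ok:", complete_password_reset(token, "a new passphrase"))
    print("old password still works:", verify_password("correct horse battery staple", USERS["alice"]["password_record"]))
```

The two checks that matter for the complaint above are visible in the code: `verify_password` can only confirm a guess, not produce the password, and `begin_password_reset` has nothing to send the user except a freshly generated token that expires and works once.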