Password recovery: is anyone happy?


#1

The password recovery process gets discussed from time to time, but nothing ever happens. Well, maybe a significant number of customers are perfectly happy with the status quo.

So if anyone likes the way things are, I invite them to say so here, and why. To set the scene, I will say what happens now; then I will say what I think is wrong with it. Then (as a probably irrelevant appendix) I will say what I think should happen.

(1) WHAT HAPPENS NOW

On the panel login screen, anyone can enter any email address and press the “please email me my password” button. If the email address corresponds to an active dreamhost account, the password for that account is immediately emailed to that address.

(2) WHAT IS WRONG WITH IT

First, three lemmas:

Lemma 1: dreamhost actively encourages the use of gmail

Lemma 2: gmail actively discourages deletion of messages

Lemma 3: the dreamhost password recovery email actively encourages you not to fret

So: if you behave as actively encouraged to do by dreamhost and gmail, and if you (or indeed anyone else) have ever invoked the dreamhost password recovery mechanism on your email address, then there will be an old message sitting in your gmail account worded as above, and you will not be fretting about it.

This means that whenever you are logged into gmail, if anyone (your prankster brother-in-law, for example) gets hold of your keyboard, while your back is turned for just a few seconds, they can do a quick “search mail” for the text “don’t fret”, which will bring up any emails which dreamhost has sent you containing your password. They can then return the screen to your inbox, and when you come back a few seconds later, you will be none the wiser. I just tried it, and the process took 7 seconds.

(3) QUESTION: is anyone happy with this?

(4) WHAT I THINK SHOULD HAPPEN

I’m adding this section so that people don’t get the idea that doing things properly would make the process horribly complicated. It’s actually really simple. The password recovery button should cause an email to be sent to your email address, containing a time-limited invitation to a dialog that asks you your security question and then reveals your password.

~Tom


#2

Holy cow!

So I just realized I forgot my panel password and did the reset thing expecting to get a new password. Instead I get my actual password, meaning that Dreamhost is storing my password either unencrypted or in a method that has reversible encryption. I’d expect this from my bank, because banks are idiots about computers, but I honestly expected better from Dreamhost.

What’s really messed up is that I also forgot my Forum password and had to do the reset for that too, only to find that the forum has better password security than Dreamhost…


#3

Well, just to give another point of view, I’m quite happy with dreamhost storing our passwords in recoverable form, thinking about the balance between convenience and risk, and bearing in mind that dreamhost positions itself to attract novice users, which is a good thing cos it (presumably) keeps costs down.

Novices presumably forget their passwords more often than anyone else, and it might be too much to ask of them to create a new password every time they forget their old one.

Also, if the dreamhost citadel is ever breached by an attacker, all of our websites would be in an undefined state (aka toast), and the fact that our passwords have been stolen would be a minor extra detail (assuming we don’t re-use passwords elsewhere ~ which I think even novices ought to be clued up enough not to do).

However, putting a security question in between the email and the password recovery is, surely, an essential step that novices should be able to cope with. “What is your mother’s maiden name” is perfectly adequate for first-time users, and more security-conscious folk can dream up their own less crackable questions.

BTW in my previous message, sorry about the non-working bbcodes. I suppose images aren’t enabled in this forum. So the magnificent proofs of lemmas 1 to 3 will have to remain hidden.

~Tom


#4

A recoverable password is not acceptable. That opens a potentially dangerous hole for hackers. It is always suggested to use one-way encryption to encrypt your password. There is no way to retrieve your password, but you can reset it upon request.


#5

I’m not perfectly happy with anything. But DH’s system is convenient enough.

Did I mention it was convenient? Oops, yah, did that.
Have I ever needed it? Nope.
Has my password ever been stolen? Nope.
Do I rotate administrative passwords on a reasonably frequent (…if perhaps irregular) basis? You betchya.
Do I have GMail? Sure, why not.
Do I use GMail for web or network administration purposes? Hell no.

But why wouldn’t I complain?
Because there’s about a gazillion other things I’d rather have the DH folks deal with than molly-coddling them that can’t be arsed to remember their own administrative passwords.

Ok, that’s worth a big LOLZ if it’s your idea of evidence that DH “actively encourages” GMail for administrative accounts.

Do you use GMail for bank accounting or credit cards or ANYTHING other than maybe a Facebook subscription?
If so, it’s a clever strategy you may want to re-think.

And yet here you are still fretting over it.

(…deletia…)

Ok, definitely worth a big LOLZ.

If you’re logged into an administrative account on your computer and your bro-in-law japes you on it - you got what ya planned for. Which is to say, your clever administrative scheme has failed and you need to devise a new one. If you’re THAT INCREDIBLY CARELESS with your administrative information you’re just not administrative material.

Actually, I’m more satisfied with it now than when I started reading this post. This scheme weeds out the people who think they know how the Internet works and gives them an object lesson in how much they need to learn.

Better hope that prankster-in-law of yours doesn’t figure out you leave your bank account info on GMail or you may (unwittingly) be buying the beer on his next fun drinking binge. So when that hot chick with an awesome pink headband goes jogging by, keep your eyes on your keyboard lest mayhem occur.

The additional step you’re proposing just means another 7 seconds added to the process. Your brother-in-law takes 14 seconds to steal your password instead of 7. If you’re using GMail for your admin account(s) you’ve made a mistake and DH is certainly NOT to blame for it. If you have told your computer to remember a password that it should NOT know and you SHOULD know, again, you’ve made a mistake that DH is not to blame for.

Dreamhost should add a wiki page about very basic administrative password management and move on to more important things.

Now I’m off to go see how many people in my apartment complex have open wireless connections on their home routers; some Nigerian dude promised me $10,000,000 US if I’d help him send a few anonymous emails and daddy needs a new pair of shoes. And lots of hookers and blow. And maybe a nice Ferrari too.


#6

Hello netdcon. Your post is quite illogical.

[quote]But why wouldn’t I complain?
Because there’s about a gazillion other things I’d rather have the DH folks deal with than molly-coddling them that can’t be arsed to remember their own administrative passwords.[/quote]

Molly-coddling “them that can’t be arsed to remember their own administrative passwords” is exactly what dreamhost is doing now, by having a password recovery mechanism geared for maximum convenience and minimum security.

I am suggesting that dh improve it to a level of medium convenience and medium security.

Two other posters are saying they should improve it further, to the level of industry-standard security. I also would be happy with that.

The point I am trying to make is that the customers who are most at risk due to the current insecure mechanism are the ones who are least knowledgeable in how to protect themselves through good practice, so if dreamhost wishes to attract novice users (which, as I suggested, benefits everyone by keeping costs down) they really ought to re-think the password recovery mechanism.

~Tom


#7

I don’t see anything wrong with their password recovery procedure. I would rather have my password e-mailed to me instead of having perhaps a link sent to reset the password or something like that. Personally I have never forgotten my password for my account, and you should always keep some sort of file with your various accounts and passwords and take proper security measures with it in any case. If you are so concerned with your password being e-mailed to you and the fact that gmail retains your e-mails, you should use another e-mail provider. Just because DH can recommend gmail doesn’t mean you have to use them. Even gmail gives the option to permanently delete messages instead of keeping them in the trash forever. Wouldn’t it be more prudent to not be looking at e-mails that have sensitive information where other people can see you? I think that is most of your concern and not the security of the setup.


#8

Well maybe you don’t have a prankster brother-in-law (PBL), but surely you can imagine what it would be like to have one, and please can you say what is wrong with the following?

PBL knows the email address that you use for admin-related activities. Reasonable or unreasonable? Keeping such an email address secret from close relatives seems excessive.

PBL could surreptitiously get hold of your keyboard for 30 seconds while you are logged into your email. Reasonable or unreasonable? Logging out of email if you are going to leave the room for 30 seconds seems excessive.

Given that, even if you are the kind of person who never forgets your password, PBL can discover your password without you ever knowing.

(In 30 seconds, he can go to the dreamhost login panel, trigger the sending of the recovery email, read it, and delete it.)


#9

Don’t let the bastard in your house! Whip his ass! Folks don’t mess with my stuff. But here is a hint! It takes several minutes. You gots other problems.

Mayor


#10

You must be joking. Why would you have any relatives know about your business related e-mail account? If you know this person is prone to messing with your stuff you should change the e-mail address you have associated with DH and any other type of service you administer and keep it to yourself.

[quote]
PBL could surreptitiously get hold of your keyboard for 30 seconds while you are logged into your email. Reasonable or unreasonable? Logging out of email if you are going to leave the room for 30 seconds seems excessive.[/quote]

Logging totally off would be unreasonable. Locking your computer when you know someone might want to do nefarious activities while you step away, however, is highly recommended.

I assume this person doesn’t know your computer password and that even if you allow him to use your computer, it is under a login that you have created for family members that can only do limited activities (like browsing the web but not installing programs). If this is not the case I suggest you set up your computer like that immediately. If you know your computer is not secure you should always lock the screen when you step away from it. Your carelessness and lax security measures in an insecure environment seem to be the real problem.


#11

Hello mayor, what takes several minutes? I just tested it, and the time from clicking “email me my password” until receipt of said email was 21 seconds, and that is on a dialup connection.

My estimate of 30 seconds for the whole process, on broadband, is quite reasonable.

Ryo-ohki, I am not joking, and I never mentioned anything about “business related”.

I am not talking about people who use the web for business and who take a corresponding approach to security.

I am talking about a typical novice user who uses the web for, let us say, a blog.

That such a user should be expected to keep his or her email address secret from their relatives is ridiculous.

That such a user should be expected to lock down their computer when they leave it for 30 seconds is also ridiculous.

The current dreamhost system allows a PBL to discover that user’s password in 30 seconds without their ever knowing.

~Tom


#12

It is quite common to have one e-mail address that you use for administrative type things and another more personal e-mail address.

Those statements are just you not wanting to take responsibility for your own bad personal practices. You think the password protocol should be harder just because YOU don’t want to take your own precautions and the fact that you put up with your relative’s outrageous behavior instead of beating the fear of god into him with a crowbar.

I have a desktop computer that anybody can use, but they can only surf the web and they cannot install programs on it. I do all of my business on my laptop. I do have an account that family members can get on with the laptop too, though with the same restrictions I have put on my desktop. If you are in a household that always has people over, it is only common sense to lock the screen if you have to step away, lest they snoop somewhere they shouldn’t. If your brother-in-law cannot control himself with your personal property, I recommend you stop allowing him into your house or putting yourself in a position that would gain him access to your equipment. If you cannot avoid that, it is only common sense to lock the screen, as it only takes a moment to lock it and another moment to get yourself back in, and you don’t have to worry about your information being compromised.


#13

Passwords should never be sent via unsecured email (or even revealed on the screen) - period.

Correct procedure should always be to email an expiring link to reset the password. That link should ask a security question and, on positive identification, should prompt for a new password.

It’s no more difficult for a novice user than the current highly INSECURE system being used.
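The recovery flow proposed in #1 and #13, with the one-way password storage #4 asks for (an expiring single-use link in the mail, a security question, then a new password), as an added Python example; it is not Dreamhost’s code or anything posted in this thread, and the class names, the reset URL and the 15-minute link lifetime are assumptions:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60      # assumed policy: reset links expire after 15 minutes
PBKDF2_ROUNDS = 200_000


def slow_hash(secret: str, salt: bytes) -> bytes:
    """One-way, salted hash: the stored value cannot be turned back into the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """Hypothetical account record: only hashes of the password and the answer are kept."""

    def __init__(self, email: str, password: str, question: str, answer: str):
        self.email = email
        self.question = question
        self.pw_salt = secrets.token_bytes(16)
        self.pw_hash = slow_hash(password, self.pw_salt)
        self.ans_salt = secrets.token_bytes(16)
        # answers are normalised (case, surrounding spaces) before hashing
        self.ans_hash = slow_hash(answer.strip().lower(), self.ans_salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, slow_hash(password, self.pw_salt))

    def check_answer(self, answer: str) -> bool:
        return hmac.compare_digest(self.ans_hash, slow_hash(answer.strip().lower(), self.ans_salt))

    def set_password(self, password: str) -> None:
        self.pw_salt = secrets.token_bytes(16)          # fresh salt on every change
        self.pw_hash = slow_hash(password, self.pw_salt)


class RecoveryService:
    """Expiring, single-use reset links; the mail itself never carries a password."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.pending = {}    # sha256(token) -> (email, expiry); a leaked table yields no usable links
        self.now = now       # injectable clock so expiry can be exercised offline
        self.outbox = []     # (email, reset_url) pairs; stands in for the mail server

    def request_reset(self, email: str) -> str:
        acct = self.accounts.get(email)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).digest()
            self.pending[key] = (email, self.now() + TOKEN_TTL)
            self.outbox.append((email, f"https://panel.example/reset?t={token}"))
        # same reply either way, so the form does not confirm which addresses have accounts
        return "If that address has an account, a reset link has been sent to it."

    def complete_reset(self, token: str, answer: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).digest()
        entry = self.pending.pop(key, None)     # consumed on first use, right or wrong
        if entry is None:
            return False                        # unknown, already used, or never issued
        email, expiry = entry
        if self.now() > expiry:
            return False                        # link too old: request a fresh one
        acct = self.accounts[email]
        if not acct.check_answer(answer):
            return False                        # one guess at the question per emailed link
        acct.set_password(new_password)
        return True
```

A wrong answer burns the link, so guessing the security answer costs a fresh round trip through the mailbox each time, and a link read later (say, from an old message in a mailbox) has already expired or been used.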


#14

[quote=“Ryo-ohki, post:12, topic:55086”]
You think the password protocol should be harder just because YOU don’t want to take your own precautions and the fact that you put up your relative’s outrageous behavior instead of beating the fear of god into him with a crowbar.[/quote]

That is wrong. I don’t even have such a relative. Please can you try to address the argument … which is that the dreamhost protocol defies recommended practice, for no good reason.

Unless anyone can think of a good reason for it. Which no one has, yet.

~Tom


#15

No response? I guess people aren’t taking the prankster brother-in-law scenario very seriously. Let me try another.

There may well be flaws in the following (actually, I hope there are!) and I hope someone will point them out.

Numerous articles in reputable magazines explain how it is possible for malfeasants to snoop unencrypted internet traffic; for example, http://www.wired.com/threatlevel/2008/08/revealed-the-in/

Two posters in this thread have explained how it is good practice to keep one’s dreamhost account email address effectively secret; however, this address is likely to be used also for receiving dreamhost monthly newsletters and (if dreamhost is also one’s domain name registrar) annual ICANN-mandated whois reminders.

So,

(1) Malfeasant (M) snoops internet traffic looking for text which occurs in dreamhost newsletters or in whois reminders sent by dreamhost, and thereby harvests email addresses used for dreamhost accounts;

(2) M triggers the sending of the password recovery email to such addresses;

(3) M catches some of those emails and reads the passwords.

Please can someone explain why that wouldn’t work?

~Tom


#16

Gmail gives the option to always use https for a reason. It doesn’t do you any good if you don’t use it. Also there are steps you can take for your own machine to make sure any data you transmit is encrypted. If people would take more responsibility for their own security instead of being so lax about it they wouldn’t be bothered with the concerns you seem to be having.

I doubt anyone would go to such lengths just to compromise someone’s web hosting account in any case. Even if they did it to upload malicious code or deface your website that would just be a minor event. DH has backups you could use to restore your account (or if you kept your own backup of recent changes you could restore it manually). As for the end user they should have certain security measures in place to make sure their systems aren’t compromised by running across a website with malicious code.

Would you prefer DH to have no password recovery procedure at all? Even if they had a tougher password recovery option you would still have the same concerns. It is more likely that someone who has it in for you personally would try to use a brute force attack on your specific account than it would for some random data sniffer to use any information they gained to get into some random person’s account. Using an expiring link would have the same issues even if you had to answer security questions once you clicked on it. That would be even worse for someone if they can’t even remember what their password was. You may think that is unlikely for someone to forget both but that’s wrong. I took numerous calls from people who not only forgot their online passwords (for their cellphone accounts), they forgot the security questions too and the password on their billing accounts.

Snoopers want to get information that would benefit them in some way. Also they want to gather data quickly with very little manual intervention on their part. They may want your credit card details if possible or to sell e-mail addresses. Wanting DH to change their password recovery procedure for either of the scenarios you have is just not warranted because it is just common sense for people to be taking their own security measures to make sure their information isn’t compromised. If you kept an encrypted file on your computer with a list of your accounts and passwords you would never need to even use the password recovery mechanism. Switching on the https connection for gmail (or whatever other email service you use hopefully would have the same options) is only good practice as well as encrypting any information you have to be transmitting from your machine. It seems that you are just unwilling to take measures into your own hands at all like the rest of the more security conscious denizens of the intarwebs.


#17

Hello again Ryo-ohki, several things I don’t understand in your reply.

First, how does https help in this context? The problem is that the emails which dreamhost sends to the customer’s email address are not encrypted. How can a customer make sure that those emails are encrypted? As far as I can see, https doesn’t have any relevance here.

Second, I do appreciate that when you say “you” it is probably a generic “you”, but it might help if I make it clear that I have no concerns about my own security practices. Also, I have never forgotten a password and never needed to use any organization’s password recovery mechanism. I do, however, use such mechanisms in order to check the security of their methods.

Also, I have no significant concern that malfeasants might particularly want to corrupt my websites especially. The majority of your post seems to be addressing that non-concern. (Also, please understand that I have no prankster brother-in-law. My previous scenario was entirely based on the fact that many people do.)

The scenario I have outlined is where M gains a random selection of dreamhost passwords in order to inflict random mayhem. Not to me personally, nor to you personally, just random. That is what hackers quite often like to do.

This discussion would be much more useful if you could try to keep personalities out of it!

Third, the improved password recovery mechanism which I outlined in the opening post would entirely defeat the attack I have described. And the even better mechanism requested by patricktan would defeat even more attacks. So why do you say, “Even if they had a tougher password recovery option you would still have the same concerns”?

Thanks
~Tom


#18

The https was in reference not to the DH e-mail being sent to you but to you checking your gmail account, but it doesn’t matter. Let’s say that DH was using the method that patricktan suggested and only allowed you to reset the password. While it would make it more of a hassle for an actual person to follow these steps, a hacker wouldn’t mind doing it vs someone who is just snooping for as much data and account information as possible at random for whatever nefarious purpose they have in mind.

It is far better from a security perspective for people to use unique passwords for their accounts instead of using the same password everywhere when they also tend to use the same or similar usernames as well. This way if one account is compromised you don’t have to worry about other accounts elsewhere that have the same username, e-mail, and password associated with it.

Also, if DH sets up the system that way, how are you going to get your password if you forgot the security question, as I have mentioned before? DH doesn’t operate by phone unless you pay for it, so you cannot call in to have it reset. Just having an expiring link wouldn’t work either if we are under the assumption that whoever is grabbing your information is going to act upon it immediately. You are just adding more steps they have to take to gain access into your account, not making it impossible.

The effort it would take to change the system is just not worth it on DH’s end, and the hassle it would create for customers who simply want to know what their password was and not have to pick something else that they would end up forgetting (since they obviously don’t save their passwords somewhere themselves) and having to reset it again.

I will restate that it is still more likely someone will use a brute force attack on accounts than it would be for someone to use a BGP attack to monitor DH traffic or to be sniffing local traffic over insecure wifi connections. The greater majority of people use words that can be found in the dictionary for their passwords instead of a combination of letters, numbers and special characters, so it would be a lot more productive to go that route.


#19

Hi again, we can surely rule out brute force attacks against dreamhost passwords. There are absolutely standard mechanisms for making those totally infeasible (for example, by slowing down repeated login attempts) and it would be unbelievably shocking if some such were not in place for dreamhost.

(Of course, I’m not going to test that, for obvious reasons. I hope someone knowledgeable can confirm it!)

I have to confess that as far as I can see, the rest of your remarks, though interesting, really don’t bear on the problem in hand. If you could explain more clearly, that would be great. In particular, please consider the following:

(1) the security question mechanism (placed in between receipt of the email and the password revelation or re-set) defeats any automated attack, and if the user has chosen well, it also defeats any feasible human attack (in exactly the same way that a password does)

(2) forgetting the answer to the security question is obviously much rarer than forgetting a password … after all, the whole point of the security question mechanism is that the question reminds the user of the answer … so in those very few cases where a user has forgotten both their password and the answer to their security question, it is quite reasonable that they would have to resort to messaging directly with dreamhost support in order to re-establish their credentials (and this can be done through messaging, it does not need expensive phone support)

So unless I’ve missed something vital, or misunderstood something, my argument is unaltered

~Tom


#20

I’ll resist the urge to make a StarTrek-infused comment for the moment.

You may have minimal security but I can assure you, mine is quite adequate to the task.

Security is my responsibility, not DH’s.

I don’t know what level of user DH “wishes” to attract. Here’s what I do know:

  1. My understanding was that DH provides a “DIY” environment, as opposed to novice-level environment.
  2. I’ve been doing systems and network administration for over 22 years now and I can tell you with some semblance of expertise that none of the features at DH lend themselves to novitiate web administration.
  3. DH does not provide 24/7 voice phone support. This alone precludes the sort of hand-holding that novice web administration would require.

Just for giggles, I searched the DH web pages for the word “novice”. I suggest you try it yourself.
As for novice users keeping costs down - meh. Novice users require more staff, more resources, more-bloated control panel options (such as the one you suggest), and can represent more trouble than they’re worth.