Password security


#1

I recently forgot my DreamHost password, and clicked on the link to have it emailed to me. I was shocked to see the email show up with a clear-text password. I don’t mean a newly generated password that I could use to login with, but my old password sent to me in clear text.

Is DreamHost storing user passwords without any sort of hashing… not a good idea (especially given what happened to Sony last week). Or am I missing something? I didn’t think it was possible to recover someone’s password from a password file without some vicious math and a lot of time.

//dan.
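The reasoning in this post is exactly right: a site that can mail you your old password is storing something it can turn back into that password, whereas a properly hashed store cannot answer that request at all and has to issue a reset instead. As an added illustration (not code from this thread or from DreamHost), the following Python sketch shows both halves: passwords stored only as salted PBKDF2-HMAC-SHA256 digests, so `stored_password_for()` can only hand back an unusable hash, and a recovery flow that e-mails a random, single-use, expiring reset token rather than the password. The in-memory `USERS` and `RESET_TOKENS` tables, the iteration count and the 30-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed in-memory stand-ins for a user table and a reset-token table.
USERS = {}          # username -> {"salt": bytes, "digest": bytes}
RESET_TOKENS = {}   # username -> {"token_hash": bytes, "expires": datetime}

# Assumed work factor; OWASP's 2023 figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RESET_LIFETIME = timedelta(minutes=30)   # assumed token lifetime


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username, password):
    """Store only salt + digest; the cleartext password is never written anywhere."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether an account exists.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])


def stored_password_for(username):
    """Everything a 'send me my password' e-mail could contain: the digest.
    It cannot be turned back into the password without brute force."""
    return USERS[username]["digest"].hex()


def begin_reset(username, now=None):
    """Create a one-time reset token to e-mail to the user.

    Only the token's SHA-256 is stored, so a leaked database does not expose
    live reset links. Returns the token the mail should carry.
    """
    if username not in USERS:
        return None
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).digest(),
        "expires": now + RESET_LIFETIME,
    }
    return token


def complete_reset(username, token, new_password, now=None):
    """Consume the token (single use, time-limited) and set a new password."""
    now = now or datetime.now(timezone.utc)
    entry = RESET_TOKENS.get(username)
    if entry is None or now > entry["expires"]:
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(presented, entry["token_hash"]):
        return False
    del RESET_TOKENS[username]          # a token is good for exactly one reset
    register(username, new_password)    # old digest is replaced, never mailed
    return True


if __name__ == "__main__":
    register("dan", "correct horse battery staple")
    print("what the site could mail back:", stored_password_for("dan"))
    token = begin_reset("dan")
    print("what it should mail instead (reset token):", token)
    print("reset accepted:", complete_reset("dan", token, "new passphrase"))
    print("old password still works:", verify_password("dan", "correct horse battery staple"))
```

The two things to check in a real system are the same as in the sketch: the only password-derived value on disk is a salted, slow hash, and the recovery path never reads it back, only overwrites it after a fresh secret has been proven. Note that a single unsalted MD5 is not a substitute for this; it is fast and trivially brute-forced with precomputed tables.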


#2

see: http://discussion.dreamhost.com/thread-129702.html


#3

Good to know I’m not alone in recognizing a MAJOR security vulnerability. Hopefully with the recent press on Sony they’ll do something.


#4

“Hopefully … they’ll do something.”

Hi. I draw your attention to the first sentence of the first post of that other thread which LakeRat linked to, which is: “The password recovery process gets discussed from time to time, but nothing ever happens.”

This is becoming quite a soap opera! The main but silent character (dreamhost management) is giving a bravura display of chutzpah (which is variously translated as “audacious effrontery” or “supreme self confidence”).

If you have a dreamhost account, you can submit a support ticket about this. I did that, by the way, before I ever started that other thread, and received an interesting reply in less than 24 hours, so it’s worth doing.

I suggest, when you submit a support ticket, ask for permission to reproduce in this forum whatever reply they give you!

~Tom


#5

These requests go back to 2004!

I guess all we can do is hope and pray that there’s another breach of security soon as that might force them to reconsider their security practices… It’s obvious that requesting more security isn’t going to lead to any action…

1. Security Upgrade - Not Sending Account/User Passwords by Email
2. copy stored public key automatically into new accounts
3. Allow uploading an SSH public key for (new) users
4. Improve Password Security To Comply with Industry Best Practices
5. Do not store/email web panel passwords in plain text
6. Make subversion http access run with SSL by default
7. Prevent easy password stealing
8. Stop sending new account passwords through plain-text e-mail
9. Don’t send user password via e-mail when setting up new account
10. Stop sending FTP/shell/user passwords via email (cleartext)
11. Don’t send passwords in email
12. passwords are still shown in plain text if as support messages
13. Don’t send user password via e-mail when setting up new account
14. Don’t display passwords in plaintext on the panel.
15. Having to request cleartext passwords to developers is embarrassing.
16. Add MD5 password encryption option for authentication.
17. Don’t ever send user (chosen) passwords via plaintext email.


#6

I wonder when this will happen at DH: http://www.stuff.co.nz/technology/digital-living/5159030/Thousands-of-websites-exposed-in-hack-attack