User Password Protection


#1

Hi everyone,

I’ve recently joined DreamHost for my hosting and I’ve noticed something that I find a little troubling. All the passwords of the various users are visible when you’re logged into the panel (panel.dreamhost.com). Obviously my password is protected, but I find it a bit shady that I’m able to see the passwords of my various users (be it their mail account or their FTP account for their particular subdomain). Is there a way to blank out the password information?

Thanks in advance,

DashX


#2

Not that I am aware of. If you stop and think about it, however, this is not that unusual as you are ultimately responsible for all the activities of “your” users.

Those pages are delivered via SSL, so the risk of exposure to someone other than yourself is minimal, as long as you don’t give too many privileges on the account to your other users.

–rlparker


#3

Aren’t those passwords usually stored using one-way encryption such as a hash?


#4

bjornl,

One would think so, though they are displayed in “plaintext” on the https accessible Control Panel screen. Does that make sense?

–rlparker


#5

As far as I know, you can’t reverse-plaintext (decrypt) a password from a hash. So that tells me that passwords are stored in plaintext, though maybe in an encrypted file. Hopefully.

It is disturbing and handy at the same time; it’s handy that I can look up a forgotten password of mine, but it is a security risk.

-Scott


#6

Exactly. That was also my thinking. I’d be very surprised if DreamHost left them sitting in complete plaintext on their servers, but I agree they must not be using the “standard” hashing.

As you pointed out, they may be using some other encryption method; and I agree that “I hope so!”

–rlparker
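The distinction drawn in posts #5 and #6, as an added example that is not part of the original thread and is not DreamHost's code: a store that keeps only a salted one-way hash can verify a password but has nothing to display, so a forgotten password is reset rather than looked up. The `UserStore` class, its method names, the sample values in the test and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example


def _derive(password: str, salt: bytes) -> bytes:
    # One-way derivation: the output cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class UserStore:
    """Hypothetical account store that keeps only salt + derived key per user."""

    def __init__(self):
        self._records = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt for every password
        self._records[user] = (salt, _derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, key = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(_derive(password, salt), key)

    def panel_view(self, user: str) -> dict:
        """Everything an admin panel could show: stored fields, never the password."""
        salt, key = self._records[user]
        return {"user": user, "salt": salt.hex(), "key": key.hex()}

    def reset_password(self, user: str) -> str:
        """Forgotten password: issue a new one, shown once, instead of a lookup."""
        new_password = secrets.token_urlsafe(12)
        self.set_password(user, new_password)
        return new_password
```

A panel that can print the current password back, as described in this thread, must be holding it in plaintext or under reversible encryption; with a store like the one above the only recovery path is `reset_password`.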


#7

I hate the fact my passwords are visible like that. If you honestly have a problem with it, log in via SSH using PuTTY or a terminal program, and change your password from there. So far that password hasn’t updated on the web panel. So I feel a little safer this way at least.