So I stumbled upon this post about chicagovps

skirtTight Member
edited December 2012 in General

Comments

  • Haven't they been kicked enough here?

  • I personally have one of those 5 bucks 2gb ram openvz vpses, I love it.

  • image

    @Damian got you beat

  • @bamn said: @Damian got you beat

    That looks like a camel....

  • @Damian said: That looks like a camel....

    Burn @bamn. Take that!

  • @Damian said: That looks like a camel....

    Maybe "beating a dead camel" is a saying for our EU users?

  • @bamn said: Maybe "beating a dead camel" is a saying for our EU users?

    Yes, we have a lot of them here

  • Wintereise Member
    edited December 2012

    Back on the actual topic,

    that guy's notion of hashing isn't really entirely correct. Nothing's really stopping me from running $pw over bcrypt and mailing it to you at the same time.

    It doesn't mean I'm storing it plaintext. That said, the feature actually is configurable in WHMCS.

    Regardless, let's stop beating a dead horse.

  • I just wanted to clarify that at least 95% of the VPS hosts out there also email passwords, as it's most convenient for customers for easy access and reference. If you have any concerns, you have full access to both Manage and SSH to change your passwords to your service(s) instantly.

    @skirtTight said: I personally have one of those 5 bucks 2gb ram openvz vpses, I love it.

    Thanks for choosing ChicagoVPS. I'm glad to hear that you are satisfied with our services, it's our goal to keep our customers happy! If you need anything, don't hesitate to contact us.

  • jarjar Patron Provider, Top Host, Veteran

    @CVPS_Kevin said: I just wanted to clarify that at least 95% of the VPS hosts out there also email passwords, as it's most convenient for customers for easy access and reference. If you have any concerns, you have full access to both Manage and SSH to change your passwords to your service(s) instantly.

    I do this. Don't enter a real final root password on the order form. I haven't had any complaints. This is a relatively standard practice and most of the customers are not completely clueless.

  • serverian Member
    edited December 2012

    That guy thought even if he changes his password on an SSH session, the new password will be stored in the database as well.

  • @jarland said: I do this. Don't enter a real final root password on the order form. I haven't had any complaints. This is a relatively standard practice and most of the customers are not completely clueless.

    Same here. We stopped letting customers set their own password, instead sending out a random string of characters, with the idea that they'll see their own passwords.

    The only provider I can think of that doesn't send passwords is BuyVM. And that's it.

  • jarjar Patron Provider, Top Host, Veteran

    @serverian said: That guy thought even if he changes his password on an SSH session, the new password will be stored in the database as well.

    I did notice that as well and @CVPS_Kevin perhaps that is something you can look out for when a client makes issue with this, perhaps an easy thing to look out for to prevent such posts.

  • Patrick Member
    edited December 2012

    We also randomly generate passwords for root VPS login details, which are sent via email, and the field is not shown on the order form; client registration details have the password changed to * in the welcome email.

    Don't see the point of posting a link to an old thread though, the OP of that thread is clearly a ....

  • Asim Member
    edited December 2012

    @CVPS_Kevin said: I just wanted to clarify that at least 95% of the VPS hosts out there also email passwords, as it's most convenient for customers for easy access and reference. If you have any concerns, you have full access to both Manage and SSH to change your passwords to your service(s) instantly.

    The way most such scripts/apps are designed is that they have a programming object that receives all the registration_form data and just before hashing and storing it in the database (remember hash is different from encryption; hashes cannot be reversed) the password that the user supplied OR the system randomly generated is stored in a temporary variable. The WELCOME EMAIL template is prepared with all the info and variables parsed and the password is copied from the temporary variable the system stored in the previous step. Lastly, the email is sent and the object, obviously, destroyed.

    So, although you see the password in email does not mean that the passwords are being saved in plaintext. A naive user may ask HOW DO YOU AUTHENTICATE me if you don't know my password and if it's hashed .... it's simple .... the password you supply at login is also hashed and the login-hash is compared with the stored-hash .... if they match, you get to login

    The point is, the thread above is useless and the company obviously did not have that much information about how the password is being sent in the emails if it's encrypted in database. Complete and utter waste of time in my opinion by the OP who posted in phx2600.org

  • joepie91 Member, Patron Provider
    1. Even if the password is saved in the database in hashed form, it can still be sent out via e-mail at the point of creation of the account.
    2. Encrypting and hashing are not the same thing (this one directed to ChicagoVPS) and you really should not confuse them.
    3. Also directed at ChicagoVPS, hashed passwords are not "decrypted", the user input is hashed again and the hashes are compared.
    4. In WHMCS, to my knowledge, you can replace the password in your e-mail template with stars to obscure it.
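
Added example, not part of any post in this thread and not WHMCS code: the signup and login flow that Asim and joepie91 describe above, in Python. PBKDF2 from the standard library stands in for bcrypt, and `register`, `verify_password`, the dict used as a database and the list used as an outbox are all hypothetical names.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def hash_password(password: str) -> str:
    """One-way: random salt + PBKDF2-HMAC-SHA256 (stand-in for bcrypt)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Login: hash the supplied password again and compare the hashes."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(db: dict, outbox: list, user: str, password: str,
             mask: bool = False) -> None:
    """Signup: the plaintext lives only in this call's local variable."""
    db[user] = hash_password(password)          # only the hash is stored
    shown = "********" if mask else password    # fixed-width mask hides length
    # Any retained copy of this message is itself a plaintext copy.
    outbox.append(f"To: {user}\nSubject: Welcome\n\nPassword: {shown}\n")


if __name__ == "__main__":
    db, outbox = {}, []
    # Constructed sample accounts and passwords.
    register(db, outbox, "alice@example.com", "correct horse 42")
    register(db, outbox, "bob@example.com", "hunter2-sample", mask=True)
    print(db["alice@example.com"])
    print(outbox[0], outbox[1], sep="\n")
    print(verify_password("correct horse 42", db["alice@example.com"]))
    print(verify_password("wrong", db["alice@example.com"]))
```
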
  • joepie91 Member, Patron Provider

    @Zen said: The fact that they email passwords is not of my concern, of my concern is their lack of ability to take 2 minutes writing a copy paste explanation to the client, which they failed to do. (at least one that makes sense. Like @Joepie91 said.. sending them via variables/PHP at signup is not the same as sending them from the database.)

    I think the problem is that they don't actually know this, so they can't explain it to someone else either.

  • I lol'd at "Please review my signature."

    I need no fancy signature. At work I'm like the Romanian version of the Volturi. Everything comes to me.... even if I don't want it to :/

  • I think the guy is also assuming his password is a one way hash. If you're concerned you change it after you get the email, and change your SSL port # as well.

  • The inclusion of user provided password in the e-mail confirmation is one of the things that most disturbed me when first trying out LEB providers. It is a practice that should be discontinued.

    In addition, control panel interfaces on port 80, where everything is sent back and forth in the clear, is a very bad practice.

  • Why does WHMCS even have that feature.

  • @erichi said: In addition, control panel interfaces on port 80, where everything is sent back and forth in the clear, is a very bad practice.

    Not sure who does this on port 80, but HTTPS should be the norm for providers, I hope. First thing I mandated when we started.

  • I have a server from a LET advertiser here that does this. When asked about the security implications, support said that their billing was secure, so they had no plans to harden the control panel implementation.

  • @erichi said: I have a server from a LET advertiser here that does this.

    Yes, no comment. I've seen hosts that don't have SSL and have some explanation about it. Personally I think anything sensitive such as personal information and passwords should definitely be run over SSL.

  • @concerto49 said: Personally I think anything sensitive such as personal information and passwords should definitely be run over SSL.

    +1

    We always ask our customers to submit passwords etc only via our Client Area (SSL) and not by directly replying to the ticket via Email.

  • 24khost Member
    edited December 2012

    So, in our thought on this after reading this is, dumb person buys so and so vps, is sent the password that he decided on, then complains cause it is in the email telling him what he signed up with. If he doesn't like that he sure won't like the plain text emails saved in whmcs that have his password on it either.

  • Storing your password in plain text will save the resources wasted on hashing the password.

    I think it's okay because Chicagovps is always trying to aim for efficiency and wants to save as much resources as possible.

    +9001 for Chicagovps for being so resource saving.

  • @joepie91 said: In WHMCS, to my knowledge, you can replace the password in your e-mail template with stars to obscure it.

    We do this.
