Appalling security of many providers

First post (long time lurker).

It's striking how many providers have extremely shoddy account security. For example, I have just signed up to ArubaCloud, looking to take a few 1 euro servers. I then receive an email with my username and password in plain text!!!

This is completely crazy and a huge security issue. It's not just Aruba who are doing this, I have had this countless times in the past. My guess is it's due to the dodgy software these guys are using and skinning for their sites. Surely there must be an option to one-way hash these passwords for storage.

Really puts me off spending any money with services who completely fail to provide even a basic level of security.

Thanked by 1Yura

Comments

  • Foul Member
    edited November 2016

    Blame whmcs then.

    Default whmcs signup email has the password as ******* in the e-mail

    I don't send passwords in welcome emails. They can set new ones for their services after it has been provisioned.

    Edit: looks like arubacloud is using their own S/W.

  • @Foul said:
    Blame whmcs then.

    Default whmcs signup email has the password as ******* in the e-mail

    I don't send passwords in welcome emails. They can set new ones for their services after it has been provisioned.

    Edit: looks like arubacloud is using their own S/W.

    How can I show the password by default

  • PieHasBeenEaten Member, Host Rep

    Lol coming from a security expert and his password1234.

    Thanked by 1Foul
  • AnthonySmith Member, Patron Provider

    ac_serve said: I then receive an email with my username and password in plain text!!!

    If someone has access to your email... what difference does it make? I am sure the emails are sent encrypted to begin with, i.e. using SSL.

    This 'topic' has been going on for 10 years, I get at least 1 complaint p/week from someone who signed up and could not then find their password for solusvm a day or so later because it was all *********** in the email.

    Would be great to have the option to tick a box during sign up that says "Please exclude my password from the VPS details email". Sadly, this is a situation that exists because you can't please 100% of the people 100% of the time, and no matter what your position is and how much you stand by it, someone on the other side feels just as strongly.

    Thanked by 2Foul jar
  • If someone is serious about account security, she or he will change the password and turn on 2FA.

    If someone is not serious, she or he probably would have used a shit password like dick1234 anyways.

    Thanked by 1sithrebel15
  • The issue here goes far deeper than just being displayed in an email. The very fact they know the plain text version is deeply troubling. Passwords should be immediately one-way hashed to be stored in DB.

    If a hacker gets into their DB (like the many countless big corp examples) then bingo they have everyone's passwords. If they were properly hashed then potentially (depending on algorithm) terrible problem averted.

  • @jiggawattz said:
    If someone is serious about account security, she or he will change the password and turn on 2FA.

    I'm not talking about an auto-gen'd password. I'm talking about a password I manually entered. And yes, I'm not stupid enough to use the same password across accounts.

    2FA does absolutely nothing when a hacker has dumped the contents of their accounts DB for all to see.

  • jar Patron Provider, Top Host, Veteran
    edited November 2016

    Appalling! Shocking! I'm so shocked at it! It's breathtaking! I literally can't breathe! No one has ever done this ever! I'm having a heart attack! Guys! Someone call 911!

    Quick! Someone get me a password safe space STAT!!! People I give my password to have my password! Someone should sue!

    Nothing against you I just have this reaction when someone uses strong words like appalling to describe something that isn't incredibly abnormal. I think it's hilarious. It always makes me think of this:

    http://m.imgur.com/gallery/40Idny0
    (Not saying you're an asshole, just association in my mind with the trend of word use)

    Thanked by 2MikeA deadbeef
  • I've seen countless providers do that, not just in the hosting industry.

    Just change your password afterwards. No biggie

  • sharuu Member
    edited November 2016

    @ac_serve said: Passwords should be immediately one-way hashed to be stored in DB.

    Agreed, but sending mail at sign up does not mean it's stored as plain text in the DB. It can be generated, mailed, and then the hashed password can be stored in the DB. It'd be a concern if they send your password during recovery.

    Just hashing may not be sufficient now; salt + hash would be a better choice.

  • It's not that big of a deal, seriously.

    I would rather please the large majority of customers that prefer to have their password available to them at any time by visiting their email rather than the 5% that are security conscious.

  • jar Patron Provider, Top Host, Veteran

    @Jacob said:
    It's not that big of a deal, seriously.

    I would rather please the large majority of customers that prefer to have their password available to them at any time by visiting their email rather than the 5% that are security conscious.

    Yep. Few companies shape the expectations and desires of their customers. The rest merely cater to what they desire. It's okay that not everyone is the Apple of their market. Not sending passwords is secure, it's the better choice, but it doesn't matter if your customers prefer to go elsewhere because they don't like it. Your choice will not spark the rest of the industry to follow.

    Thanked by 1Jacob
  • chedenaz Member
    edited November 2016

    Surprise surprise, AboveClouds is a plain text offender!

    Congratulations, your aboveclouds account registration was successful!

    From now on you can login to the MyCloud control panel with your email address and password.

    You can log into your account with the following information:

    Username (my email)
    Password: (my password)

    Thanked by 1Jacob
  • The only time it bugs me is when I don't realize the password I'm typing into a form will be emailed. It's happened enough that I've started putting in a tmp password at signup, then logging in and changing it either way.

  • Jacob Member
    edited November 2016

    This is true, however you failed to point out that the password emailed is automatically generated and the user has no interaction in the creation of the password.

    For me it's just as secure and a security conscious customer should change the initial password to a password of their choice, which in our case is not emailed or stored in plain text whatsoever.

    @chedenaz said:
    Surprise surprise, AboveClouds is a plain text offender!

  • chedenaz Member
    edited November 2016

    Jacob said: For me it's just as secure and a security conscious customer should change the initial password to a password of their choice, which in our case is not emailed or stored whatsoever.

    A security conscious provider would allow a user to set a password during the sign-up process.

    I should point out that AboveClouds sends out a new password in plain text after a user clicks the password reset link.

  • AnthonySmith Member, Patron Provider

    And so the "I am right, no I am right, no I am right, no I am right" begins.

    Thanked by 2jar vimalware
  • @ac_serve said:
    I'm not talking about an auto-gen'd password. I'm talking about a password I manually entered. And yes, I'm not stupid enough to use the same password across accounts.

    @chedenaz said:
    A security conscious provider would allow a user to set a password during the sign-up process.

    Are you going to pretend that a provider or a provider's employee needs your s3cur3 password to snoop/mess with your data?

    Thanked by 1vimalware
  • edited November 2016

    @Foul said:
    Blame whmcs then.

    Default whmcs signup email has the password as ******* in the e-mail

    I don't send passwords in welcome emails. They can set new ones for their services after it has been provisioned.

    Edit: looks like arubacloud is using their own S/W.

    This is how it should be done.

    If I help someone set it up, it's normally done verbally or written on a letter :P and mailed XD

    well 32 character passwords <.<

    I also use a mouse type generator for the password. Move the mouse around and each movement adjusts it by some for letters, numbers and symbols, etc. But that's OP.

    Thanked by 1Foul
  • @chedenaz said:
    I should point out that AboveClouds sends out a new password in plain text after a user clicks the password reset link.

    I did mention that in my previous post.

    Customer password reset request > Email sent w/ link (Expiry of 30 minutes) > New automatically generated password is emailed to the customer.

    This is true, however you failed to point out that the password emailed is automatically generated and the user has no interaction in the creation of the password.
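
    The reset flow described above ends by emailing a freshly generated password, and the thread's objection is that a password then sits in plain text in the mailbox and, per jar's later post, in the archived copy of the email. The block below is an added example written for this thread, not code from AboveClouds, WHMCS or any poster. It keeps the 30-minute expiry but the email carries only a single-use link; the customer chooses the new password on the panel, and the database stores only a hash of the reset token and a salted PBKDF2 hash of the password. The `CREDS` and `PENDING` dicts and the `https://panel.example/` host are constructed placeholders for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the billing system's tables.
# These are assumptions of this example, not any real product's schema.
RESET_TTL_SECONDS = 30 * 60      # the 30-minute link expiry mentioned in the thread
PBKDF2_ROUNDS = 200_000

CREDS = {}     # username -> {"salt": bytes, "hash": bytes}
PENDING = {}   # sha256(token) -> {"user": str, "expires": float}


def store_password(username: str, password: str) -> None:
    """Keep only a salted PBKDF2 hash; the plaintext is discarded after this call."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    CREDS[username] = {"salt": salt, "hash": digest}


def check_login(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = CREDS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])


def request_reset(username: str, now: float) -> str:
    """Issue a reset token and return the email body that would be sent.

    Only the SHA-256 of the token is stored, so a dump of the database does
    not hand out live reset links. The body contains no password at all; the
    only secret in it is the token, which dies after 30 minutes or one use.
    The URL host is a placeholder for this example."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).digest()
    PENDING[key] = {"user": username, "expires": now + RESET_TTL_SECONDS}
    return (f"Open https://panel.example/reset?token={token} within 30 minutes "
            "to choose a new password. If you did not request this, ignore this email.")


def complete_reset(token: str, new_password: str, now: float) -> bool:
    """Consume the token (valid or not) and, if it was live, store the new password.

    The customer supplies new_password on the panel; nothing is generated for
    them and nothing is emailed back."""
    key = hashlib.sha256(token.encode("utf-8")).digest()
    entry = PENDING.pop(key, None)            # single use, even on failure
    if entry is None or now > entry["expires"]:
        return False
    store_password(entry["user"], new_password)
    return True


def token_from_email(body: str) -> str:
    """Demonstration helper: pull the token back out of the email body."""
    return body.split("token=", 1)[1].split()[0]


if __name__ == "__main__":
    t0 = 1_700_000_000.0                        # constructed clock value
    store_password("alice", "old-pass")
    body = request_reset("alice", t0)
    print(body)
    print("reset accepted:", complete_reset(token_from_email(body), "new-pass", t0 + 60))
    print("new password works:", check_login("alice", "new-pass"))
```

    The `now` parameter is passed in rather than read from the clock so the expiry can be exercised deterministically; in a real panel it would be `time.time()`. If the billing system archives outgoing mail, the archived body still holds the token for up to 30 minutes, which is why the token is single-use and why the archive should not be world-readable.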

  • ac_serve said: Really puts me off spending any money with services who completely fail to provide even a basic level of security.

    I feel the same way about tin foil neckbeards screaming about security on their shared resources, where anybody working for the company has access to your data.

  • @ac_serve said:

    @jiggawattz said:
    If someone is serious about account security, she or he will change the password and turn on 2FA.

    I'm not talking about an auto-gen'd password. I'm talking about a password I manually entered. And yes, I'm not stupid enough to use the same password across accounts.

    2FA does absolutely nothing when a hacker has dumped the contents of their accounts DB for all to see.

    It doesn't have to be stored in plain text to be sent to you in plain text if done before encrypting the password. It's trivial to send it then hash it.

  • jar Patron Provider, Top Host, Veteran
    edited November 2016

    sithrebel15 said: It doesn't have to be stored in plain text to be sent to you in plain text if done before encrypting the password. It's trivial to send it then hash it.

    This is what WHMCS does. However, it's important to note that the emails are stored in plain text in the database unless you remove them.

    Another interesting note is the product password. Like let's say the root password for the SolusVM module, for example. This is stored in plain text regardless. This is why many providers will generate this instead of letting you type one, and you should also change it if possible.

    So bottom line is that this is somewhat standard among providers using WHMCS, the most common billing software. It's not perfect, of course, but it's good to be aware of it and take an extra step or two to work around it.

    What I do with WHMCS welcome emails:

    Password: [The one you chose at signup]

    I just close the loop there with one simple adjustment.

    Thanked by 1mailcheap
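
    sharuu's post (generate, mail, then store only a salted hash) and jar's post above (send-then-hash is fine, but the welcome email is archived in plain text unless removed, so the template is changed to a placeholder) describe the same two fixes. The block below is an added example for this thread, not code from WHMCS or any provider: the legacy path that the thread complains about sits beside the hardened one, and `dump_exposes` is the check a provider can run against its own data model to see whether a dump of the users table or the mail archive would reveal a customer's password. `USERS` and `MAIL_ARCHIVE` are constructed in-memory stand-ins for the billing system's tables.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-ins for the billing system's tables (an assumption
# of this example, not a real schema). MAIL_ARCHIVE models the copies of sent
# emails that jar notes are kept in the database unless removed.
PBKDF2_ROUNDS = 200_000
USERS = {}
MAIL_ARCHIVE = []


def legacy_signup(username: str, password: str) -> str:
    """The pattern the thread objects to: plaintext in the DB and in the email."""
    USERS[username] = {"password": password}
    body = f"Username: {username}\nPassword: {password}\n"
    MAIL_ARCHIVE.append(body)
    return body


def hardened_signup(username: str, password: str) -> str:
    """Hash-then-store with a per-user salt; the welcome email uses jar's placeholder.

    The plaintext is used once to derive the hash and never written anywhere,
    so neither the users table nor the archived email can give it back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "hash": digest}
    body = f"Username: {username}\nPassword: [The one you chose at signup]\n"
    MAIL_ARCHIVE.append(body)
    return body


def verify_login(username: str, password: str) -> bool:
    """Constant-time comparison for both record shapes."""
    rec = USERS.get(username)
    if rec is None:
        return False
    if "password" in rec:                       # legacy plaintext record
        return hmac.compare_digest(rec["password"].encode("utf-8"), password.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])


def dump_exposes(password: str) -> bool:
    """Would a dump of the users table or the mail archive reveal this password?"""
    needle = password.encode("utf-8")
    in_users = any(
        needle in (v.encode("utf-8") if isinstance(v, str) else v)
        for rec in USERS.values()
        for v in rec.values()
    )
    in_mail = any(password in body for body in MAIL_ARCHIVE)
    return in_users or in_mail


def same_password_same_hash(user_a: str, user_b: str) -> bool:
    """sharuu's salt point: two accounts sharing a password must not share a hash."""
    return USERS[user_a]["hash"] == USERS[user_b]["hash"]


if __name__ == "__main__":
    legacy_signup("carol", "hunter2x")            # constructed sample account
    print("legacy dump exposes password:", dump_exposes("hunter2x"))
    USERS.clear()
    MAIL_ARCHIVE.clear()
    print(hardened_signup("alice", "correct horse"), end="")
    hardened_signup("bob", "correct horse")
    print("hardened dump exposes password:", dump_exposes("correct horse"))
    print("alice and bob share a hash:", same_password_same_hash("alice", "bob"))
```

    Without the per-user salt, `same_password_same_hash` would return True and a single cracked hash would unlock every account using that password; with it, each hash has to be attacked separately. The legacy branch in `verify_login` is there only so existing plaintext records keep working while they are migrated to hashes on next login.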