Is HostGator storing my password in plaintext? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)How up-to-date is the plaintextoffenders list?Is it better to hash n*x times in sha1 or n times in sha512 on the client side?Definitely safest password storage scheme?Forgot Password? - sends email with plaintext passwordIs it ok for software to store passwords locally in plain-text?Finding Plaintext Password RepositoriesHow to avoid storing plaintext during CHAP authenticationReceived an email about an “Etsy” Password Reset due to the “Linkedin Breach…” is this a phishing attempt?Storing Password Hash plaintextThird party program is storing a password in a DSN. Is it a security threat?Methods for storing plaintext passwords on a client

Why did Bronn offer to be Tyrion Lannister's champion in trial by combat?

Why do some non-religious people reject artificial consciousness?

Is it OK if I do not take the receipt in Germany?

Has a Nobel Peace laureate ever been accused of war crimes?

Is my guitar’s action too high?

lm and glm function in R

Do chord progressions usually move by fifths?

How to leave only the following strings?

Is the Mordenkainen's Sword spell underpowered?

How to ask rejected full-time candidates to apply to teach individual courses?

Does traveling In The United States require a passport or can I use my green card if not a US citizen?

Why did Europeans not widely domesticate foxes?

How to create a command for the "strange m" symbol in latex?

What came first? Venom as the movie or as the song?

What is the evidence that custom checks in Northern Ireland are going to result in violence?

What's the difference between using dependency injection with a container and using a service locator?

Assertions In A Mock Callout Test

Why doesn't the university give past final exams' answers?

Trying to enter the Fox's den

Why not use the yoke to control yaw, as well as pitch and roll?

Reflections in a Square

Can gravitational waves pass through a black hole?

A German immigrant ancestor has a "Registration Affidavit of Alien Enemy" on file. What does that mean exactly?

Can the van der Waals coefficients be negative in the van der Waals equation for real gases?



Is HostGator storing my password in plaintext?



Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)How up-to-date is the plaintextoffenders list?Is it better to hash n*x times in sha1 or n times in sha512 on the client side?Definitely safest password storage scheme?Forgot Password? - sends email with plaintext passwordIs it ok for software to store passwords locally in plain-text?Finding Plaintext Password RepositoriesHow to avoid storing plaintext during CHAP authenticationReceived an email about an “Etsy” Password Reset due to the “Linkedin Breach…” is this a phishing attempt?Storing Password Hash plaintextThird party program is storing a password in a DSN. Is it a security threat?Methods for storing plaintext passwords on a client



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








133















I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question
























  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Mar 28 at 14:46






  • 9





    Bluehost too :( . When you contact bluehost customer service (any agent) throw emails or chat on web, they ask for the last 4 digits of your PASSWORD to proof t's you - the owner

    – AccountantM
    Mar 29 at 9:38












  • I had JustHost for a long time until one day they asked me as a "security question" to tell them some portion of my password. He assured me that he "couldn't see my whole password" but could/would not tell me if they were storing in plain text. That was my last day as a customer. In both of our cases it's either plaintext or, as mentioned below, reversible; which is unnecessary and dangerous.

    – Gary
    Mar 29 at 17:59







  • 1





    Passwords are only safe when stored encrypted by a one-way, salted, cryptographically secure hash. Whether stored plaintext or encrypted (and decryptable), you are one security incident away from access. The offenders are not going to fix it. Migrate to another provider, Fire them! ... and explain that their bad security practices are the reason.

    – ChuckCottrill
    Mar 29 at 22:52






  • 1





    Note that another signal that the provider stores cleartext (or decrypts) passwords is when they prevent reuse of portions of previous passwords - how can they detect reuse without having the previous password in cleartext ;-)

    – ChuckCottrill
    Mar 29 at 23:22

















133















I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question
























  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Mar 28 at 14:46






  • 9





    Bluehost too :( . When you contact bluehost customer service (any agent) throw emails or chat on web, they ask for the last 4 digits of your PASSWORD to proof t's you - the owner

    – AccountantM
    Mar 29 at 9:38












  • I had JustHost for a long time until one day they asked me as a "security question" to tell them some portion of my password. He assured me that he "couldn't see my whole password" but could/would not tell me if they were storing in plain text. That was my last day as a customer. In both of our cases it's either plaintext or, as mentioned below, reversible; which is unnecessary and dangerous.

    – Gary
    Mar 29 at 17:59







  • 1





    Passwords are only safe when stored encrypted by a one-way, salted, cryptographically secure hash. Whether stored plaintext or encrypted (and decryptable), you are one security incident away from access. The offenders are not going to fix it. Migrate to another provider, Fire them! ... and explain that their bad security practices are the reason.

    – ChuckCottrill
    Mar 29 at 22:52






  • 1





    Note that another signal that the provider stores cleartext (or decrypts) passwords is when they prevent reuse of portions of previous passwords - how can they detect reuse without having the previous password in cleartext ;-)

    – ChuckCottrill
    Mar 29 at 23:22













133












133








133


15






I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question
















I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here







passwords databases web-hosting






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 26 at 22:48







Marquizzo

















asked Mar 26 at 22:18









MarquizzoMarquizzo

6042210




6042210












  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Mar 28 at 14:46






  • 9





    Bluehost too :( . When you contact bluehost customer service (any agent) throw emails or chat on web, they ask for the last 4 digits of your PASSWORD to proof t's you - the owner

    – AccountantM
    Mar 29 at 9:38












  • I had JustHost for a long time until one day they asked me as a "security question" to tell them some portion of my password. He assured me that he "couldn't see my whole password" but could/would not tell me if they were storing in plain text. That was my last day as a customer. In both of our cases it's either plaintext or, as mentioned below, reversible; which is unnecessary and dangerous.

    – Gary
    Mar 29 at 17:59







  • 1





    Passwords are only safe when stored encrypted by a one-way, salted, cryptographically secure hash. Whether stored plaintext or encrypted (and decryptable), you are one security incident away from access. The offenders are not going to fix it. Migrate to another provider, Fire them! ... and explain that their bad security practices are the reason.

    – ChuckCottrill
    Mar 29 at 22:52






  • 1





    Note that another signal that the provider stores cleartext (or decrypts) passwords is when they prevent reuse of portions of previous passwords - how can they detect reuse without having the previous password in cleartext ;-)

    – ChuckCottrill
    Mar 29 at 23:22

















  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Mar 28 at 14:46






  • 9





    Bluehost too :( . When you contact bluehost customer service (any agent) throw emails or chat on web, they ask for the last 4 digits of your PASSWORD to proof t's you - the owner

    – AccountantM
    Mar 29 at 9:38












  • I had JustHost for a long time until one day they asked me as a "security question" to tell them some portion of my password. He assured me that he "couldn't see my whole password" but could/would not tell me if they were storing in plain text. That was my last day as a customer. In both of our cases it's either plaintext or, as mentioned below, reversible; which is unnecessary and dangerous.

    – Gary
    Mar 29 at 17:59







  • 1





    Passwords are only safe when stored encrypted by a one-way, salted, cryptographically secure hash. Whether stored plaintext or encrypted (and decryptable), you are one security incident away from access. The offenders are not going to fix it. Migrate to another provider, Fire them! ... and explain that their bad security practices are the reason.

    – ChuckCottrill
    Mar 29 at 22:52






  • 1





    Note that another signal that the provider stores cleartext (or decrypts) passwords is when they prevent reuse of portions of previous passwords - how can they detect reuse without having the previous password in cleartext ;-)

    – ChuckCottrill
    Mar 29 at 23:22
















Comments are not for extended discussion; this conversation has been moved to chat.

– Rory Alsop
Mar 28 at 14:46





Comments are not for extended discussion; this conversation has been moved to chat.

– Rory Alsop
Mar 28 at 14:46




9




9





Bluehost too :( . When you contact bluehost customer service (any agent) throw emails or chat on web, they ask for the last 4 digits of your PASSWORD to proof t's you - the owner

– AccountantM
Mar 29 at 9:38






Bluehost too :( . When you contact bluehost customer service (any agent) throw emails or chat on web, they ask for the last 4 digits of your PASSWORD to proof t's you - the owner

– AccountantM
Mar 29 at 9:38














I had JustHost for a long time until one day they asked me as a "security question" to tell them some portion of my password. He assured me that he "couldn't see my whole password" but could/would not tell me if they were storing in plain text. That was my last day as a customer. In both of our cases it's either plaintext or, as mentioned below, reversible; which is unnecessary and dangerous.

– Gary
Mar 29 at 17:59






I had JustHost for a long time until one day they asked me as a "security question" to tell them some portion of my password. He assured me that he "couldn't see my whole password" but could/would not tell me if they were storing in plain text. That was my last day as a customer. In both of our cases it's either plaintext or, as mentioned below, reversible; which is unnecessary and dangerous.

– Gary
Mar 29 at 17:59





1




1





Passwords are only safe when stored encrypted by a one-way, salted, cryptographically secure hash. Whether stored plaintext or encrypted (and decryptable), you are one security incident away from access. The offenders are not going to fix it. Migrate to another provider, Fire them! ... and explain that their bad security practices are the reason.

– ChuckCottrill
Mar 29 at 22:52





Passwords are only safe when stored encrypted by a one-way, salted, cryptographically secure hash. Whether stored plaintext or encrypted (and decryptable), you are one security incident away from access. The offenders are not going to fix it. Migrate to another provider, Fire them! ... and explain that their bad security practices are the reason.

– ChuckCottrill
Mar 29 at 22:52




1




1





Note that another signal that the provider stores cleartext (or decrypts) passwords is when they prevent reuse of portions of previous passwords - how can they detect reuse without having the previous password in cleartext ;-)

– ChuckCottrill
Mar 29 at 23:22





Note that another signal that the provider stores cleartext (or decrypts) passwords is when they prevent reuse of portions of previous passwords - how can they detect reuse without having the previous password in cleartext ;-)

– ChuckCottrill
Mar 29 at 23:22










3 Answers
3






active

oldest

votes


















183














Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer


















  • 39





    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    Mar 27 at 0:07






  • 52





    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    Mar 27 at 0:26







  • 8





    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

    – orithena
    Mar 27 at 9:35






  • 14





    This answer could be stronger. The rep was completely wrong. Even if they are using reversible encryption so they can extract the original plaintext, that's about as good as not encrypting at all and he claims that email is secure which is total nonsense. This needs to be escalated with HostGator for the benefit of everybody.

    – Lightness Races in Orbit
    Mar 27 at 13:37






  • 4





    Why do you say "in a pinch, bcrypt" - is it not just as secure as scrypt or argon2? It certainly has years of field testing.

    – corsiKa
    Mar 27 at 18:55


















82














Yes, they store passwords in plaintext or equivalent, and definitely transmit them in plain text. This was discovered in 2011.



This is confirmed HostGator being listed on Plaintext Offenders, as well as by its entry in the CVS file containing a list of offenders. This is not new and has been known since at least 2011. HostGator has not reformed since. The Plaintext Offenders website shows a screenshot similar to yours as evidence:



HostGator sux






share|improve this answer




















  • 11





    I realize that this is a semantic point, but I don't see how this proves that they store passwords in plaintext. They could have them encrypted and are decrypting them when they send them to you. Of course this is bad practice.

    – Greg Schmit
    Mar 28 at 18:05






  • 3





    And they claim, at least, that they don't store passwords in plaintext: i.imgur.com/9qrVPrm.png (again, not disputing that this is bad practice).

    – Greg Schmit
    Mar 28 at 18:08






  • 8





    @GregSchmit: Regardless of whether the password is stored plaintext in the auth database, it is stored plaintext in HostGator's e-mail server, potentially transmitted in plaintext across the Internet, and potentially stored plaintext at the recipient e-mail server. I say potentially because it largely depends on the domain where you receive your HostGator e-mail and how the server handling that domain is configured.

    – Ben Voigt
    Mar 28 at 20:24






  • 7





    @BenVoigt We already know for a fact that the plaintext password was emailed, so that's irrelevant. The question is whether they are storing that in plaintext in their database. The OP wouldn't have asked "is this password stored in plaintext on an email server somewhere", because that would be a stupid question to ask given that the password was emailed.

    – Greg Schmit
    Mar 28 at 20:29






  • 6





    To reiterate (because apparently this needs to be done), I agree that encrypting passwords is bad practice, since that means that they can be decrypted, but this answer dishonestly pretends that it's been proven that they store passwords in plaintext when it's plausible that they store them encrypted, and the highest-voted answer correctly addresses this.

    – Greg Schmit
    Mar 29 at 2:35


















2














If the company rep's response is true, the Password is stored as an encrypted text. This makes the plain text password in unprompted email a bigger concern.




is it safe to assume that my password is stored in their database as plain text?




The company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, my conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



If the stored password is encrypted, the biggest concern here is not the way it is stored but the way it is transmitted, in plain text on an email when the user did not request any.




do you have any suggestions on how to address this issue with the
provider?




You can ask the company to change the following (in the order of priority)



  1. Stop sending passwords over email.

  2. Provide Reset password option instead of recovering it.

  3. Replace encrypting passwords with Hashing and Salting.


In response to comments,



  1. Yes, there is high chance that the rep is lying or didn't know what he is talking about. But there is also a possibility that he was telling the truth. This answer deals with that scenario.

  2. I consider transmission of passwords as a bigger problem to storage because the OP was sent the password in an email when he did not ask for any.

  3. I have seen systems that store passwords in an encrypted text and send them to users upon request. They are not secure, but they do exist. Just because you received your info in plain text does not guarantee it is stored that way too.





share|improve this answer




















  • 49





    "No, the company representative explicitly told that they are not storing the password in plain text" since when can you blindly trust what a low level rep says about a large company?

    – MindSwipe
    Mar 27 at 12:10






  • 41





    @KolappanNathan Given that that same employee considers sending passwords via email to be a safe practice, there's very little reason to assume that rep is a trustworthy source of information.

    – Beofett
    Mar 27 at 12:21






  • 21





    "Assuming he is telling the truth" implies he is either truthful and correct or lying. The reality is likely a third option: he doesn't actually know the answer and, like many reps, is simply trying to make the person on the other end happy. Never attribute to malice what can easily be explained by ignorance. The fact that the rep doesn't even know how to spell encryption (the way they spelled it clearly wasn't the result of a simply typo) is a strong indication that they are simply ignorant of this topic and don't know anything about it.

    – Conor Mancone
    Mar 27 at 12:30






  • 3





    @ConorMancone That is possible and an answer already exists for such a possibility. My answer deals with an another possible scenario that the password is encrypted. It is a possible scenario. No one can tell for 100% percent that the password is in plain text. What is wrong about writing answers for an another possible scenario? The typo does not indicate anything. He misspelled a single letter!!!

    – Kolappan Nathan
    Mar 27 at 12:40






  • 3





    @ConorMancone The OP said that he received the password in email when he did not ask for any. He could have abandoned his email. I consider transmission to be biggest issue. I agree with the fact that encrypting passwords is insecure too. No disagreements there.

    – Kolappan Nathan
    Mar 27 at 13:03











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206186%2fis-hostgator-storing-my-password-in-plaintext%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









183














Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer


















  • 39





    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    Mar 27 at 0:07






  • 52





    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    Mar 27 at 0:26







  • 8





    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

    – orithena
    Mar 27 at 9:35






  • 14





    This answer could be stronger. The rep was completely wrong. Even if they are using reversible encryption so they can extract the original plaintext, that's about as good as not encrypting at all and he claims that email is secure which is total nonsense. This needs to be escalated with HostGator for the benefit of everybody.

    – Lightness Races in Orbit
    Mar 27 at 13:37






  • 4





    Why do you say "in a pinch, bcrypt" - is it not just as secure as scrypt or argon2? It certainly has years of field testing.

    – corsiKa
    Mar 27 at 18:55















183














Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer


















  • 39





    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    Mar 27 at 0:07






  • 52





    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    Mar 27 at 0:26







  • 8





    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

    – orithena
    Mar 27 at 9:35






  • 14





    This answer could be stronger. The rep was completely wrong. Even if they are using reversible encryption so they can extract the original plaintext, that's about as good as not encrypting at all and he claims that email is secure which is total nonsense. This needs to be escalated with HostGator for the benefit of everybody.

    – Lightness Races in Orbit
    Mar 27 at 13:37






  • 4





    Why do you say "in a pinch, bcrypt" - is it not just as secure as scrypt or argon2? It certainly has years of field testing.

    – corsiKa
    Mar 27 at 18:55













183












183








183







Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer













Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 26 at 22:48









CBHackingCBHacking

11.6k21929




11.6k21929







  • 39





    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    Mar 27 at 0:07






  • 52





    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    Mar 27 at 0:26







  • 8





    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

    – orithena
    Mar 27 at 9:35






  • 14





    This answer could be stronger. The rep was completely wrong. Even if they are using reversible encryption so they can extract the original plaintext, that's about as good as not encrypting at all and he claims that email is secure which is total nonsense. This needs to be escalated with HostGator for the benefit of everybody.

    – Lightness Races in Orbit
    Mar 27 at 13:37






  • 4





    Why do you say "in a pinch, bcrypt" - is it not just as secure as scrypt or argon2? It certainly has years of field testing.

    – corsiKa
    Mar 27 at 18:55












  • 39





    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    Mar 27 at 0:07






  • 52





    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    Mar 27 at 0:26







  • 8





    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

    – orithena
    Mar 27 at 9:35






  • 14





    This answer could be stronger. The rep was completely wrong. Even if they are using reversible encryption so they can extract the original plaintext, that's about as good as not encrypting at all and he claims that email is secure which is total nonsense. This needs to be escalated with HostGator for the benefit of everybody.

    – Lightness Races in Orbit
    Mar 27 at 13:37






  • 4





    Why do you say "in a pinch, bcrypt" - is it not just as secure as scrypt or argon2? It certainly has years of field testing.

    – corsiKa
    Mar 27 at 18:55







39




39





That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

– Marquizzo
Mar 27 at 0:07





That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

– Marquizzo
Mar 27 at 0:07




52




52





You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

– psosuna
Mar 27 at 0:26






You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

– psosuna
Mar 27 at 0:26





8




8





I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

– orithena
Mar 27 at 9:35





I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

– orithena
Mar 27 at 9:35




14




14





This answer could be stronger. The rep was completely wrong. Even if they are using reversible encryption so they can extract the original plaintext, that's about as good as not encrypting at all and he claims that email is secure which is total nonsense. This needs to be escalated with HostGator for the benefit of everybody.

– Lightness Races in Orbit
Mar 27 at 13:37





This answer could be stronger. The rep was completely wrong. Even if they are using reversible encryption so they can extract the original plaintext, that's about as good as not encrypting at all and he claims that email is secure which is total nonsense. This needs to be escalated with HostGator for the benefit of everybody.

– Lightness Races in Orbit
Mar 27 at 13:37




4




4





Why do you say "in a pinch, bcrypt" - is it not just as secure as scrypt or argon2? It certainly has years of field testing.

– corsiKa
Mar 27 at 18:55





Why do you say "in a pinch, bcrypt" - is it not just as secure as scrypt or argon2? It certainly has years of field testing.

– corsiKa
Mar 27 at 18:55













82














Yes, they store passwords in plaintext or equivalent, and definitely transmit them in plain text. This was discovered in 2011.



This is confirmed HostGator being listed on Plaintext Offenders, as well as by its entry in the CVS file containing a list of offenders. This is not new and has been known since at least 2011. HostGator has not reformed since. The Plaintext Offenders website shows a screenshot similar to yours as evidence:



HostGator sux






share|improve this answer




















  • 11





    I realize that this is a semantic point, but I don't see how this proves that they store passwords in plaintext. They could have them encrypted and are decrypting them when they send them to you. Of course this is bad practice.

    – Greg Schmit
    Mar 28 at 18:05






  • 3





    And they claim, at least, that they don't store passwords in plaintext: i.imgur.com/9qrVPrm.png (again, not disputing that this is bad practice).

    – Greg Schmit
    Mar 28 at 18:08






  • 8





    @GregSchmit: Regardless of whether the password is stored plaintext in the auth database, it is stored plaintext in HostGator's e-mail server, potentially transmitted in plaintext across the Internet, and potentially stored plaintext at the recipient e-mail server. I say potentially because it largely depends on the domain where you receive your HostGator e-mail and how the server handling that domain is configured.

    – Ben Voigt
    Mar 28 at 20:24






  • 7





    @BenVoigt We already know for a fact that the plaintext password was emailed, so that's irrelevant. The question is whether they are storing that in plaintext in their database. The OP wouldn't have asked "is this password stored in plaintext on an email server somewhere", because that would be a stupid question to ask given that the password was emailed.

    – Greg Schmit
    Mar 28 at 20:29






  • 6





    To reiterate (because apparently this needs to be done), I agree that encrypting passwords is bad practice, since that means that they can be decrypted, but this answer dishonestly pretends that it's been proven that they store passwords in plaintext when it's plausible that they store them encrypted, and the highest-voted answer correctly addresses this.

    – Greg Schmit
    Mar 29 at 2:35















82














Yes, they store passwords in plaintext or equivalent, and definitely transmit them in plain text. This was discovered in 2011.



This is confirmed HostGator being listed on Plaintext Offenders, as well as by its entry in the CVS file containing a list of offenders. This is not new and has been known since at least 2011. HostGator has not reformed since. The Plaintext Offenders website shows a screenshot similar to yours as evidence:



HostGator sux






share|improve this answer




















  • 11





    I realize that this is a semantic point, but I don't see how this proves that they store passwords in plaintext. They could have them encrypted and are decrypting them when they send them to you. Of course this is bad practice.

    – Greg Schmit
    Mar 28 at 18:05






  • 3





    And they claim, at least, that they don't store passwords in plaintext: i.imgur.com/9qrVPrm.png (again, not disputing that this is bad practice).

    – Greg Schmit
    Mar 28 at 18:08






  • 8





    @GregSchmit: Regardless of whether the password is stored plaintext in the auth database, it is stored plaintext in HostGator's e-mail server, potentially transmitted in plaintext across the Internet, and potentially stored plaintext at the recipient e-mail server. I say potentially because it largely depends on the domain where you receive your HostGator e-mail and how the server handling that domain is configured.

    – Ben Voigt
    Mar 28 at 20:24






  • 7





    @BenVoigt We already know for a fact that the plaintext password was emailed, so that's irrelevant. The question is whether they are storing that in plaintext in their database. The OP wouldn't have asked "is this password stored in plaintext on an email server somewhere", because that would be a stupid question to ask given that the password was emailed.

    – Greg Schmit
    Mar 28 at 20:29






  • 6





    To reiterate (because apparently this needs to be done), I agree that encrypting passwords is bad practice, since that means that they can be decrypted, but this answer dishonestly pretends that it's been proven that they store passwords in plaintext when it's plausible that they store them encrypted, and the highest-voted answer correctly addresses this.

    – Greg Schmit
    Mar 29 at 2:35













82












82








82







Yes, they store passwords in plaintext or equivalent, and definitely transmit them in plain text. This was discovered in 2011.



This is confirmed HostGator being listed on Plaintext Offenders, as well as by its entry in the CVS file containing a list of offenders. This is not new and has been known since at least 2011. HostGator has not reformed since. The Plaintext Offenders website shows a screenshot similar to yours as evidence:



HostGator sux






share|improve this answer















Yes, they store passwords in plaintext or equivalent, and definitely transmit them in plain text. This was discovered in 2011.



This is confirmed HostGator being listed on Plaintext Offenders, as well as by its entry in the CVS file containing a list of offenders. This is not new and has been known since at least 2011. HostGator has not reformed since. The Plaintext Offenders website shows a screenshot similar to yours as evidence:



HostGator sux







share|improve this answer














share|improve this answer



share|improve this answer








edited Mar 29 at 8:02









Peter Cordes

48268




48268










answered Mar 28 at 2:05









forestforest

40.5k18131146




40.5k18131146







  • 11





    I realize that this is a semantic point, but I don't see how this proves that they store passwords in plaintext. They could have them encrypted and are decrypting them when they send them to you. Of course this is bad practice.

    – Greg Schmit
    Mar 28 at 18:05






  • 3





    And they claim, at least, that they don't store passwords in plaintext: i.imgur.com/9qrVPrm.png (again, not disputing that this is bad practice).

    – Greg Schmit
    Mar 28 at 18:08






  • 8





    @GregSchmit: Regardless of whether the password is stored plaintext in the auth database, it is stored plaintext in HostGator's e-mail server, potentially transmitted in plaintext across the Internet, and potentially stored plaintext at the recipient e-mail server. I say potentially because it largely depends on the domain where you receive your HostGator e-mail and how the server handling that domain is configured.

    – Ben Voigt
    Mar 28 at 20:24






  • 7





    @BenVoigt We already know for a fact that the plaintext password was emailed, so that's irrelevant. The question is whether they are storing that in plaintext in their database. The OP wouldn't have asked "is this password stored in plaintext on an email server somewhere", because that would be a stupid question to ask given that the password was emailed.

    – Greg Schmit
    Mar 28 at 20:29






  • 6





    To reiterate (because apparently this needs to be done), I agree that encrypting passwords is bad practice, since that means that they can be decrypted, but this answer dishonestly pretends that it's been proven that they store passwords in plaintext when it's plausible that they store them encrypted, and the highest-voted answer correctly addresses this.

    – Greg Schmit
    Mar 29 at 2:35












  • 11





    I realize that this is a semantic point, but I don't see how this proves that they store passwords in plaintext. They could have them encrypted and are decrypting them when they send them to you. Of course this is bad practice.

    – Greg Schmit
    Mar 28 at 18:05






  • 3





    And they claim, at least, that they don't store passwords in plaintext: i.imgur.com/9qrVPrm.png (again, not disputing that this is bad practice).

    – Greg Schmit
    Mar 28 at 18:08






  • 8





    @GregSchmit: Regardless of whether the password is stored plaintext in the auth database, it is stored plaintext in HostGator's e-mail server, potentially transmitted in plaintext across the Internet, and potentially stored plaintext at the recipient e-mail server. I say potentially because it largely depends on the domain where you receive your HostGator e-mail and how the server handling that domain is configured.

    – Ben Voigt
    Mar 28 at 20:24






  • 7





    @BenVoigt We already know for a fact that the plaintext password was emailed, so that's irrelevant. The question is whether they are storing that in plaintext in their database. The OP wouldn't have asked "is this password stored in plaintext on an email server somewhere", because that would be a stupid question to ask given that the password was emailed.

    – Greg Schmit
    Mar 28 at 20:29






  • 6





    To reiterate (because apparently this needs to be done), I agree that encrypting passwords is bad practice, since that means that they can be decrypted, but this answer dishonestly pretends that it's been proven that they store passwords in plaintext when it's plausible that they store them encrypted, and the highest-voted answer correctly addresses this.

    – Greg Schmit
    Mar 29 at 2:35







11




11





I realize that this is a semantic point, but I don't see how this proves that they store passwords in plaintext. They could have them encrypted and are decrypting them when they send them to you. Of course this is bad practice.

– Greg Schmit
Mar 28 at 18:05





I realize that this is a semantic point, but I don't see how this proves that they store passwords in plaintext. They could have them encrypted and are decrypting them when they send them to you. Of course this is bad practice.

– Greg Schmit
Mar 28 at 18:05




3




3





And they claim, at least, that they don't store passwords in plaintext: i.imgur.com/9qrVPrm.png (again, not disputing that this is bad practice).

– Greg Schmit
Mar 28 at 18:08





And they claim, at least, that they don't store passwords in plaintext: i.imgur.com/9qrVPrm.png (again, not disputing that this is bad practice).

– Greg Schmit
Mar 28 at 18:08




8




8





@GregSchmit: Regardless of whether the password is stored plaintext in the auth database, it is stored plaintext in HostGator's e-mail server, potentially transmitted in plaintext across the Internet, and potentially stored plaintext at the recipient e-mail server. I say potentially because it largely depends on the domain where you receive your HostGator e-mail and how the server handling that domain is configured.

– Ben Voigt
Mar 28 at 20:24





@GregSchmit: Regardless of whether the password is stored plaintext in the auth database, it is stored plaintext in HostGator's e-mail server, potentially transmitted in plaintext across the Internet, and potentially stored plaintext at the recipient e-mail server. I say potentially because it largely depends on the domain where you receive your HostGator e-mail and how the server handling that domain is configured.

– Ben Voigt
Mar 28 at 20:24




7




7





@BenVoigt We already know for a fact that the plaintext password was emailed, so that's irrelevant. The question is whether they are storing that in plaintext in their database. The OP wouldn't have asked "is this password stored in plaintext on an email server somewhere", because that would be a stupid question to ask given that the password was emailed.

– Greg Schmit
Mar 28 at 20:29





@BenVoigt We already know for a fact that the plaintext password was emailed, so that's irrelevant. The question is whether they are storing that in plaintext in their database. The OP wouldn't have asked "is this password stored in plaintext on an email server somewhere", because that would be a stupid question to ask given that the password was emailed.

– Greg Schmit
Mar 28 at 20:29




6




6





To reiterate (because apparently this needs to be done), I agree that encrypting passwords is bad practice, since that means that they can be decrypted, but this answer dishonestly pretends that it's been proven that they store passwords in plaintext when it's plausible that they store them encrypted, and the highest-voted answer correctly addresses this.

– Greg Schmit
Mar 29 at 2:35





To reiterate (because apparently this needs to be done), I agree that encrypting passwords is bad practice, since that means that they can be decrypted, but this answer dishonestly pretends that it's been proven that they store passwords in plaintext when it's plausible that they store them encrypted, and the highest-voted answer correctly addresses this.

– Greg Schmit
Mar 29 at 2:35











2














If the company rep's response is true, the Password is stored as an encrypted text. This makes the plain text password in unprompted email a bigger concern.




is it safe to assume that my password is stored in their database as plain text?




The company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, my conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



If the stored password is encrypted, the biggest concern here is not the way it is stored but the way it is transmitted, in plain text on an email when the user did not request any.




do you have any suggestions on how to address this issue with the
provider?




You can ask the company to change the following (in the order of priority)



  1. Stop sending passwords over email.

  2. Provide Reset password option instead of recovering it.

  3. Replace encrypting passwords with Hashing and Salting.


In response to comments,



  1. Yes, there is high chance that the rep is lying or didn't know what he is talking about. But there is also a possibility that he was telling the truth. This answer deals with that scenario.

  2. I consider transmission of passwords as a bigger problem to storage because the OP was sent the password in an email when he did not ask for any.

  3. I have seen systems that store passwords in an encrypted text and send them to users upon request. They are not secure, but they do exist. Just because you received your info in plain text does not guarantee it is stored that way too.





share|improve this answer




















  • 49





    "No, the company representative explicitly told that they are not storing the password in plain text" since when can you blindly trust what a low level rep says about a large company?

    – MindSwipe
    Mar 27 at 12:10






  • 41





    @KolappanNathan Given that that same employee considers sending passwords via email to be a safe practice, there's very little reason to assume that rep is a trustworthy source of information.

    – Beofett
    Mar 27 at 12:21






  • 21





    "Assuming he is telling the truth" implies he is either truthful and correct or lying. The reality is likely a third option: he doesn't actually know the answer and, like many reps, is simply trying to make the person on the other end happy. Never attribute to malice what can easily be explained by ignorance. The fact that the rep doesn't even know how to spell encryption (the way they spelled it clearly wasn't the result of a simply typo) is a strong indication that they are simply ignorant of this topic and don't know anything about it.

    – Conor Mancone
    Mar 27 at 12:30






  • 3





    @ConorMancone That is possible and an answer already exists for such a possibility. My answer deals with an another possible scenario that the password is encrypted. It is a possible scenario. No one can tell for 100% percent that the password is in plain text. What is wrong about writing answers for an another possible scenario? The typo does not indicate anything. He misspelled a single letter!!!

    – Kolappan Nathan
    Mar 27 at 12:40






  • 3





    @ConorMancone The OP said that he received the password in email when he did not ask for any. He could have abandoned his email. I consider transmission to be biggest issue. I agree with the fact that encrypting passwords is insecure too. No disagreements there.

    – Kolappan Nathan
    Mar 27 at 13:03















2














If the company rep's response is true, the Password is stored as an encrypted text. This makes the plain text password in unprompted email a bigger concern.




is it safe to assume that my password is stored in their database as plain text?




The company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, my conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



If the stored password is encrypted, the biggest concern here is not the way it is stored but the way it is transmitted, in plain text on an email when the user did not request any.




do you have any suggestions on how to address this issue with the
provider?




You can ask the company to change the following (in the order of priority)



  1. Stop sending passwords over email.

  2. Provide Reset password option instead of recovering it.

  3. Replace encrypting passwords with Hashing and Salting.


In response to comments,



  1. Yes, there is high chance that the rep is lying or didn't know what he is talking about. But there is also a possibility that he was telling the truth. This answer deals with that scenario.

  2. I consider transmission of passwords as a bigger problem to storage because the OP was sent the password in an email when he did not ask for any.

  3. I have seen systems that store passwords in an encrypted text and send them to users upon request. They are not secure, but they do exist. Just because you received your info in plain text does not guarantee it is stored that way too.





share|improve this answer




















  • 49





    "No, the company representative explicitly told that they are not storing the password in plain text" since when can you blindly trust what a low level rep says about a large company?

    – MindSwipe
    Mar 27 at 12:10






  • 41





    @KolappanNathan Given that that same employee considers sending passwords via email to be a safe practice, there's very little reason to assume that rep is a trustworthy source of information.

    – Beofett
    Mar 27 at 12:21






  • 21





    "Assuming he is telling the truth" implies he is either truthful and correct or lying. The reality is likely a third option: he doesn't actually know the answer and, like many reps, is simply trying to make the person on the other end happy. Never attribute to malice what can easily be explained by ignorance. The fact that the rep doesn't even know how to spell encryption (the way they spelled it clearly wasn't the result of a simply typo) is a strong indication that they are simply ignorant of this topic and don't know anything about it.

    – Conor Mancone
    Mar 27 at 12:30






  • 3





    @ConorMancone That is possible and an answer already exists for such a possibility. My answer deals with an another possible scenario that the password is encrypted. It is a possible scenario. No one can tell for 100% percent that the password is in plain text. What is wrong about writing answers for an another possible scenario? The typo does not indicate anything. He misspelled a single letter!!!

    – Kolappan Nathan
    Mar 27 at 12:40






  • 3





    @ConorMancone The OP said that he received the password in email when he did not ask for any. He could have abandoned his email. I consider transmission to be biggest issue. I agree with the fact that encrypting passwords is insecure too. No disagreements there.

    – Kolappan Nathan
    Mar 27 at 13:03













2












2








2







If the company rep's response is true, the Password is stored as an encrypted text. This makes the plain text password in unprompted email a bigger concern.




is it safe to assume that my password is stored in their database as plain text?




The company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, my conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



If the stored password is encrypted, the biggest concern here is not the way it is stored but the way it is transmitted, in plain text on an email when the user did not request any.




do you have any suggestions on how to address this issue with the
provider?




You can ask the company to change the following (in the order of priority)



  1. Stop sending passwords over email.

  2. Provide Reset password option instead of recovering it.

  3. Replace encrypting passwords with Hashing and Salting.


In response to comments,



  1. Yes, there is high chance that the rep is lying or didn't know what he is talking about. But there is also a possibility that he was telling the truth. This answer deals with that scenario.

  2. I consider transmission of passwords as a bigger problem to storage because the OP was sent the password in an email when he did not ask for any.

  3. I have seen systems that store passwords in an encrypted text and send them to users upon request. They are not secure, but they do exist. Just because you received your info in plain text does not guarantee it is stored that way too.





share|improve this answer















If the company rep's response is true, the Password is stored as an encrypted text. This makes the plain text password in unprompted email a bigger concern.




is it safe to assume that my password is stored in their database as plain text?




The company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, my conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



If the stored password is encrypted, the biggest concern here is not the way it is stored but the way it is transmitted, in plain text on an email when the user did not request any.




do you have any suggestions on how to address this issue with the
provider?




You can ask the company to change the following (in the order of priority)



  1. Stop sending passwords over email.

  2. Provide Reset password option instead of recovering it.

  3. Replace encrypting passwords with Hashing and Salting.


In response to comments,



  1. Yes, there is high chance that the rep is lying or didn't know what he is talking about. But there is also a possibility that he was telling the truth. This answer deals with that scenario.

  2. I consider transmission of passwords as a bigger problem to storage because the OP was sent the password in an email when he did not ask for any.

  3. I have seen systems that store passwords in an encrypted text and send them to users upon request. They are not secure, but they do exist. Just because you received your info in plain text does not guarantee it is stored that way too.






share|improve this answer














share|improve this answer



share|improve this answer








edited Mar 28 at 9:03

























answered Mar 27 at 9:41









Kolappan NathanKolappan Nathan

1,715618




1,715618







  • 49





    "No, the company representative explicitly told that they are not storing the password in plain text" since when can you blindly trust what a low level rep says about a large company?

    – MindSwipe
    Mar 27 at 12:10






  • 41





    @KolappanNathan Given that that same employee considers sending passwords via email to be a safe practice, there's very little reason to assume that rep is a trustworthy source of information.

    – Beofett
    Mar 27 at 12:21






  • 21





    "Assuming he is telling the truth" implies he is either truthful and correct or lying. The reality is likely a third option: he doesn't actually know the answer and, like many reps, is simply trying to make the person on the other end happy. Never attribute to malice what can easily be explained by ignorance. The fact that the rep doesn't even know how to spell encryption (the way they spelled it clearly wasn't the result of a simply typo) is a strong indication that they are simply ignorant of this topic and don't know anything about it.

    – Conor Mancone
    Mar 27 at 12:30






  • 3





    @ConorMancone That is possible and an answer already exists for such a possibility. My answer deals with an another possible scenario that the password is encrypted. It is a possible scenario. No one can tell for 100% percent that the password is in plain text. What is wrong about writing answers for an another possible scenario? The typo does not indicate anything. He misspelled a single letter!!!

    – Kolappan Nathan
    Mar 27 at 12:40






  • 3





    @ConorMancone The OP said that he received the password in email when he did not ask for any. He could have abandoned his email. I consider transmission to be biggest issue. I agree with the fact that encrypting passwords is insecure too. No disagreements there.

    – Kolappan Nathan
    Mar 27 at 13:03












  • 49





    "No, the company representative explicitly told that they are not storing the password in plain text" since when can you blindly trust what a low level rep says about a large company?

    – MindSwipe
    Mar 27 at 12:10






  • 41





    @KolappanNathan Given that that same employee considers sending passwords via email to be a safe practice, there's very little reason to assume that rep is a trustworthy source of information.

    – Beofett
    Mar 27 at 12:21






  • 21





    "Assuming he is telling the truth" implies he is either truthful and correct or lying. The reality is likely a third option: he doesn't actually know the answer and, like many reps, is simply trying to make the person on the other end happy. Never attribute to malice what can easily be explained by ignorance. The fact that the rep doesn't even know how to spell encryption (the way they spelled it clearly wasn't the result of a simply typo) is a strong indication that they are simply ignorant of this topic and don't know anything about it.

    – Conor Mancone
    Mar 27 at 12:30






  • 3





    @ConorMancone That is possible and an answer already exists for such a possibility. My answer deals with an another possible scenario that the password is encrypted. It is a possible scenario. No one can tell for 100% percent that the password is in plain text. What is wrong about writing answers for an another possible scenario? The typo does not indicate anything. He misspelled a single letter!!!

    – Kolappan Nathan
    Mar 27 at 12:40






  • 3





    @ConorMancone The OP said that he received the password in email when he did not ask for any. He could have abandoned his email. I consider transmission to be biggest issue. I agree with the fact that encrypting passwords is insecure too. No disagreements there.

    – Kolappan Nathan
    Mar 27 at 13:03







49




49





"No, the company representative explicitly told that they are not storing the password in plain text" since when can you blindly trust what a low level rep says about a large company?

– MindSwipe
Mar 27 at 12:10





"No, the company representative explicitly told that they are not storing the password in plain text" since when can you blindly trust what a low level rep says about a large company?

– MindSwipe
Mar 27 at 12:10




41




41





@KolappanNathan Given that that same employee considers sending passwords via email to be a safe practice, there's very little reason to assume that rep is a trustworthy source of information.

– Beofett
Mar 27 at 12:21





@KolappanNathan Given that that same employee considers sending passwords via email to be a safe practice, there's very little reason to assume that rep is a trustworthy source of information.

– Beofett
Mar 27 at 12:21




21




21





"Assuming he is telling the truth" implies he is either truthful and correct or lying. The reality is likely a third option: he doesn't actually know the answer and, like many reps, is simply trying to make the person on the other end happy. Never attribute to malice what can easily be explained by ignorance. The fact that the rep doesn't even know how to spell encryption (the way they spelled it clearly wasn't the result of a simply typo) is a strong indication that they are simply ignorant of this topic and don't know anything about it.

– Conor Mancone
Mar 27 at 12:30





"Assuming he is telling the truth" implies he is either truthful and correct or lying. The reality is likely a third option: he doesn't actually know the answer and, like many reps, is simply trying to make the person on the other end happy. Never attribute to malice what can easily be explained by ignorance. The fact that the rep doesn't even know how to spell encryption (the way they spelled it clearly wasn't the result of a simply typo) is a strong indication that they are simply ignorant of this topic and don't know anything about it.

– Conor Mancone
Mar 27 at 12:30




3




3





@ConorMancone That is possible and an answer already exists for such a possibility. My answer deals with an another possible scenario that the password is encrypted. It is a possible scenario. No one can tell for 100% percent that the password is in plain text. What is wrong about writing answers for an another possible scenario? The typo does not indicate anything. He misspelled a single letter!!!

– Kolappan Nathan
Mar 27 at 12:40





@ConorMancone That is possible and an answer already exists for such a possibility. My answer deals with an another possible scenario that the password is encrypted. It is a possible scenario. No one can tell for 100% percent that the password is in plain text. What is wrong about writing answers for an another possible scenario? The typo does not indicate anything. He misspelled a single letter!!!

– Kolappan Nathan
Mar 27 at 12:40




3




3





@ConorMancone The OP said that he received the password in email when he did not ask for any. He could have abandoned his email. I consider transmission to be biggest issue. I agree with the fact that encrypting passwords is insecure too. No disagreements there.

– Kolappan Nathan
Mar 27 at 13:03





@ConorMancone The OP said that he received the password in email when he did not ask for any. He could have abandoned his email. I consider transmission to be biggest issue. I agree with the fact that encrypting passwords is insecure too. No disagreements there.

– Kolappan Nathan
Mar 27 at 13:03

















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206186%2fis-hostgator-storing-my-password-in-plaintext%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029