Is HostGator storing my password in plaintext?












27















I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 5





    Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

    – schroeder
    12 hours ago






  • 10





    @schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

    – Marquizzo
    12 hours ago






  • 1





    It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

    – Patrick Mevzek
    11 hours ago






  • 6





    The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

    – Future Security
    11 hours ago






  • 5





    "No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?

    – Kallmanation
    10 hours ago
















27















I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 5





    Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

    – schroeder
    12 hours ago






  • 10





    @schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

    – Marquizzo
    12 hours ago






  • 1





    It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

    – Patrick Mevzek
    11 hours ago






  • 6





    The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

    – Future Security
    11 hours ago






  • 5





    "No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?

    – Kallmanation
    10 hours ago














27












27








27


3






I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here







passwords databases web-hosting






share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 12 hours ago







Marquizzo













New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 13 hours ago









MarquizzoMarquizzo

23817




23817




New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 5





    Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

    – schroeder
    12 hours ago






  • 10





    @schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

    – Marquizzo
    12 hours ago






  • 1





    It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

    – Patrick Mevzek
    11 hours ago






  • 6





    The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

    – Future Security
    11 hours ago






  • 5





    "No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?

    – Kallmanation
    10 hours ago














  • 5





    Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

    – schroeder
    12 hours ago






  • 10





    @schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

    – Marquizzo
    12 hours ago






  • 1





    It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

    – Patrick Mevzek
    11 hours ago






  • 6





    The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

    – Future Security
    11 hours ago






  • 5





    "No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?

    – Kallmanation
    10 hours ago








5




5





Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

– schroeder
12 hours ago





Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

– schroeder
12 hours ago




10




10





@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

– Marquizzo
12 hours ago





@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

– Marquizzo
12 hours ago




1




1





It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

– Patrick Mevzek
11 hours ago





It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

– Patrick Mevzek
11 hours ago




6




6





The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

– Future Security
11 hours ago





The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

– Future Security
11 hours ago




5




5





"No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?

– Kallmanation
10 hours ago





"No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?

– Kallmanation
10 hours ago










2 Answers
2






active

oldest

votes


















42














Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer



















  • 5





    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    11 hours ago






  • 9





    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    11 hours ago








  • 1





    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

    – orithena
    2 hours ago



















0














The Password is stored as an encrypted text.




is it safe to assume that my password is stored in their database as plain text?




No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



However the biggest concern here is not the way it is stored but the way it is transmitted.




do you have any suggestions on how to address this issue with the
provider?




You can ask the company to change the following




  1. Stop sending passwords over email.

  2. Provide Reset password option instead of recovering it.

  3. Replace encrypting passwords with Hashing and Salting.


The list contains high risk items first.






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "162"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206186%2fis-hostgator-storing-my-password-in-plaintext%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    42














    Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



    Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



    Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






    share|improve this answer



















    • 5





      That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

      – Marquizzo
      11 hours ago






    • 9





      You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

      – psosuna
      11 hours ago








    • 1





      I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

      – orithena
      2 hours ago
















    42














    Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



    Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



    Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






    share|improve this answer



















    • 5





      That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

      – Marquizzo
      11 hours ago






    • 9





      You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

      – psosuna
      11 hours ago








    • 1





      I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

      – orithena
      2 hours ago














    42












    42








    42







    Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



    Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



    Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






    share|improve this answer













    Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



    Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



    Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 12 hours ago









    CBHackingCBHacking

    11k11828




    11k11828








    • 5





      That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

      – Marquizzo
      11 hours ago






    • 9





      You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

      – psosuna
      11 hours ago








    • 1





      I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

      – orithena
      2 hours ago














    • 5





      That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

      – Marquizzo
      11 hours ago






    • 9





      You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

      – psosuna
      11 hours ago








    • 1





      I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

      – orithena
      2 hours ago








    5




    5





    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    11 hours ago





    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    11 hours ago




    9




    9





    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    11 hours ago







    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    11 hours ago






    1




    1





    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

    – orithena
    2 hours ago





    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.

    – orithena
    2 hours ago













    0














    The Password is stored as an encrypted text.




    is it safe to assume that my password is stored in their database as plain text?




    No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



    However the biggest concern here is not the way it is stored but the way it is transmitted.




    do you have any suggestions on how to address this issue with the
    provider?




    You can ask the company to change the following




    1. Stop sending passwords over email.

    2. Provide Reset password option instead of recovering it.

    3. Replace encrypting passwords with Hashing and Salting.


    The list contains high risk items first.






    share|improve this answer




























      0














      The Password is stored as an encrypted text.




      is it safe to assume that my password is stored in their database as plain text?




      No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



      However the biggest concern here is not the way it is stored but the way it is transmitted.




      do you have any suggestions on how to address this issue with the
      provider?




      You can ask the company to change the following




      1. Stop sending passwords over email.

      2. Provide Reset password option instead of recovering it.

      3. Replace encrypting passwords with Hashing and Salting.


      The list contains high risk items first.






      share|improve this answer


























        0












        0








        0







        The Password is stored as an encrypted text.




        is it safe to assume that my password is stored in their database as plain text?




        No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



        However the biggest concern here is not the way it is stored but the way it is transmitted.




        do you have any suggestions on how to address this issue with the
        provider?




        You can ask the company to change the following




        1. Stop sending passwords over email.

        2. Provide Reset password option instead of recovering it.

        3. Replace encrypting passwords with Hashing and Salting.


        The list contains high risk items first.






        share|improve this answer













        The Password is stored as an encrypted text.




        is it safe to assume that my password is stored in their database as plain text?




        No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.



        However the biggest concern here is not the way it is stored but the way it is transmitted.




        do you have any suggestions on how to address this issue with the
        provider?




        You can ask the company to change the following




        1. Stop sending passwords over email.

        2. Provide Reset password option instead of recovering it.

        3. Replace encrypting passwords with Hashing and Salting.


        The list contains high risk items first.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 2 hours ago









        Kolappan NathanKolappan Nathan

        1,563618




        1,563618






















            Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.













            Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.












            Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206186%2fis-hostgator-storing-my-password-in-plaintext%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

            He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

            Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029