Is HostGator storing my password in plaintext?
I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.
I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:
I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?
passwords databases web-hosting
asked 13 hours ago
MarquizzoMarquizzo
23817
New contributor
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 4 more comments
I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.
I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:
I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?
passwords databases web-hosting
asked 13 hours ago
MarquizzoMarquizzo
23817
New contributor
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
5
Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.
– schroeder♦
12 hours ago
10
@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.
– Marquizzo
12 hours ago
1
It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.
– Patrick Mevzek
11 hours ago
6
The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.
– Future Security
11 hours ago
5
"No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?
– Kallmanation
10 hours ago
|
show 4 more comments
I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.
I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:
I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?
passwords databases web-hosting
asked 13 hours ago
MarquizzoMarquizzo
23817
New contributor
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.
I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:
I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?
passwords databases web-hosting
passwords databases web-hosting
asked 13 hours ago
MarquizzoMarquizzo
23817
New contributor
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 13 hours ago
MarquizzoMarquizzo
23817
New contributor
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 12 hours ago
Marquizzo
asked 13 hours ago
MarquizzoMarquizzo
23817
New contributor
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 13 hours ago
MarquizzoMarquizzo
23817
asked 13 hours ago
MarquizzoMarquizzo
23817
23817
New contributor
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
5
Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.
– schroeder♦
12 hours ago
10
@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.
– Marquizzo
12 hours ago
1
It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.
– Patrick Mevzek
11 hours ago
6
The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.
– Future Security
11 hours ago
5
"No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?
– Kallmanation
10 hours ago
|
show 4 more comments
5
Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.
– schroeder♦
12 hours ago
10
@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.
– Marquizzo
12 hours ago
1
It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.
– Patrick Mevzek
11 hours ago
6
The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.
– Future Security
11 hours ago
5
"No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?
– Kallmanation
10 hours ago
5
5
Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.
– schroeder♦
12 hours ago
Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.
– schroeder♦
12 hours ago
10
10
@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.
– Marquizzo
12 hours ago
@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.
– Marquizzo
12 hours ago
1
1
It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.
– Patrick Mevzek
11 hours ago
It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.
– Patrick Mevzek
11 hours ago
6
6
The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.
– Future Security
11 hours ago
The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.
– Future Security
11 hours ago
5
5
"No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?
– Kallmanation
10 hours ago
"No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?
– Kallmanation
10 hours ago
|
show 4 more comments
2 Answers
2
active
oldest
votes
Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).
Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.
Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.
answered 12 hours ago
CBHackingCBHacking
11k11828
5
That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.
– Marquizzo
11 hours ago
9
You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.
– psosuna
11 hours ago
1
I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.
– orithena
2 hours ago
add a comment |
The Password is stored as an encrypted text.
is it safe to assume that my password is stored in their database as plain text?
No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.
However the biggest concern here is not the way it is stored but the way it is transmitted.
do you have any suggestions on how to address this issue with the
provider?
You can ask the company to change the following
- Stop sending passwords over email.
- Provide Reset password option instead of recovering it.
- Replace encrypting passwords with Hashing and Salting.
The list contains high risk items first.
answered 2 hours ago
Kolappan NathanKolappan Nathan
1,563618
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206186%2fis-hostgator-storing-my-password-in-plaintext%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).
Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.
Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.
answered 12 hours ago
CBHackingCBHacking
11k11828
5
That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.
– Marquizzo
11 hours ago
9
You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.
– psosuna
11 hours ago
1
I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.
– orithena
2 hours ago
add a comment |
Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).
Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.
Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.
answered 12 hours ago
CBHackingCBHacking
11k11828
5
That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.
– Marquizzo
11 hours ago
9
You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.
– psosuna
11 hours ago
1
I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.
– orithena
2 hours ago
add a comment |
Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).
Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.
Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.
answered 12 hours ago
CBHackingCBHacking
11k11828
Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).
Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.
Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.
answered 12 hours ago
CBHackingCBHacking
11k11828
answered 12 hours ago
CBHackingCBHacking
11k11828
answered 12 hours ago
CBHackingCBHacking
11k11828
answered 12 hours ago
CBHackingCBHacking
11k11828
11k11828
5
That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.
– Marquizzo
11 hours ago
9
You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.
– psosuna
11 hours ago
1
I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.
– orithena
2 hours ago
add a comment |
5
That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.
– Marquizzo
11 hours ago
9
You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.
– psosuna
11 hours ago
1
I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.
– orithena
2 hours ago
5
5
That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.
– Marquizzo
11 hours ago
That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.
– Marquizzo
11 hours ago
9
9
You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.
– psosuna
11 hours ago
You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.
– psosuna
11 hours ago
1
1
I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.
– orithena
2 hours ago
I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way.
– orithena
2 hours ago
add a comment |
The Password is stored as an encrypted text.
is it safe to assume that my password is stored in their database as plain text?
No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.
However the biggest concern here is not the way it is stored but the way it is transmitted.
do you have any suggestions on how to address this issue with the
provider?
You can ask the company to change the following
- Stop sending passwords over email.
- Provide Reset password option instead of recovering it.
- Replace encrypting passwords with Hashing and Salting.
The list contains high risk items first.
answered 2 hours ago
Kolappan NathanKolappan Nathan
1,563618
add a comment |
The Password is stored as an encrypted text.
is it safe to assume that my password is stored in their database as plain text?
No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.
However the biggest concern here is not the way it is stored but the way it is transmitted.
do you have any suggestions on how to address this issue with the
provider?
You can ask the company to change the following
- Stop sending passwords over email.
- Provide Reset password option instead of recovering it.
- Replace encrypting passwords with Hashing and Salting.
The list contains high risk items first.
answered 2 hours ago
Kolappan NathanKolappan Nathan
1,563618
add a comment |
The Password is stored as an encrypted text.
is it safe to assume that my password is stored in their database as plain text?
No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.
However the biggest concern here is not the way it is stored but the way it is transmitted.
do you have any suggestions on how to address this issue with the
provider?
You can ask the company to change the following
- Stop sending passwords over email.
- Provide Reset password option instead of recovering it.
- Replace encrypting passwords with Hashing and Salting.
The list contains high risk items first.
answered 2 hours ago
Kolappan NathanKolappan Nathan
1,563618
The Password is stored as an encrypted text.
is it safe to assume that my password is stored in their database as plain text?
No, the company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, the conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.
However the biggest concern here is not the way it is stored but the way it is transmitted.
do you have any suggestions on how to address this issue with the
provider?
You can ask the company to change the following
- Stop sending passwords over email.
- Provide Reset password option instead of recovering it.
- Replace encrypting passwords with Hashing and Salting.
The list contains high risk items first.
answered 2 hours ago
Kolappan NathanKolappan Nathan
1,563618
answered 2 hours ago
Kolappan NathanKolappan Nathan
1,563618
answered 2 hours ago
Kolappan NathanKolappan Nathan
1,563618
answered 2 hours ago
Kolappan NathanKolappan Nathan
1,563618
1,563618
add a comment |
add a comment |
Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.
Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.
Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.
Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206186%2fis-hostgator-storing-my-password-in-plaintext%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
5
Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.
– schroeder♦
12 hours ago
10
@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.
– Marquizzo
12 hours ago
1
It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.
– Patrick Mevzek
11 hours ago
6
The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.
– Future Security
11 hours ago
5
"No...that is impossible." What is it about so many companies that just absolutely have no concept of how security works? Of course its possible, how do you think hacking happens?
– Kallmanation
10 hours ago