It is currently Tue Mar 26, 2019 10:13 pm


All times are UTC


Forum rules


Please click here to view the forum rules



Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 11 posts ] 
Author Message
 Post subject: Warning! Your Email Password is NOT Encrypted!!!
PostPosted: Sun Mar 22, 2009 5:01 pm 
Newbie
Newbie

Joined: Thu Dec 18, 2008 3:57 am
Posts: 13
Did anyone know that your email password created under freehostia is NOT encrypted? That means that employees at freehostia can read your password in PLAIN TEXT.

I just found that out from a customer service representative. Quite frankly, I'm quite concerned. I think there should be a clear warning telling people about this. Then we might have second thoughts on what to use as the password, and what kind of information we want to pass through this email account.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 5:33 am 
Site Admin

Joined: Sat May 31, 2008 1:56 am
Posts: 436
Please note that this is not correct. Our customers personal information is secured and our customers passwords are encrypted as they must be.
In rare cases when a customer requires help from us, as system technicians we could check this information as administrators with the appropriate level of security needed. This action is required so we will be able to investigate the reported problem and guide our customers in resolving the problem as fast as possible and mostly convenient for our customers.

_________________
Best Regards,
Miles
ModeratorsTeam
Freehostia.com


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 6:51 am 
Newbie
Newbie

Joined: Thu Dec 18, 2008 3:57 am
Posts: 13
It is encrypted over the Internet when using an SSL connection, but it is NOT encrypted in the database.

I asked a simple question about Outlook setting in a service ticket, and the tech support staff wrote out my password in plain text. If a password is stored in human-readable format, then it is NOT safe at all.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 7:23 am 
Support Tech
Support Tech

Joined: Fri Mar 24, 2006 7:21 pm
Posts: 842
I will repeat what we have said in the trouble ticket that you have opened regarding this issue. All our clients data is SECURED and there is no way hackers(as you said in your trouble ticket) to crash our security and our data center's security and to obtain this information. There are lots of encryption methods different than the SSL page encryption method that you are referring to and believe me we have a really strong security system built on a custom basis which makes it unique and respectively impossible to get hacked.
We can see all our clients accounts information as we login as Administrators in their accounts in case they request assistance via a trouble ticket opened from their accounts with us. If you are using a cPanel hosting elsewhere the situation will be the same. This is a common practice of almost 99% of the online services provided on the web.

_________________
Best Regards,
Burton
ModeratorsTeam
Freehostia.com


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 7:41 am 
Newbie
Newbie

Joined: Thu Dec 18, 2008 3:57 am
Posts: 13
This is not a common practice. I contacted godaddy and they assured me that the customer passwords are stored in encrypted format in their database and under no circumstances, even if the customer is asking for technical support that any technical support staff would be able to view customer's passwords.

I just think customers should be warned before signing up that passwords can be seen in plain text. (even if it's technical support staff). No where in the terms of service or privacy policy did it mention that it might be the case. If I knew that passwords can be seen by other people, I would not have sign up for the service at all.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 7:59 am 
Newbie
Newbie

Joined: Thu Dec 18, 2008 3:57 am
Posts: 13
In the cPanel company website, under Universal Password Trap (http://www.cpanel.net/support/docs/passtrap.htm)
Quote:
storing password information in plain text is a huge security risk

So even the cPanel company do not support storing password in plain text.

For customer support, technical staff should just use the server password to access customer's cPanel. And if a customer forgets his password, it should just be reset in WHM. I do not think storing customer's password in plain text is a acceptable practice.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 8:11 am 
Moderator
Moderator

Joined: Tue Feb 27, 2007 12:18 am
Posts: 521
Zebra I am not sure how Freehostia secure there customer data, although I'm sure it very secure. After working for another "un-named" hosting company I saw a practice that was to encrypt the passwords with a custom encryption algorithm that could also be decrypted with the correct key. Freehostia may be using a simular method.

Now im not sure what sort of encryption you think should be used, but if your pointing towards the current web standard of MD5 this can now be broken aswell.

_________________
http://www.mjmclocks.co.uk


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 8:24 am 
Newbie
Newbie

Joined: Thu Dec 18, 2008 3:57 am
Posts: 13
Yes, storing passwords using MD5 would be unwise. So hopefully, an algorithm that has not been broken yet, like SHA-2.

Even if the password is stored using a custom encryption algorithm, I do not think the password should be decrypted unless specifically asked and authorized by a customer. I asked a simple question regarding Outlook setting, and my password was written in the reply in plain text. If the technical support staff feels there is a need to check my password setting, the client should be consulted first. I feel like my privacy has been greatly violated.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 4:22 pm 
Support Tech
Support Tech

Joined: Fri Mar 24, 2006 7:21 pm
Posts: 842
I am not authorized to provide the methods of encryption used on our servers in public due to security reasons. You are the first client that we have who gets so frustrated by the fact that we have tried to help. If you would like I can leave a comment in your account with us with warning to my colleagues not to post your details during our investigation procedures. This will make our response time much larger(hours maybe) but you will feel better.
Note that we are here to provide technical support to our clients, not to steal their details and to sell/provide them to hackers. This is not how business is made for sure and is far away from our company's policy.

_________________
Best Regards,
Burton
ModeratorsTeam
Freehostia.com


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 23, 2009 4:39 pm 
Newbie
Newbie

Joined: Thu Dec 18, 2008 3:57 am
Posts: 13
No, that would not be necessary. I guess I am just very much surprised that tech support has access to client passwords. And I am even more surprised that everyone is so OK about this.

Imagine Gmail, yahoo, Hotmail, Facebook, or whatever else people use start telling people that their tech support can read users' passwords. I certainly hope that is not the case.


Top
 Profile  
 
 Post subject:
PostPosted: Tue Mar 24, 2009 11:50 pm 
Moderator
Moderator

Joined: Tue Feb 27, 2007 12:18 am
Posts: 521
It is clear we are just going around in circles with this thread. You say its insecure, freehostia say it’s secure. If you wish to discuss this further please contact freehostia direct by either emailing {email: "support at freehostia dot com} or by opening a trouble ticket from the control panel.

Topic Closed

_________________
http://www.mjmclocks.co.uk


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 11 posts ]  Moderators: Moderators, Support Team

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
cron
Hosting | Domains | Servers | Extras | Order | Support | Contacts | FreeHostia © 2011