FreeHostia Forums
http://forum.freehostia.com/

Warning! Your Email Password is NOT Encrypted!!!
http://forum.freehostia.com/viewtopic.php?f=5&t=9709
Page 1 of 1

Author:  zebra [ Sun Mar 22, 2009 5:01 pm ]
Post subject:  Warning! Your Email Password is NOT Encrypted!!!

Did anyone know that your email password created under freehostia is NOT encrypted? That means that employees at freehostia can read your password in PLAIN TEXT.

I just found that out from a customer service representative. Quite frankly, I'm quite concerned. I think there should be a clear warning telling people about this. Then we might have second thoughts on what to use as the password, and what kind of information we want to pass through this email account.

Author:  Miles [ Mon Mar 23, 2009 5:33 am ]
Post subject: 

Please note that this is not correct. Our customers' personal information is secured and our customers' passwords are encrypted, as they must be.
In rare cases when a customer requires help from us, as system technicians we could check this information as administrators with the appropriate level of security needed. This action is required so we will be able to investigate the reported problem and guide our customers in resolving the problem as fast as possible and as conveniently as possible for our customers.

Author:  zebra [ Mon Mar 23, 2009 6:51 am ]
Post subject: 

It is encrypted over the Internet when using an SSL connection, but it is NOT encrypted in the database.

I asked a simple question about Outlook settings in a service ticket, and the tech support staff wrote out my password in plain text. If a password is stored in human-readable format, then it is NOT safe at all.

Author:  zebra [ Mon Mar 23, 2009 7:41 am ]
Post subject: 

This is not a common practice. I contacted GoDaddy and they assured me that customer passwords are stored in encrypted format in their database and that under no circumstances, even if the customer is asking for technical support, would any technical support staff be able to view a customer's password.

I just think customers should be warned before signing up that passwords can be seen in plain text (even if it's by technical support staff). Nowhere in the terms of service or privacy policy does it mention that this might be the case. If I had known that passwords can be seen by other people, I would not have signed up for the service at all.

Author:  zebra [ Mon Mar 23, 2009 7:59 am ]
Post subject: 

On the cPanel company website, under Universal Password Trap (http://www.cpanel.net/support/docs/passtrap.htm):
Quote:
storing password information in plain text is a huge security risk

So even the cPanel company does not support storing passwords in plain text.

For customer support, technical staff should just use the server password to access the customer's cPanel. And if a customer forgets his password, it should just be reset in WHM. I do not think storing customers' passwords in plain text is an acceptable practice.

Author:  Josh.Waller [ Mon Mar 23, 2009 8:11 am ]
Post subject: 

Zebra, I am not sure how Freehostia secures their customer data, although I'm sure it's very secure. After working for another "un-named" hosting company I saw a practice that was to encrypt the passwords with a custom encryption algorithm that could also be decrypted with the correct key. Freehostia may be using a similar method.

Now I'm not sure what sort of encryption you think should be used, but if you're pointing towards the current web standard of MD5, this can now be broken as well.

Author:  zebra [ Mon Mar 23, 2009 8:24 am ]
Post subject: 

Yes, storing passwords using MD5 would be unwise. So hopefully, an algorithm that has not been broken yet, like SHA-2.

Even if the password is stored using a custom encryption algorithm, I do not think the password should be decrypted unless specifically asked for and authorized by a customer. I asked a simple question regarding Outlook settings, and my password was written in the reply in plain text. If the technical support staff feels there is a need to check my password setting, the client should be consulted first. I feel like my privacy has been greatly violated.

Author:  zebra [ Mon Mar 23, 2009 4:39 pm ]
Post subject: 

No, that would not be necessary. I guess I am just very much surprised that tech support has access to client passwords. And I am even more surprised that everyone is so OK about this.

Imagine Gmail, yahoo, Hotmail, Facebook, or whatever else people use start telling people that their tech support can read users' passwords. I certainly hope that is not the case.

Author:  Josh.Waller [ Tue Mar 24, 2009 11:50 pm ]
Post subject: 

It is clear we are just going around in circles with this thread. You say it's insecure, Freehostia says it's secure. If you wish to discuss this further please contact Freehostia direct by either emailing {email: "support at freehostia dot com} or by opening a trouble ticket from the control panel.

Topic Closed
