133

I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.

I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:

enter image description here

I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?

enter image description here

Marquizzo
  • 1,907
  • 4
  • 9
  • 13
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/91658/discussion-on-question-by-marquizzo-is-hostgator-storing-my-password-in-plaintex). – Rory Alsop Mar 28 '19 at 14:46
  • 10
    Bluehost too :( . When you contact bluehost customer service (any agent) throw emails or chat on web, they ask for the last 4 digits of your **PASSWORD** to proof t's you - the owner – AccountantM Mar 29 '19 at 09:38
  • I had JustHost for a long time until one day they asked me as a "security question" to tell them some portion of my password. He assured me that he "couldn't see my whole password" but could/would not tell me if they were storing in plain text. That was my last day as a customer. In both of our cases it's either plaintext or, as mentioned below, reversible; which is unnecessary and dangerous. – Gary Mar 29 '19 at 17:59
  • 1
    Passwords are only safe when stored _encrypted_ by a one-way, salted, _cryptographically secure_ hash. Whether stored plaintext or encrypted (and decryptable), you are one security incident away from access. The offenders are not going to fix it. Migrate to another provider, Fire them! ... and explain that their bad security practices are the reason. – ChuckCottrill Mar 29 '19 at 22:52
  • @ChuckCottrill I will, my plan expires in 2 months. I was looking at switching to Dreamhost, but it looks like [they have the same problem](http://plaintextoffenders.com/post/4540444084/dreamhostcom-all-my-domains-and-web-sites-are) Does anybody have any recommendations for similar services that come with hosting, domain & e-mail service all in one? – Marquizzo Mar 29 '19 at 23:00
  • Consider changing your password _frequently_ until then. And avoid reusing passwords across sites. Considering the provider may have violated ToS by their poor password security, you may be able to cancel early. – ChuckCottrill Mar 29 '19 at 23:19
  • 1
    Note that another signal that the provider stores cleartext (or decrypts) passwords is when they prevent reuse of portions of previous passwords - how can they detect reuse without having the previous password in cleartext ;-) – ChuckCottrill Mar 29 '19 at 23:22

3 Answers3

184

Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).

Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.

Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.

CBHacking
  • 40,303
  • 3
  • 74
  • 98
  • 39
    That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol. – Marquizzo Mar 27 '19 at 00:07
  • 53
    You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM. – psosuna Mar 27 '19 at 00:26
  • 8
    I'd change the first sentence to "... if that was any user-provided password" to catch the broadest sense. Only autogenerated passwords that must be changed at next login are okay(ish) to transmit this way. – orithena Mar 27 '19 at 09:35
  • 15
    This answer could be stronger. The rep was _completely wrong_. Even if they are using reversible encryption so they can extract the original plaintext, that's about as good as not encrypting at all _and_ he claims that email is secure which is total nonsense. This needs to be escalated with HostGator for the benefit of everybody. – Lightness Races in Orbit Mar 27 '19 at 13:37
  • 4
    Why do you say "in a pinch, bcrypt" - is it not just as secure as scrypt or argon2? It certainly has years of field testing. – corsiKa Mar 27 '19 at 18:55
  • "they're designed to be fast" - to clarify, do you mean GPUs are designed to be fast, or SHA is designed to be fast? (Because SHA is _not_ designed to be fast... ) – Dai Mar 27 '19 at 23:10
  • 2
    After 20 years of scrutiny, zero significant issues with the bcrypt algorithm has been found.. – user1067003 Mar 27 '19 at 23:39
  • @LightnessRacesinOrbit How can we escalate this in a way that’s inescapable for them to act on? I mean this is important and I’m truly interested in learning how to escalate this properly. – Chris Mar 28 '19 at 21:25
  • Send it to every ticket and reporting contact you can find at HostGator along with the notice that you will publicize, via Reddit, Twitter, and other sources, the information if they have not acted upon it within 48 hours. Or something like that. – music2myear Mar 28 '19 at 22:17
  • 1
    @corsiKa Bcrypt is fine algorithmically, but it provides weaker protections against brute-forcing than the newer algorithms because its memory requirement - while higher than that of PBKDF2 or anything else built on traditional fast hashes - is still pretty low and therefore can be parallelized easily. Scrypt and argon2 have tunable memory requirements that allow going much, much higher than the 4KB requirement of bcrypt (which would have been significant once but is almost trivial now). – CBHacking Mar 29 '19 at 00:11
  • 3
    @TheD The SHA family is [very much designed to be performant](https://en.wikipedia.org/wiki/NIST_hash_function_competition). It must be; secure hashes are used in tons of applications where speed is critical, such as HMACs on encrypted network traffic, and often implemented on low-power small-die embedded devices. Sure, speed isn't the ultimate goal - as the link notes, some very fast algorithms were rejected even if no attacks were known - but it is absolutely one of the goals. The major purpose of the password hashing functions is to be slow (unlike SHA). – CBHacking Mar 29 '19 at 00:17
  • @Chris I don't know. I'd like to know also! Aside from the severe security failings, they are also misteaching their customers. – Lightness Races in Orbit Mar 29 '19 at 11:09
  • Wow that's awful – Sava B. Mar 29 '19 at 16:09
82

Yes, they store passwords in plaintext or equivalent, and definitely transmit them in plain text. This was discovered in 2011.

This is confirmed HostGator being listed on Plaintext Offenders, as well as by its entry in the CVS file containing a list of offenders. This is not new and has been known since at least 2011. HostGator has not reformed since. The Plaintext Offenders website shows a screenshot similar to yours as evidence:

HostGator sux

Peter Cordes
  • 890
  • 9
  • 12
forest
  • 64,616
  • 20
  • 206
  • 257
  • 12
    I realize that this is a semantic point, but I don't see how this proves that they store passwords in **plaintext**. They could have them encrypted and are decrypting them when they send them to you. Of course this is bad practice. – Greg Schmit Mar 28 '19 at 18:05
  • 3
    And they claim, at least, that they don't store passwords in plaintext: https://i.imgur.com/9qrVPrm.png (again, not disputing that this is bad practice). – Greg Schmit Mar 28 '19 at 18:08
  • 11
    @GregSchmit: Regardless of whether the password is stored plaintext in the auth database, it is stored plaintext in HostGator's e-mail server, potentially transmitted in plaintext across the Internet, and potentially stored plaintext at the recipient e-mail server. I say potentially because it largely depends on the domain where you receive your HostGator e-mail and how the server handling that domain is configured. – Ben Voigt Mar 28 '19 at 20:24
  • 7
    @BenVoigt We already know **for a fact** that the plaintext password was emailed, so that's irrelevant. The question is whether they are **storing** that in plaintext in their database. The OP wouldn't have asked "is this password stored in plaintext on an email server somewhere", because that would be a stupid question to ask given that the password was emailed. – Greg Schmit Mar 28 '19 at 20:29
  • @GregSchmit: Why can't OP ask a question he already knows the answer to? That's Socratic method. The goal is not to learn the answer, it's to make the other person aware of the problem. – Ben Voigt Mar 28 '19 at 20:30
  • @BenVoigt Ok, that's true. I would just suggest that if the OP was asking that question, it would be worded differently. I think it's clear they were asking whether the company was storing the passwords in plaintext in the database. – Greg Schmit Mar 28 '19 at 20:40
  • 2
    @GregSchmit: I read the OP's question as "am I crazy / missing something, or does this evidence really mean that they're storing plaintext-equivalent passwords?" Maybe the OP missed the semantic point that recovering plaintext with a known key is different from storing in plaintext, or maybe they know it's basically just as bad and glossed over that. This definitely answers the main thrust of the question, that escalation is probably pointless because they're still doing the same bad thing they have been for years, and it's presumably been pointed out to HostGator before. – Peter Cordes Mar 29 '19 at 02:07
  • @PeterCordes I disagree, because the **password was in the email**, which implies (without having with ask) that they store passwords in a way that they can retrieve them (either plaintext, or encrypted). The highest voted question addresses this by first stating that it's a problem, but that it isn't known whether this means they are stored encrypted or plaintext, and this answer (incorrectly) assumes that it has been proven that they store passwords as plaintext. – Greg Schmit Mar 29 '19 at 02:30
  • 6
    To reiterate (because apparently this needs to be done), I agree that encrypting passwords is bad practice, since that means that they can be decrypted, but this answer dishonestly pretends that it's been proven that they store passwords in plaintext when it's plausible that they store them encrypted, and the highest-voted answer correctly addresses this. – Greg Schmit Mar 29 '19 at 02:35
  • 2
    @GregSchmit: that's fair. I left a suggested edit to add "or equivalent" to make this answer not wrong. The top answer already covers the details of the distinction, so we don't need to repeat that here, just use some weasel words. – Peter Cordes Mar 29 '19 at 02:54
  • 1
    I'll be _extremely_ naive: couldn't they have picked a random string, saved the hash, and automatically emailed that same string? (I repeat this is a _naive speculation_, OFC this is NOT a proper way to handle the process as they could have logs/email/whatever with that string as plain text stored somewhere). – Gruber Mar 29 '19 at 04:35
  • 3
    @Gruber No. OP says it was _their_ password from a year ago, not a new generated password. – Lightness Races in Orbit Mar 29 '19 at 11:12
  • @LightnessRacesinOrbit ups nice catch, can't understand how I missed that! – Gruber Mar 29 '19 at 23:31
  • @PeterCordes Thank you for the edit. I was using the terminology that Plaintext Offenders used, meaning that the data is _effectively_ plaintext. You are completely right though that it could in theory be technically encrypted while still effectively plaintext, and we can't know if that is the case. – forest Apr 02 '19 at 00:54
  • 1
    @forest: you're welcome :). And yeah, exactly my thoughts. For sophisticated readers like ourselves, we know the distinction is not really relevant, but the minutiae are actually important here in the context of figuring out which parts of the OP's email exchange are technically true or not. (The specific question, not just the general problem pointed out by the question.) So the commenters did have a good point. – Peter Cordes Apr 02 '19 at 01:03
3

If the company rep's response is true, the Password is stored as an encrypted text. This makes the plain text password in unprompted email a bigger concern.

is it safe to assume that my password is stored in their database as plain text?

The company representative explicitly told that they are not storing the password in plain text. Assuming that he is telling the truth, my conclusion is that they are storing the password in encrypted text. They are better than plain text passwords but they are still insecure. Hashing and salting is the best way to store passwords.

If the stored password is encrypted, the biggest concern here is not the way it is stored but the way it is transmitted, in plain text on an email when the user did not request any.

do you have any suggestions on how to address this issue with the provider?

You can ask the company to change the following (in the order of priority)

  1. Stop sending passwords over email.
  2. Provide Reset password option instead of recovering it.
  3. Replace encrypting passwords with Hashing and Salting.

In response to comments,

  1. Yes, there is high chance that the rep is lying or didn't know what he is talking about. But there is also a possibility that he was telling the truth. This answer deals with that scenario.
  2. I consider transmission of passwords as a bigger problem to storage because the OP was sent the password in an email when he did not ask for any.
  3. I have seen systems that store passwords in an encrypted text and send them to users upon request. They are not secure, but they do exist. Just because you received your info in plain text does not guarantee it is stored that way too.
Kolappan N
  • 2,662
  • 14
  • 26
  • 50
    "No, the company representative explicitly told that they are not storing the password in plain text" since when can you blindly trust what a low level rep says about a large company? – MindSwipe Mar 27 '19 at 12:10
  • 41
    @KolappanNathan Given that that same employee considers sending passwords via email to be a safe practice, there's very little reason to assume that rep is a trustworthy source of information. – Beofett Mar 27 '19 at 12:21
  • 2
    @Beofett He is not aware of the security risks involved in what his company is doing. But how does it mean that he does not know what his company is doing? I am not telling that you should trust him, but there is a possibility that it is the truth. – Kolappan N Mar 27 '19 at 12:23
  • @KolappanNathan There's a difference between "there's little reason to assume that rep is a trustworthy source" and "I know he does not know what his company is doing". But if a (presumably tier 1 or sales) support person says something that contradicts basic security practices, why would you take the chance that that's the only thing they got wrong? – Beofett Mar 27 '19 at 12:26
  • 21
    "Assuming he is telling the truth" implies he is either truthful and correct or lying. The reality is likely a third option: he doesn't actually know the answer and, like many reps, is simply trying to make the person on the other end happy. Never attribute to malice what can easily be explained by ignorance. The fact that the rep doesn't even know how to spell encryption (the way they spelled it clearly wasn't the result of a simply typo) is a strong indication that they are simply ignorant of this topic and don't know anything about it. – Conor Mancone Mar 27 '19 at 12:30
  • Also, I would say that the method of storage is the bigger concern here. Most passwords get leaked because someone gets a hold of them at rest. Hacking accounts by intercepting emails with plain-text passwords is substantially less common, almost by definition (because you can only MITM emails one at a time, but if you hack a server you get everything). – Conor Mancone Mar 27 '19 at 12:33
  • 3
    @ConorMancone That is possible and an answer already exists for such a possibility. My answer deals with an another possible scenario that the password is encrypted. It is a possible scenario. **No one can tell for 100% percent that the password is in plain text.** What is wrong about writing answers for an another possible scenario? The typo does not indicate anything. He misspelled a single letter!!! – Kolappan N Mar 27 '19 at 12:40
  • 1
    @KolappanNathan When it comes to [plain text offenders](http://plaintextoffenders.com/) it doesn't really matter if it is literally plain text or encrypted - the two are just as bad when it comes to security. As per the typo, it isn't actually a typo because they misspelled two different parts of the word. I actually think that has significance - if they misspell the word that badly, I think anything they say about the topic should be ignored. Regardless though, my biggest disagreement is about your statement regarding transmission vs storage – Conor Mancone Mar 27 '19 at 12:59
  • 3
    @ConorMancone The OP said that he received the password in email when he **did not ask for any**. He could have abandoned his email. I consider transmission to be biggest issue. I agree with the fact that encrypting passwords is insecure too. No disagreements there. – Kolappan N Mar 27 '19 at 13:03
  • 1
    @KolappanNathan I would argue that even if he did ask for it, a responsible company would have said "No, we're not emailing you a password. It isn't possible, and even if it was possible (for example when you first signed up) we still wouldn't." – corsiKa Mar 27 '19 at 19:00
  • @corsiKa Exactly why I say transmission is the bigger problem here. That's why I list asking the company to stop sending passwords as the first step of action. – Kolappan N Mar 27 '19 at 22:57
  • 3
    FWIW, I think this is a good answer that both assumes that everything in the chat log is true while still concluding that it's bad security. – Darrick Herwehe Mar 28 '19 at 12:28
  • 1
    @ConorMancone: If he says it is and is saying it without any knowledge to make the customer happy he is still lying. – Joshua Mar 29 '19 at 22:42