

2014 Hetzner and DigitalOcean are still sending root passwords by email - tbarbugli


======
raiyu
Hi,

We recommend that customers instead use our built in SSH key manager which
allows you to add public SSH keys to your account which can then be added to
your droplets during creation.

When you are using SSH keys no root password is emailed and instead the SSH key is
used for access. Some customers who are just starting out want to test things
quickly so we provide an alternative where the password is emailed.

We've also started testing new base images which will auto-expire the root
password on the first login, so after you login you will be asked to update
the root password as well.

However, we still recommend that customers instead opt to use SSH keys for
access.

We also provide how-tos and tutorials in our community section to help new
users who are not familiar with how to use SSH keys on how to set them up and
use them for authentication into their virtual servers.

Thanks, Moisey, Cofounder, DigitalOcean
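The two controls mentioned above (refusing password logins for root once a key is installed, and expiring the root password on first login) can be checked and applied from a shell. This is an added example, not DigitalOcean's code; the two sshd_config fragments are constructed for illustration, and the audit ignores Match blocks and Include directives.

```shell
#!/bin/sh
# Constructed sample sshd_config fragments (not real server configs): the first
# accepts an e-mailed root password over the network, the second does not.
WEAK_CONF='PermitRootLogin yes
PasswordAuthentication yes'
HARDENED_CONF='PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes'

# sshd_setting <config-text> <keyword>: print the effective value of a keyword.
# sshd honours the first occurrence of a keyword, so the first match wins; an
# absent keyword falls back to the compiled-in OpenSSH default.
sshd_setting() {
    _val=$(printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | head -n 1 | awk '{print $2}')
    if [ -z "$_val" ]; then
        case "$2" in
            PermitRootLogin) _val="prohibit-password" ;;   # default since OpenSSH 7.0
            PasswordAuthentication) _val="yes" ;;
        esac
    fi
    printf '%s' "$_val"
}

# root_password_login_possible <config-text>: succeed (status 0) when an
# e-mailed root password would be accepted over SSH, fail (status 1) otherwise.
# Only PermitRootLogin=yes allows root to authenticate with a password;
# prohibit-password, without-password, forced-commands-only and no all refuse it.
root_password_login_possible() {
    prl=$(sshd_setting "$1" PermitRootLogin)
    pwa=$(sshd_setting "$1" PasswordAuthentication)
    [ "$prl" = "yes" ] && [ "$pwa" = "yes" ]
}

# What a base image runs so the first root login must set a new password
# (shown for reference; needs root on a real system, so not called here).
force_root_password_change() {
    chage -d 0 root
}

report() {
    if root_password_login_possible "$2"; then
        echo "$1: root can log in with an e-mailed password over SSH"
    else
        echo "$1: password login for root refused; SSH keys required"
    fi
}
report weak "$WEAK_CONF"
report hardened "$HARDENED_CONF"
```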

------
nemasu
Umm, I'm confused. What's a better alternative? Logging in somewhere and
viewing the password isn't really much better. And I'm sure a lot of places do
this. I get password, log in, change password.

~~~
mooism2
a. Ask for a root password before spinning up the machine.

b. Ask for a public key before spinning up the machine.

------
krat0sprakhar
I was setting up PCI guidelines for our servers and from my experience I can
tell that there's nothing inherently wrong with sending root passwords by email given
that the user is forced to change it on the first login.

~~~
tbarbugli
Good point, unfortunately they can't enforce that so it's up to the user to
change the root password as soon as possible.

------
mooism2
I can't speak about Hetzner, but I gave DigitalOcean my public key before
spinning up a vm with them the other day, and they didn't send me a password.

~~~
tbarbugli
Yes, they give you two options: get a root password by email or use a provided
public key. I understand that's not good for sales but they should drop the
first option.

------
tbarbugli
This seems pretty weird considering the number of customers they have and what
competitors do in this regard (e.g. Amazon with EC2 provisioned machines).

