
GoDaddy store your passwords in clear and may access your VPS without permission - sucuri2
http://blog.sucuri.net/2010/02/godaddy-store-your-passwords-in-clear.html
======
regularfry
This needs repeating: there is _no way_ for a VPS provider _not_ to have
access to the internals of your VM; it is unrealistic to have such an
expectation.

It might not be unrealistic to expect them to ask before looking, but if your
concern is "one bad apple" then you've already lost.

~~~
peterwwillis
the important part is the difference between a compromised authentication
secret and having local control over hardware/software. the password is now
out in the open. there is now _one more_ way for someone to root the slice
other than getting control over the node(s) running the slice.

~~~
tptacek
If they have root on your VM, they have your root password too. We're talking
about maybe a couple hundred lines of code, tops.

It's clearly easier to get root passwords out of a database, but in the
unlikely scenario where an internal employee sets out to sabotage the whole
operation, a couple hundred lines of C code doesn't make the effort that much
more unlikely.

Don't get me wrong; storing the passwords in the clear is very bad. The thing
that is really going to go wrong? Someone's going to commit a change to their
web app that coughs up everyone's password to an outsider.

~~~
swolchok
> If they have root on your VM, they have your root password too. We're
> talking about maybe a couple hundred lines of code, tops.

The default hash for crypt(3) (and thus /etc/shadow) in newer Linux
distributions is salted SHA-512. Shouldn't that be significantly more
difficult to crack than the old MD5 hashes? john didn't even support it when I
checked a few months ago.

~~~
devicenull
You don't have to crack it if you can just replace the login binary with one
that logs it somewhere.

~~~
swolchok
Oh, of course. I errantly assumed they didn't have root at the same time as
you still had access.

------
andrewvc
Sadly, I can't say I'm really surprised, this _is_ GoDaddy after all.

This is a company that has been shown to be consistently anti-customer time
after time.

Their founder's latest blog post, on the GoDaddy homepage, is titled '5 things
I wish I learned in Business School. Plus ... a smoking HOT blonde.' That
pretty much sums up their cynical view of their customers as sheep to me.

------
patio11
This kind of freaks me out. If you told me somebody had cleaned out either my
brokerage account or my GoDaddy account, I'd pray it was the brokerage
account. There are much easier options for recovery from that.

It's not that I don't trust GoDaddy. They've been good to me. It is just that
I don't trust every person who might happen to see their database in the next
decade.

Crikey, now I have to treat every password I've ever used there as
compromised. Bleeeeeeech.

[Edit: It occurs to me that I probably lose consistency points for this since
I've previously argued that plain text passwords are "not that big of a deal."
Thomas, I owe you a drink.]

~~~
sucuri2
That's the problem I have with it... especially if their admins can access that
at will to SSH to their VPS boxes.

~~~
patio11
You can tell I've been a SEO too long when the prospect of somebody yanking my
domain name hurts a lot more than the prospect of somebody rooting me.

~~~
tptacek
Because you know exactly how much money you'd lose if that happened.

------
undefined_user
One thing people should be aware of is that almost no VPS hosting solution is
secure.

The worst offender is Parallels/Virtuozzo (which I think GoDaddy uses).

On the Linux side, a root user on the host node can simply run the command
vzctl enter 1111 and enter your VPS without a password. To make things even
scarier, when an admin enters your container this way, it doesn't leave a bash
history file. You have a very small chance of ever knowing they entered the
container at all.

Even if they don't want to enter your container, they still have full access to
all of your files, which are located in the /vz folder on the host node.

Other VPS solutions are slightly more secure. But it seems like 50% of the VPS
hosting industry is using Virtuozzo and most of them probably have no issue
entering your container with or without your permission.

~~~
axod
If you don't trust your hosting provider, I think you have bigger issues.

~~~
sailormoon
Exactly right. Your hosting provider has physical access to the machine. There
is no such thing as security under those circumstances.

~~~
olefoo
It's essentially DRM, except that you would be the media provider and the
hosting company is the pirate. For your stuff to function you need to provide
the cryptext, the decryption device and the key. So of course they have
access.

------
sucuri2
Update from GoDaddy's CSO (Chief Security Officer):

<http://blog.sucuri.net/2010/02/godaddy-security-update.html>

~~~
stanleydrew
Wow, you're letting them off the hook pretty easily don't you think? Seems
like this is a major breach of trust, worthy of a little more sustained anger
no?

~~~
sucuri2
Not off the hook, no. The issue still stands that they store the passwords in
a retrievable format. About them accessing the servers, he said that they will
change their policy to communicate first with the client, which is a big PLUS
for me. If anyone wants their malware removal service, it is fine for me.

But just calling back and talking about improvements gives them a +1
(they are famous for ignoring their users).

Plus, that happened almost two months ago (see the date in the logs) and this
post was on my draft for a while... So the sustained anger had time to pass.

~~~
stanleydrew
Ah, didn't catch the date. I understand your anger may have subsided by now :)

But to me this still seems like letting GoDaddy off the hook. I understand
they want to provide some sort of malware protection service for which they
need to periodically log in to your vps with your password. The question is,
if you are concerned about security at all, and you're not interested in
taking advantage of that service, why would you continue to do business with a
company that openly stores your password and makes it retrievable?

Seems like you shouldn't care if they have some sort of "procedure" in place
for password retrieval. That's almost irrelevant. It's time to move your
business elsewhere.

~~~
nfnaaron
"I understand they want to provide some sort of malware protection service for
which they need to periodically log in to your vps with your password."

This is so unusual, and so unexpected that it should have been in the TOS, at
the top. This should NOT have been a surprise, with proper description of the
REAL TOS, rather than just the written TOS. (I am assuming this isn't in the
TOS, I'm not a GD customer.)

------
vinhboy
Argh that really sucks. We should make a website that keeps track of these
'clear text' password people.

~~~
xs
this is why i use <http://prq.se> for hosting

~~~
sailormoon
Thanks a lot for that suggestion/link. I'm looking for new dedi hosting and I
really love those guys.

I'll be seriously thinking about moving to them. The most expensive combo
package there is less than I pay right now. Plus, they're committed to
privacy. Very very compelling.

How has your uptime been? Had any problems?

~~~
m_eiman
I've used PRQ for about a year, and had no major problems. There was a DDoS
attack at one time that broke things for a while, but other than that I've had
no problems.

I had a dedicated server that ran without any problems, and when I had a few
questions it was easy to get in touch via phone, mail and IRC.

~~~
sailormoon
Great, that's good to hear. Thanks.

------
mbreese
This is a little different than just a registrar having access to your
passwords. I don't have a server with them, so I must admit, I'm more
concerned with whether or not they have my domain account password in
cleartext. If they do, I'll switch registrars immediately, just on the
principle of the thing.

That being said, I don't really care about them having your root password for
your VPS. I really don't. Why? Because it's their server (physically). So, if
they wanted access to it, they could just pull the hard drive and mount it in
another computer. Your expectation of privacy just goes out the window if you
don't own the hardware.

------
callahad
Would anyone be willing to skim their terms of service and see if they mention
requiring access to your server?

~~~
patio11
_You acknowledge and agree that Go Daddy has the right to carry out a
forensics examination in the event of a compromise to Your server or account._

~~~
sucuri2
I agree with that (and I also confess that I didn't read it before signing
up). However, it doesn't say that they will do that WITHOUT your permission
(or even asking first).

~~~
stingraycharles
Aren't you giving them permission when you agree with their terms?

~~~
Avenger42
I think that sentence should put the onus on them to prove "the event of a
compromise to Your server or account".

~~~
nitrogen
It doesn't say who has to compromise it.

------
agentq
I found out the other day that DreamHost also stores control panel passwords
in the clear.

~~~
nfriedly
They also store ftp and database user passwords in clear text. In fact, they
used to _show_ the ftp user passwords in their control panel. Now it's hidden,
but you can still access ftp user passwords via their api and you can get
MySQL user passwords by doing a "one-click install" of something and then
opening the config file.

~~~
andfarm
Correct. If having user service passwords stored in our database bothers you,
log into a shell account and change the password with "passwd". We'll pick up
the new password hash on our next user config and store the password
internally as "changedbypasswd".

You can also view MySQL user passwords by clicking on the username in the
panel (<https://panel.dreamhost.com/index.cgi?tree=goodies.mysql>). This
shouldn't be a big deal, though, as you have to store the passwords in the
clear in config files anyway.

------
hypermatt
That's really scary, trust is always a concern when you're in a managed hosting
solution. How do we know that people from their company aren't taking
advantage, even if GoDaddy isn't trying to?

------
Periodic
A tool that I wish more people would use is PwdHash
(<https://www.pwdhash.com/>). It's a system for generating pseudo-random
passwords for the web.

Basically, it will take some input from you (a password) and then hash that
with the domain name of the site you're accessing and supply that when you
actually submit the form. This means that my GoDaddy password would be
"O0ErvdwEiy" instead of "asdfasdf".

It helps protect you against sites that may store your password in plain text
because a compromise of one system does not mean a compromise of all systems.

It's fairly painless to use, but is only supported as a Firefox extension or
through their website. There are some issues with sites that use different
domains for their login servers or that use flash for their login dialog (yes,
they exist).
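
The per-site derivation described in the comment above, as an added sketch that is not part of the original comment and is not PwdHash's actual algorithm: it assumes HMAC-SHA256 keyed with the master secret and a naive two-label domain normalisation, which is what makes login.godaddy.com and godaddy.com yield the same password. The function names are hypothetical.

```python
import base64
import hashlib
import hmac


def site_key(host: str) -> str:
    """Naive normalisation (assumption): keep the last two DNS labels.
    A real tool needs the Public Suffix List for names like example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(master: str, host: str, length: int = 12) -> str:
    """Derive a per-site password: HMAC-SHA256 keyed with the master secret
    over the normalised domain, base64-encoded and truncated."""
    mac = hmac.new(master.encode(), site_key(host).encode(),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]


def exposed_elsewhere(master: str, leaked_host: str,
                      other_hosts: list[str]) -> list[str]:
    """Hosts whose derived password equals the one a plaintext leak at
    leaked_host would reveal, i.e. where the leaked value is reusable."""
    leaked = site_password(master, leaked_host)
    return [h for h in other_hosts if site_password(master, h) == leaked]


if __name__ == "__main__":
    master = "asdfasdf"  # the weak example password from the comment
    # Constructed host list: one login subdomain, two unrelated sites.
    hosts = ["login.godaddy.com", "example.org", "example.net"]
    for h in ["godaddy.com"] + hosts:
        print(f"{h:20} {site_password(master, h)}")
    print("reusable at:", exposed_elsewhere(master, "godaddy.com", hosts))
```

A leaked derived password still lets an attacker guess a weak master secret offline, so the master has to be strong for the scheme to hold.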

------
memoryfault
Hostmonster.com also stores your password in plaintext. When I called customer
support once they asked me for the last 4 characters of my password. So, I
asked the support guy "Can you see just the last 4 or can you see my whole
password?" He told me he could see my whole password. W. T. F.

------
rmk
We use godaddy in our company for email and webpage hosting. It's not been a
great experience.

Storing passwords in the clear sucks. Why would they do that, unless their
audience is primarily 'non-technical' people?

~~~
stanleydrew
Because their audience _is_ primarily 'non-technical' people. Have you seen
their ads?!

~~~
rmk
Ha ha ha... well then, storing passwords in the clear? who cares :-)

------
mcotton
I know that when I worked for a major hosting company in 2001, we had our own
SSH keys added to every VPS. This gave us access without needing their
password.

Right or wrong, it is very common at hosting companies.

------
coverband
I think the standard practice with other providers is to have a separate admin
account that can login to the VPS and whose actions are easily audited.

Using the VPS owner's account and password is ridiculous and could cause a
legal liability for the VPS owner.

------
olefoo
Not really surprised by this. GoDaddy is horrible on so many levels, selling
chained certificates without telling you what that implies until after you
purchase; ganking peoples domains at the behest of third parties without going
through UDRP.

And if you've ever had to deal with them you may agree with me when I say that
their website constitutes criminal negligence on the part of the UI/UX
designer. Deceptive and high-pressure sales tactics are a bad sign; especially
in a company that wants so much of your trust.

------
IgorPartola
The real question here is, who do you recommend as an alternative. Thankfully,
the domain name registrar market is not monopolized by GoDaddy, but I have
never used anybody else.

~~~
pavs
Godaddy is one of the worst choices for hosting. Also, avoid media temple. So,
basically most _well known_ hosts, other than these two, are good choices.

~~~
IgorPartola
Thanks for the advice. Currently I put my faith into the following list of
companies:

* GoDaddy - registrar
* Tocici/BuildYourVPS.com - VPS server
* EveryDNS

GoDaddy is by far the biggest pain in the @$$ to use out of these.

------
swombat
Worth repeating for the nth time: just because they have access to your
password doesn't mean it's stored in clear. They could simply be using a
reversible encryption algorithm.

This does not excuse them from accessing your VPS without your permission, of
course, but the only thing you know about their password storage mechanism is
it allows them to access your password when they need it. You have no idea
what the procedure for this access is, or how exactly it's stored.

~~~
sucuri2
Reversible encryption algorithm that an admin can use to get my password and
access my servers == same as clear-text to me...

The problem is not that they can get hacked and someone steals all their data,
the problem is a malicious employee accessing my private server and my
passwords. That's the issue.. unless they trust all their employees.

~~~
swombat
As others have pointed out, if you don't trust your host, you're hosed right
from the start. If you want a private server, keep it in your closet.

Having the password reversibly encrypted means that if someone gets their
hands on a dump of the db, they will at least not be able to automatically
gain access to millions of accounts with no effort. Depending on the
encryption scheme used, it may even be extremely secure - for example,
decryption could require sending the encrypted string to a different,
extremely secure server off the WAN that answers with the password.

~~~
tptacek
In 15 years as a security professional and over 5 years directly consulting
for big companies, little companies, locked down companies and lunatic
companies, selling operating systems, browsers, parts of the power grid, cores
of financial exchanges, retail banking applications, email management
applications and to-do lists, I have never once seen the "extremely secure"
system you allude to.

I have seen lots of "reversible encryption", though.

Maybe I've just gotten lucky in my career, and I just get the fun applications
where people do this wrong. But there's no way GoDaddy did it right.

~~~
sailormoon
Nonetheless you must admit it is possible.

If I did this, that's how I'd do it. Have a separate computer, locked down to
the max, except for a couple of functions: accepting HTTP requests POSTing an
encrypted password, then sending back the decrypted string. That function
would be severely rate-limited. Another function, to confirm the hash of
passwords, would not be rate-limited, allowing high volumes of website access.

I could make that machine friggin' _impregnable_ (and so could you). But yeah.
No-one ever does it.

~~~
tptacek
I wouldn't do it at all. If I wanted escrowed access to a VM, I'd stick a
"break glass" SSH key on the box.

I'm not sure how "extremely secure" this "password-decrypting server" design
really is, by the way. SQLI is often equivalent to remote code execution. Even
when it isn't, XSS is equivalent to operator access, and operators can use the
feature that decrypts the password.

Passwords are hazmat. You shouldn't be storing them, at all.

~~~
sailormoon
Yeah. I used to disagree with you, but now I agree.

You should write up a definitive guide for password security. For instance, I
want to know if we should still use salts in the age of bcrypt, etc. Tell us
what to do, man.

~~~
tptacek
I kind of don't want to be "the password guy".

~~~
sailormoon
Haha. I understand.

------
budu
I've filed a complaint to GoDaddy support and I'm now looking for an
alternative. What are your suggestions?

~~~
cstejerean
If you want a VPS you should check out SliceHost.

~~~
ahi
RackSpace has turned SliceHost into a dead man walking. Linode has better
pricing and a real future.

~~~
masomenos
Do you have any specifics, or is this just mud slinging?

Longtime slicehost customer here, haven't seen any negative impact from the
acquisition.

~~~
danieldon
See these for reference:

<http://news.ycombinator.com/item?id=1132138>

<http://journal.uggedal.com/vps-performance-comparison>

<http://news.ycombinator.com/item?id=966555>

<http://journal.dedasys.com/2008/11/24/slicehost-vs-linode>

Still, Slicehost is certainly one of the best VPS providers.

~~~
nitrogen
Thanks for that list. The second link was particularly useful.

------
holdenc
There's a difference between storing passwords in clear text and not storing
passwords as a one-way hash.

~~~
epochwolf
If hundreds of people within the company can reverse the encryption on a
password it might as well be in plain text.
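
The one-way storage the two comments above contrast with retrievable passwords, as an added sketch that is not from the thread or from any provider's code: it assumes scrypt with a per-record random salt, a hypothetical `scrypt$n$r$p$salt$hash` record format, and a hypothetical migration helper for a table that currently holds plaintext.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example)
N, R, P, DKLEN = 2**14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing one-way record; the plaintext is not kept."""
    salt = os.urandom(16)  # fresh salt per record
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                        dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare
    in constant time. Malformed records fail closed."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p),
                            dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)


def migrate_plaintext_rows(rows: dict[str, str]) -> dict[str, str]:
    """Replace a {user: plaintext} table with {user: one-way record}."""
    return {user: hash_password(pw) for user, pw in rows.items()}


if __name__ == "__main__":
    # Constructed sample table: two users sharing one weak password.
    table = migrate_plaintext_rows({"alice": "asdfasdf", "bob": "asdfasdf"})
    for user, rec in table.items():
        print(user, rec)
    # Same password, different records: a dump does not show who shares one,
    # and nobody with database access can read a password back out.
    print(verify_password("asdfasdf", table["alice"]))
```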

------
jbyers
GoDaddy's business practices are awful. Their view of the rights of domain
owners alone was reason enough for us to move all of our domains to Gandi.
More expensive, fewer features, but at least they respect their customers.

------
sidbatra
It makes sense if they need to do maintenance but there has to be some code of
conduct / guidelines for a VPS provider.

Either way, I stopped using Godaddy a while back - slicehost is amazing for
developers and hackers.

------
tensafefrogs
I just checked directnic.com, and they seem to store passwords in clear text
as well (if you retrieve your password, they email it to you(!))

------
jcapote
And here I thought that GoDaddy was the bastion of perfection in our
technology landscape </sarcasm>

------
bshep
That's REALLY scary, I wonder how many passwords they store? just the previous?
your whole password history?

------
st3fan
Automatic malware removal on Linux systems? Get real.

------
yameighty
ffdsfds

------
rogermugs
people always say they're such a great domain registrar...

it's the least navigable site i've ever used in my life. i will always use enom
via google.

------
howcool
Gone Daddy!

Who in their right mind would work with this funky company in the first place?
They seem to be hiring morons. Or maybe they have the Superbowl models doing
their Security.

------
fseek
Way to go, godaddy!

~~~
dasil003
I bet if you had said "Way to godaddy!" you would be sitting at -2 instead of
-3 right now

------
pibefision
How could someone expect a minimum serious service of a provider named "Go
Daddy". Really, this is not ironic.

~~~
froo
What a bizarre statement.

I really don't see the correlation between a memorable (and thus brandable)
business name and business performance.

Some of the web's biggest and most respected properties have almost whimsical
names, but that doesn't reduce their "street cred" so to speak.

