

Rackspace passwords are visible to customer service - lisper
http://rondam.blogspot.com/2010/03/danger-will-robinson-rackspace-cloud.html

======
LiveTheDream
I asked a Rackspace rep about this. Here is the real deal:

- passwords are NOT stored in cleartext

- however, passwords _are_ visible to customer service via a "secure, non-public tool"

- the reason for this is because "people generally prefer to give out a
password to authenticate themselves [over the phone] than portions of the
billing information"

- so if a user account database is stolen somehow, the malicious thief would
not have access to convenient info like email/username/cleartext password.
(However, if a customer service rep is the bad guy, you're still in trouble
since they have access to the tool.)

- at some point, Rackspace intends to "removing CSR access for SAS-70
purposes and moving to something like a challenge/response like the Managed
division uses." AFAIK SAS-70 is some kind of audit regulation, but the
Wikipedia article put me to sleep after reading the first sentence.

~~~
nfnaaron
"- however, passwords are visible to customer service via a "secure, non-public tool""

"- so if a user account database is stolen somehow, the malicious thief would
not have access to convenient info like email/username/cleartext password."

What if the secure, non-public tool is also stolen?

~~~
wizard_2
The tool is probably for decrypting the passwords. The passwords are probably
hashed for verification to their website, etc, and then encrypted to a key
which is encrypted to each tech's password as they hire new techs.

I'm sorry, I should say, this is how I imagine a good way to do it would be,
not that it's how they do it.

This way though everything could be stolen and it wouldn't give up clear text
passwords.

------
Terretta
Anyone that's ever logged into their control panel knows the control panel can
show you your password with a button click.

If you're a Rackspace customer, you trust them to run your network fabric and
your hardware. They don't need your password to see what you're doing, but you
may as well trust them with that too.

Speaking of trust -- if your machine password gives a Rackspace CSR access to
your app's private data, you're just as guilty as you're accusing them of
being. You're not storing your private data in the clear, are you?

(As for why they might do this: Most users aren't sophisticated enough to use
a password generator and manager, making "What's my password again?" a common
support question. Providing the "Show me my password" function in the web
control panel means a CSR doesn't have a job reason to look at it. And even if
they do, cloud customers already trust Rackspace support with the reboot
switch, and for that matter, with the "delete this whole image and all its
backups" button.)

------
mootothemax
What part of this conversation _proves_ Rackspace stores passwords in the
clear?

~~~
akkartik
Yeah, the title is technically wrong. But a hosting provider having access to
clear passwords is still atrocious.

~~~
axod
They have access to the _HARDWARE_. They _could_ do anything they wish to with
your data. That's why you have things like contracts and trust.

If you're using the same password for more than one account/login, then
seriously, that's not a good idea. Don't do it. Ever.

------
callmeed
First off, Rackspace's cloud services have totally different CS staff than
their managed hosting services. I'm a managed customer and this has never
happened. In fact, I had to deal with their cloud CS people regarding a DNS
issue and got the run around.

Anyway, the managed folks ask for your portal password and a challenge
question (high school mascot). In the 4 years I've used them, they have never
asked for a root password to one of my boxes.

And, BTW, Softlayer does ask for your machine's root password in their support
ticket form.

~~~
sunchild
Nice - that's a single challenge question, and one that can be easily
discovered in the public record.

------
rjb
Reminds me of an incident I had with my account at NeSol some years ago. I
used to get promotional cards in the mail from them, always in pairs, one
addressed to my login account name and the other addressed to my password. It
seemed inconceivable and I could never get them to actually believe me, even
with scanned proof.

No matter the policy or level of security behind internal tools, it still
potentially can leave more room for such errors.

~~~
lhuang
How do you know they didn't believe you? They could have been pretending.

------
cwalcott
Seems similar to <http://news.ycombinator.com/item?id=1148328>. The internals
of any VPS aren't really secure from the hosting provider, although I don't
see why that means CSRs should have plaintext access to the root password.

------
eli
This is Rackspace _Cloud_, not to be confused with Rackspace's many other
offerings.

And if you're running code on someone else's hardware then they pretty much
implicitly have access to all your stuff, password or not.

------
rick888
Does the author of this article not know about 2-way encryption? It can be
used to store encrypted passwords in a database and the original value can be
retrieved.

~~~
viraptor
Letting a random employee see your password on demand is just as bad as
storing it in plaintext. Now the employee knows you and knows your password -
for most people that means free access to their mail account, which means free
access to all their accounts.

~~~
axod
Security 101: use different passwords for everything.

~~~
viraptor
Good idea in theory. Unfortunately every serious person doing programming /
administration / ... will have at least 20 accounts on the internet (probably
underestimated!: email, other email, HN, sourceforge, github, facebook, own
pc, own pc admin, vps, stackoverflow, etc. etc.)

At some point it's not possible to remember them all anymore... You have a
choice of storing them with master password (now I can get all of them in one
file), using the same one, having a password scheme (like usualpwd_HN,
usualpwd_gmail, ...) or ... ?

Edit: what I started doing is setting a random password that I will _not_
remember and just requesting a reset when I get logged out.

~~~
axod
...or... writing a simple script that given a key, generates you a password
based on it.

I probably have 50+ passwords at least, and every one is different. I just run
my little script with a "key" and it tells me the password.

And of course browsers remember them anyway.

e.g.

    ./get_my_password.sh mygmail
    ./get_my_password.sh server_1_mysql_root

I think 1password etc do similar things though.

~~~
Groxx
1password uses 128-bit AES, based on your master password. Intelligently, they
didn't write their own encryption.

_Of course, we wanted to avoid writing this code in the Agile Keychain and
elected to use the OpenSSL function PKCS5_PBKDF2_HMAC_SHA1 to generate the
keys. Key generation is simply too important a step to not rely directly on
the experts. In order to thwart would-be attackers and strengthen the key, we
elected to use 1000 iterations in the PBKDF2 algorithm._

<http://help.agile.ws/1Password3/agile_keychain_design.html>
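As an added example (not code from this thread, from 1Password, or from Rackspace), the following Python script ties three comments together: a deterministic per-account password generator in the spirit of axod's `./get_my_password.sh <label>`, built on the PKCS#5 PBKDF2-HMAC-SHA1 construction with 1000 iterations that Groxx quotes, plus the "hashed for verification" half of the scheme wizard_2 sketches, i.e. what a service can store so that it can check a login without being able to display the password to a CSR. The master secret literal, the account labels and the iteration count default are constructed sample values; the function names are my own.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample master secret. A real script would read it from a prompt
# (getpass) or a file with restrictive permissions, never from a literal.
MASTER_SECRET = b"correct horse battery staple"

# Iteration count taken from the Agile Keychain design note quoted above.
# It is a tunable parameter, not a recommendation: raise it as hardware allows.
PBKDF2_ITERATIONS = 1000


def derive_account_password(master: bytes, label: str,
                            iterations: int = PBKDF2_ITERATIONS,
                            length: int = 20) -> str:
    """Deterministically derive a per-account password from a master secret.

    The account label ("mygmail", "server_1_mysql_root", ...) is used as the
    PBKDF2 salt, so each label yields an unrelated password: one leaked
    derived password reveals nothing about the others or about the master.
    """
    raw = hashlib.pbkdf2_hmac("sha1", master, label.encode("utf-8"),
                              iterations, dklen=32)
    # URL-safe base64 keeps the result typeable and free of '/' and '+';
    # 32 bytes encode to 43 characters after padding is stripped.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


def make_verifier(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build the record a service should store instead of the password.

    A random per-record salt plus a PBKDF2 digest lets the service verify a
    login, but there is nothing in the record a support tool could show back
    to a customer or a CSR.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return {"salt": salt.hex(), "iterations": iterations,
            "digest": digest.hex()}


def check_password(password: str, record: dict) -> bool:
    """Verify a login attempt against a stored record using a constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"], dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def cli(label: str) -> str:
    """Mirror of the shell usage in the thread: ./get_my_password.sh <label>."""
    return derive_account_password(MASTER_SECRET, label)


if __name__ == "__main__":
    import sys
    print(cli(sys.argv[1] if len(sys.argv) > 1 else "mygmail"))
```

The trade-offs viraptor raises still apply to the generator half: whoever learns the master secret can regenerate every account password, and rotating one account's password means changing its label. The verifier half is the structural answer to the thread's complaint: a service that stores only `make_verifier` output has nothing to put in a "show me my password" button, so phone verification has to move to something else (a separate verification phrase or a challenge/response, as LiveTheDream reports Rackspace intends).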

------
hugs
Ironically, I was just now on the phone on-hold with Rackspace waiting to
activate my account, when I tabbed over to HN to see this post at the #1 spot.
I tipped off the customer rep that they might want to come on over to HN and
reply. Looking forward to seeing how they officially respond...

------
holdenc
It's disconcerting to hear that a CSR can see this. But, the bottom line is
that a hosting company's quality is typically inversely proportional to their
size. After a certain number of customers, the company's main business is
automating hosting support and maintenance for the masses.

------
silversmith
Read the comments there:

"I've been a rackspace customer for a while, and I've only ever used that
password to verify my identity over the phone. A different password is used to
log into the web interface to access data and tickets."

It's a verification phrase, not a password.

~~~
lisper
They may have been a RS customer for a while, but they are nonetheless
mistaken: at least for Cloud customer service, they can see your account
password, and with that password anyone can log into your account, change your
contact information, and change your server root passwords.

------
wesley
Gigenet.com stores the passwords in clear text. You can see this in their
support system HTML source. You have to supply the root password each time you
create a support ticket and the password remains visible even in closed
tickets from months ago.

------
tlack
They would need to be able to see passwords to login to your server to fix
stuff anyway, unless you'd prefer for them to backdoor every machine they
install with their ssh key. What's the big deal here?

------
RyanMcGreal
GoDaddy was raked over the coals in these pages a month or two ago over the
same issue.

------
lurkinggrue
The Rackspace Cloud CSR could have just been lying.

~~~
jrockway
Or it could have been anyone else in the middle:

You: My password is "foo"

Random person: Yes, that's exactly what the screen says.

Little do you know, there is no screen.

------
aneth
My favorite cheap PHP host is Bluehost. I like everything about them except
that they ask for passwords over the phone, and mention that every time I talk
to them. Not only is a secure password a pain to say over the phone ("ampersand
backslash caret capital-H comma...") but I don't like the idea of a
disgruntled employee trying out the same password on my email accounts, even
if I don't use the same password.

