
So I thought I'd give empire-hosting a try to play with a cheap box.


Thank you for signing up with us. Your new account has been setup and you can now login to our client area using the details below.

Email Address: my.mail@address

Password: YepYouGuessWhatWasRightHereInCleartext

To login, visit http://secure.empire-hosting.net


Ah well.. Let's look at the other recommendations of that list, I guess.

Just because the welcome email contains the password in clear doesn't mean that they permanently store the password in their database unhashed.

First of all: I didn't claim that (although, yes, maybe that kind of got implied). [1]

But I even think this practice is useless. They just sent my password in cleartext. It sits now in my inbox and I have to delete it or I store my unprotected password. And - for what exactly? Does that serve any purpose? I just entered it a second ago.

So I question the usefulness of that approach and consider this very first contact unprofessional. YMMV and all.

1: Just tried the 'Forgot my password' dance and at least they don't retrieve it: Received mail with link to site which sends a mail with auto-generated password to log in. A bit weird, but well..

Deleting an email really isn't that onerous a task, but you are of course free to use whatever criteria you wish to judge a host.

And as you point out with the "forgotten password dance", access to your email account gives an attacker access to your hosting account anyway (although not stealthily).

Again, I didn't claim it is.

This was the very first contact. Sending me passwords (same for 'temporary ones' after a reset. I consider that a cumbersome process whereas I consider the initial mail just plain "wrong") delivers more than just the text over this channel.

I read between the lines "Here's your password again from 2 minutes ago. File it away" which again is nothing I consider a good idea. The impression is that they write the digital form of a post-it note of the password for my monitor.

Is it a big issue in itself? Nope, probably not. But it certainly ruined the first impression for me and I'll walk away now. I shared that part because others might (or might not) agree and to potentially save like-minded people a registration.

No, but it does mean that anyone who's able to view your traffic or your mail box content could've seen the password (anyone controlling any router or a mail relay between you and them, or your mail service provider, or even someone with tcpdump on your LAN segment).

If your threat model includes hostile mail relays, you probably shouldn't be using bargain basement VPS providers.

Password-reset emails are also easy for an attacker to generate, and no harder for them to intercept than the welcome email.

Right, that's what GP said in the comment you replied to: that he probably should not use that VPS provider.

And yes, password-reset emails may also be a concern (not as severe, though, if reset emails are single-use and have short TTL).

But you at least know your account has been compromised.
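An added example, not from anyone in this thread, of the reset-email design mentioned above: tokens are single-use, expire after a short TTL, and only a digest of each token is stored server-side, so neither an old reset mail in the inbox nor a copy of the token table yields a usable token. The 15-minute TTL and the in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute reset window


class ResetTokenStore:
    """Issue and consume single-use password-reset tokens.

    The raw token appears only in the reset link that is emailed; the
    server keeps a SHA-256 digest, so a leaked table cannot be replayed.
    """

    def __init__(self, now=time.time):
        self._now = now              # injectable clock for testing TTL
        self._pending = {}           # token digest -> (account, expires_at)

    @staticmethod
    def _digest(token):
        # Tokens are 256-bit random strings, so a plain lookup on the
        # digest is safe: there is nothing for a timing attack to learn.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account):
        """Create a fresh token for `account`; the caller emails it as a link."""
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (account, expires_at)
        return token

    def consume(self, token):
        """Return the account if the token is valid, else None.

        The entry is removed before the TTL check, so a token can never be
        tried twice, whether the first attempt succeeded or had expired.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        account, expires_at = entry
        if self._now() > expires_at:
            return None
        return account


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")           # goes into the reset email
    print("first use:", store.consume(link_token))   # alice
    print("second use:", store.consume(link_token))  # None (single-use)
```

The welcome email that started the thread would carry nothing secret under this scheme: the account is created from the password the user already typed, and only a token like the one above ever travels over email.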

Can we please stop having this conversation every time a plain-text password is mentioned? It's a bad idea to have a recoverable password, in any form, the end.


It's not helping that you give the wrong explanation. The issue here isn't that the password is recoverable, because you don't know whether that is true. It may as well be properly bcrypted. The problem is that they sent you the plaintext password you just entered via email.

Can we please have people stop assuming that the password is recoverable just because it's put in an email when it's set.

Interesting, how would your perception change if the email included a notice saying something to the effect of, "here is your password... rest assured, we have not stored it on our system. Please memorize it and delete this email for maximum security"? Of course, you really need to protect your email as much as possible. If someone gains access to your email, they can pretty much ruin your day anyways. All they would have to do is click the "forgot password" link, wait for the email to come in to your inbox, and go from there.

Why would that help? His password was sent across an open network in plain text...

Actually - I don't think they save it at all. They kickstart a new VM with the root password and forget about it permanently.
