Yan Pritzker photographer, entrepreneur, software engineer, musician, skier

skwpspace is Yan Pritzker's home on the web

Posted
10 July 2008 @ 2pm

Tagged
thoughts

Bluehost stores your password in plain text

This is a public service announcement to users of bluehost.com hosting: they store your account password in plain text. During my long, drawn-out battle in which they refused to own up to database problems, one of the support calls resulted in the support woman asking me for my password. When I refused to give it to her (as you always should! They should not need it), she simply read it out loud to me. So not only are they terrible at customer service, they also appear to have a very poor understanding of basic password security. You should never store plain text passwords.

I forgot to post on this when it happened, but someone just posted on my blog with another bluehost complaint, which reminded me of this. Their CEO, Matt Heaton, does not respond to emails or comments on his blog, so I don’t know of any other way of getting in touch with someone over there who might both have a clue and care enough about their customers to do something about it.


6 Comments

Posted by
Bookmarks about Ruby
1 October 2008 @ 4am

[...] – bookmarked by 4 members originally found by Aoi on 2008-09-11 Bluehost stores your password in plain text http://skwpspace.com/2008/07/10/bluehost-stores-your-password-in-plain-text/ – bookmarked by 4 [...]


Posted by
Roger Brown
13 March 2010 @ 2pm

For what it's worth, that has since changed. Now their support can ask for the last 4 of the password, enter it into a form, and then it reports whether it was correct or not.


Posted by
yan
13 March 2010 @ 6pm

I am curious how this new functionality works. In order to compare 4 characters of your password, wouldn’t they still have to have the plaintext password? If they were storing your password as they should, encrypted with a one-way hash function, there would be no way (as far as I know) for them to verify 4 chars of the password, unless they were also storing the last 4 characters separately hashed.

It would be great to hear directly from bluehost on how they do store your password now; however, as with all other things, they never tell customers what they are doing, never own up to any problems, and prefer to fix things quietly and secretly. So maybe they did fix this, but they sure didn’t tell the world (imagine how many people would be up in arms if they actually knew and understood the ramifications of having their password stored plaintext and known by any support employee).
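Yan's point above, that a one-way hash cannot be checked four characters at a time, illustrated as an added example (this is not code from the post or from Bluehost): a plaintext record beside a salted PBKDF2 record, full-password verification against both, and the "last four" check that only the plaintext scheme can answer. The PBKDF2 parameters and the 94-character alphabet used for the search-space count are assumptions.

```python
import hashlib
import hmac
import os
import string

# Constructed example; work factor is an assumption, tune it for your hardware.
ITERATIONS = 200_000


def store_plaintext(password: str) -> dict:
    """What the post describes: the secret itself is kept on the server."""
    return {"scheme": "plaintext", "password": password}


def store_hashed(password: str) -> dict:
    """Salted one-way hash: the server keeps only the salt and the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "digest": digest}


def verify(record: dict, attempt: str) -> bool:
    """A full-password login check works under either scheme."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["password"], attempt)
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(record["digest"], digest)


def verify_last4(record: dict, last4: str):
    """The 'last four characters' support check from the comments.

    With plaintext storage it is trivial (and an agent can just read the
    password). With a proper hash the server cannot answer: the digest depends
    on the whole password, so there is nothing to compare four characters
    against. Returns None to signal 'unanswerable'.
    """
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["password"][-4:], last4)
    return None


def last4_search_space(alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> int:
    """If a site kept a separate hash of only the last four characters, this is
    the number of candidates that hash would protect against: 94**4, small
    enough that the separate hash barely slows anyone down."""
    return len(alphabet) ** 4
```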


Posted by
stinga
14 March 2010 @ 11am

Nope, they still store it in plain text. I know this because they just sent it to me!
Only 8 more domains and we will no longer be giving Bluehost any money.. yaaaa!

BTW: Any service that offers a ‘forgot your password’ stores the password unencrypted; if they offer to reset it, then they store it encrypted (maybe).


Posted by
yan
14 March 2010 @ 2pm

Unbelievable…such a prominent web host can’t follow basic password security? How do we bring more attention to this? I tried posting on the CEO’s blog and no response…


Posted by
Ritesh Nadhani
7 May 2010 @ 2pm

Nope. They keep the password in plain text. I just did ‘forgot password’ and they sent me the password in plain text.

