Comments on: Bluehost stores your password in plain text http://yanpritzker.com/2008/07/10/bluehost-stores-your-password-in-plain-text/ photographer, entrepreneur, software engineer, musician, skier Sat, 04 Sep 2010 20:29:08 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Ritesh Nadhani http://yanpritzker.com/2008/07/10/bluehost-stores-your-password-in-plain-text/comment-page-1/#comment-42824 Ritesh Nadhani Fri, 07 May 2010 19:10:46 +0000 http://skwpspace.com/?p=176#comment-42824 Nope. They keep in plain passoword. I just did forgot password and they sent me the password in plain text. Nope. They keep in plain passoword. I just did forgot password and they sent me the password in plain text.

]]> By: yan http://yanpritzker.com/2008/07/10/bluehost-stores-your-password-in-plain-text/comment-page-1/#comment-40575 yan Sun, 14 Mar 2010 19:00:42 +0000 http://skwpspace.com/?p=176#comment-40575 Unbelievable...such a prominent web host can't follow basic password security? How do we bring more attention to this? I tried posting on the CEO's blog and no response... Unbelievable…such a prominent web host can’t follow basic password security? How do we bring more attention to this? I tried posting on the CEO’s blog and no response…

]]> By: stinga http://yanpritzker.com/2008/07/10/bluehost-stores-your-password-in-plain-text/comment-page-1/#comment-40567 stinga Sun, 14 Mar 2010 16:39:41 +0000 http://skwpspace.com/?p=176#comment-40567 Nope, they still store in plain text, I know this because they just sent it to me! Only 8 more domains and we will no longer be giving Bluehost any money.. yaaaa! BTW: Any service that offers a 'forgot your password' store password unencrypted, if they offer to reset it then the store encrypted (maybe) Nope, they still store in plain text, I know this because they just sent it to me!
Only 8 more domains and we will no longer be giving Bluehost any money.. yaaaa!

BTW: Any service that offers a ‘forgot your password’ store password unencrypted, if they offer to reset it then the store encrypted (maybe)

]]> By: yan http://yanpritzker.com/2008/07/10/bluehost-stores-your-password-in-plain-text/comment-page-1/#comment-40538 yan Sat, 13 Mar 2010 23:39:53 +0000 http://skwpspace.com/?p=176#comment-40538 I am curious how this new functionality works. In order to compare 4 characters of your password wouldn't they still have to have the plaintext password? If they were storing your password as they should, encrypted with a one way hash function there would be no way (as far as I know) for them to verify 4 chars of the password, unless they were also storing the last 4 characters separately hashed. It would be great to hear directly from bluehost on how they do store your password now, however as with all other things they never tell customers what they are doing, never own up to any problems, and prefer to fix things quietly and secretly. So maybe they did fix this, but they sure didn't tell the world (imagine how many people would be up in arms if they actually knew and understood the ramifications of having their password stored plaintext and known by any support employee). I am curious how this new functionality works. In order to compare 4 characters of your password wouldn’t they still have to have the plaintext password? If they were storing your password as they should, encrypted with a one way hash function there would be no way (as far as I know) for them to verify 4 chars of the password, unless they were also storing the last 4 characters separately hashed.

It would be great to hear directly from bluehost on how they do store your password now, however as with all other things they never tell customers what they are doing, never own up to any problems, and prefer to fix things quietly and secretly. So maybe they did fix this, but they sure didn’t tell the world (imagine how many people would be up in arms if they actually knew and understood the ramifications of having their password stored plaintext and known by any support employee).

]]> By: Roger Brown http://yanpritzker.com/2008/07/10/bluehost-stores-your-password-in-plain-text/comment-page-1/#comment-40534 Roger Brown Sat, 13 Mar 2010 19:46:30 +0000 http://skwpspace.com/?p=176#comment-40534 For what its worth, that has since changed. Now their support can ask for the last 4 of the password, enter it into a form, and then it reports whether it was correct or not. For what its worth, that has since changed. Now their support can ask for the last 4 of the password, enter it into a form, and then it reports whether it was correct or not.

]]> By: Bookmarks about Ruby http://yanpritzker.com/2008/07/10/bluehost-stores-your-password-in-plain-text/comment-page-1/#comment-15082 Bookmarks about Ruby Wed, 01 Oct 2008 09:45:13 +0000 http://skwpspace.com/?p=176#comment-15082 [...] - bookmarked by 4 members originally found by Aoi on 2008-09-11 Bluehost stores your password in plain text http://skwpspace.com/2008/07/10/bluehost-stores-your-password-in-plain-text/ - bookmarked by 4 [...] [...] – bookmarked by 4 members originally found by Aoi on 2008-09-11 Bluehost stores your password in plain text http://skwpspace.com/2008/07/10/bluehost-stores-your-password-in-plain-text/ – bookmarked by 4 [...]

]]>