Potential security vulnerability if you use 1and1 internet hosting

[Phil Graham]

Hello all,

Yesterday I called 1and1.com's customer service to change my hosting package (I am moving off of their servers and only using them as registrar). To complete my transaction they needed my account password, which I could not remember as I use LastPass.com to setup website passwords.

1and1 therefore sent me an email that contained my full password in plaintext, which means that their servers must store my password either in plain text, or with a reversibly decryptable storage scheme. This was not a reset request.

Storing the plain text of a password, or an encrypted variant of it, is not considered good security policy, as that renders those passwords accessible in the event of an attack on the servers storing the passwords.

If you use 1and1 hosting, make sure that your customer login password is a unique string that reveals nothing about your other passwords on any other website. Also be aware that in the event 1and1's password storage was ever compromised, an attacker would be able to log into your 1and1 account looking like you and using your real password.

--

The best practices method for login authentication is using a "salted hash." A "salt" is random characters that are appended to your core password, and a "hash" is a one way mathematical function that produces a fixed length string from calculations on your salt+password. The common hashes are MD5, SHA1, and SHA256.

The server then stores the value of the hash, and when you login, the hashed value of your salted password is passed to the server, which checks if the hashes match. Most major internet frameworks, like vBulletin here, Wordpress, Drupal, Joomla, etc. use salted hashes.

No site admin should ever be able to send you your password, they should only be able to reset it (i.e. clear the expected hash value). Any site that can send you your password is also storing it, and you are then unfortunately dependent on the server's security to protect that password.

Also, choose long, strong passwords that include as many character classes as a website will allow. There are "rainbow tables" that allow lookup of hash values for common words/phrases/known passwords.

 

[Tim McCulloch]

Re: Potential security vulnerability if you use 1and1 internet hosting

Interesting and useful... I had my password list on a machine that has since crashed and so far have been unable to recover the file... my hosting is with 1and1 and the credit card that pays for it has been replaced. I'm unable to access my admin account to change things, so I'll be calling them for a password reset.

I'll be changing my PW to something more robust, too. Thanks for the heads up, Phil.

Tim Mc

 

[Charlie Zureki]

Re: Potential security vulnerability if you use 1and1 internet hosting

Hello Phil,

Thanks for that info. By the way....I'd always use something simple for my password like.... "hello, it's me" or "123abc" ...just teasing.

I'm not, by any means a computer guru...but, MSN is definitely spying on users of "hotmail.com" addresses. Depending how the account was setup...when a user logs off after checking Emails...they're not logged off.

Hammer

 

[John Roberts]

Re: Potential security vulnerability if you use 1and1 internet hosting

Yes that seems a little amateurish for 1&1, I hope you told them too. IIRC they are using some german registrar for domains and are now whining about costs (perhaps because the dollar is losing so much relative value). Funny coincidence, 1&1 called me yesterday or the day before tying to sell me some email service... nah. Note: to hackers, my servers are elsewhere too... but I still have an old acct with 1&1 and a few domains.

[rant] Passwords... Surely it isn't just me, how are we expected to possibly remember a bazillion different passwords. To make matters worse, now some high value websites, are forcing us to change these passwords every few months. The number of passwords must drive typical users to write down passwords or use some equivalent storage method, that exposes entire collections of passwords to risk.

We need facial recognition, voice , fingerprint, eyeball, whatever... if they can put movie cameras inside every telephone, how expensive is personal recognition technology?

While we will always be at risk, and no system is perfect. [/rant]

JR

 

[Silas Pradetto]

Re: Potential security vulnerability if you use 1and1 internet hosting

John, 1&1 is a German company, so the 'german registrar' is actually just them.

I am annoyed that every time I call them with a problem, they ask for my password so they can do it for me online! That is just completely unbelievable!

 

[John Roberts]

Re: Potential security vulnerability if you use 1and1 internet hosting

United Internet, their parent company is indeed German and publicly traded. There are several 1&1 subsidiaries in different countries. They only appear to have one accredited internet registrar "1&1 Internet AG" based in Germany.. My recollection is their old website information claimed a different name for the domain registrar. It might have been Schlund+Partner, one of several brands they bought, That name sounds familiar... but it has been years since I researched this and I didn't keep my old notes.

Having operations on different continents was one of the things that seemed attractive about them. Not exactly a mom and pop shop like so many web hosts out there, so the security lapse seems interesting.

JR

 

[Phil Graham]

Re: Potential security vulnerability if you use 1and1 internet hosting

Interesting and useful... I had my password list on a machine that has since crashed and so far have been unable to recover the file... my hosting is with 1and1 and the credit card that pays for it has been replaced. I'm unable to access my admin account to change things, so I'll be calling them for a password reset.

I'll be changing my PW to something more robust, too. Thanks for the heads up, Phil.

Tim Mc

Let me suggest lastpass.com

 

[Phil Graham]

Re: Potential security vulnerability if you use 1and1 internet hosting

Hello Phil,

Thanks for that info. By the way....I'd always use something simple for my password like.... "hello, it's me" or "123abc" ...just teasing.

Hammer

"hello, it's me" is an ok password, it is fairly long and has two character classes (but still uses dictionary words).

More robust would be "He110 1t's me!" as it has three character classes and only one dictionary word.

 

[John Roberts]

Re: Potential security vulnerability if you use 1and1 internet hosting

They last time my website was hacked, the puke left behind a file of dummy passwords, and while i didn't study it, IIRC they already include some common number for letter substitutions.

All technology is a double edged sword.. don't cut yourself.

JR

 

[Phil Graham]

Re: Potential security vulnerability if you use 1and1 internet hosting

They last time my website was hacked, the puke left behind a file of dummy passwords, and while i didn't study it, IIRC they already include some common number for letter substitutions.

JR

JR,

Please take my post as merely instructional as to how a password's security against attack could be improved, and not condoning of that specific password.

When allowed, I will typically use 12 character passwords with three character classes randomly generated by lastpass on a per domain basis.

 

[Silas Pradetto]

Re: Potential security vulnerability if you use 1and1 internet hosting

I use 10 to 15 digits (out of 25) of Windows Product Keys (old ones, like Windows 98) as passwords. Back when I was an IT guy at another school, I installed Windows so many times I memorized the key!

However, I think a strong password means just about nothing these days. In most cases of hacking, the entire password requirement is completely bypassed by accessing the system another way, or by keylogging the password with a Trojan or other virus. The strongest password ever wouldn't have prevented an attack in these cases.