Potential security vulnerability if you use 1and1 internet hosting
<blockquote data-quote="Phil Graham" data-source="post: 1530" data-attributes="member: 430">
<p>Hello all,</p>
<p>Yesterday I called 1and1.com's customer service to change my hosting package (I am moving off of their servers and only using them as registrar). To complete my transaction they needed my account password, which I could not remember as I use LastPass.com to set up website passwords.</p>
<p>1and1 therefore sent me an email that contained my full password in plaintext, which means that their servers must store my password either in plain text, or with a reversibly decryptable storage scheme. This was not a reset request.</p>
<p>Storing the plain text of a password, or an encrypted variant of it, is not considered good security policy, as that renders those passwords accessible in the event of an attack on the servers storing the passwords.</p>
<p>If you use 1and1 hosting, make sure that your customer login password is a unique string that reveals nothing about your other passwords on any other website. Also be aware that in the event 1and1's password storage was ever compromised, an attacker would be able to log into your 1and1 account looking like you and using your real password.</p>
<p>--</p>
<p>The best-practice method for login authentication is using a "salted hash." A "salt" is random characters that are appended to your core password, and a "hash" is a one-way mathematical function that produces a fixed-length string from calculations on your salt+password. The common hashes are MD5, SHA1, and SHA256.</p>
<p>The server then stores the value of the hash, and when you log in, the hashed value of your salted password is passed to the server, which checks if the hashes match. Most major internet frameworks, like vBulletin here, WordPress, Drupal, Joomla, etc. use salted hashes.</p>
<p><em>No site admin should ever be able to send you your password; they should only be able to reset it (i.e. clear the expected hash value).</em> Any site that can send you your password is also storing it, and you are then unfortunately dependent on the server's security to protect that password.</p>
<p>Also, choose long, strong passwords that include as many character classes as a website will allow. There are "<a href="http://en.wikipedia.org/wiki/Rainbow_table" target="_blank">rainbow tables</a>" that allow lookup of hash values for common words/phrases/known passwords.</p>
</blockquote>
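The salted-hash storage and reset-only recovery described in the post above, as an added worked example that is not part of the original post or of any hosting provider's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library, which is a salted, iterated construction over SHA-256 (one of the hashes the post lists), with a fresh random salt per stored password, a constant-time comparison on login, and a reset path that replaces the stored verifier rather than recovering anything. The record format, iteration count and the `UserStore` class are this example's own choices, and the usernames and passwords in it are constructed sample values.

```python
"""Salted, iterated password hashing: store a verifier, never the password.

Added example, not code from the forum post or from 1and1. PBKDF2-HMAC-SHA256
is the standard-library construction used here; the record layout
'alg$iterations$salt_hex$hash_hex' and the iteration count are example choices.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # deliberately slow: raises the cost of offline guessing
SALT_BYTES = 16        # 128-bit random salt, unique for every stored password
HASH_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt_hex$hash_hex'.

    The salt is fresh random bytes, so two users with the same password get
    different records and a precomputed (rainbow) table of hashes is useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=HASH_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: a failed login, never a match
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


class UserStore:
    """Minimal account table that holds only verifiers (example code).

    Nothing here can hand a password back to a support agent: the only
    recovery path is reset_password(), which replaces the stored record.
    """

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self._iterations = iterations
        self._records = {}
        # Verifier for a made-up password, used so that a login attempt for an
        # unknown user costs the same time as one for a real user.
        self._dummy_record = hash_password("not-a-real-password", iterations)

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password, self._iterations)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            verify_password(self._dummy_record, password)
            return False
        return verify_password(record, password)

    def reset_password(self, username: str, new_password: str) -> None:
        """The only support action available: overwrite the verifier."""
        self._records[username] = hash_password(new_password, self._iterations)


if __name__ == "__main__":
    # Constructed sample values.
    store = UserStore(iterations=100_000)
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.authenticate("alice", "correct horse battery staple"))
    print("wrong pw:", store.authenticate("alice", "correct horse"))
    store.reset_password("alice", "a new, unrelated passphrase")
    print("old pw after reset:", store.authenticate("alice", "correct horse battery staple"))
```

Register the same password twice and the two records differ in both salt and hash, which is exactly what makes the rainbow tables the post mentions useless against this store; a malformed or foreign record is treated as a failed login rather than raising, and an unknown username is charged the same hashing cost as a real one so the response time does not reveal which accounts exist.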