
Embarrassingly... no. Our login/authentication system was written in 1999, and it shows -- we store panel login passwords using symmetric encryption, and send out the decrypted password when you request it.

Getting this fixed was already on our to-do list. This incident has moved it up to near the top of the list (competing with a few other security-related tasks).



I have always been bothered about cpanel passwords coming through in plain text. To confirm, is this the same storage system with mail passwords also?

Shell passwords - they're hashed, but are they salted? If not, can they be in future?

Thanks for your time.


I've been happy with Dreamhost's service, but becoming aware of this in the last few months has forced me to look into other registrars. If this is fixed, I would be much more inclined to stay.

If you could forward these articles to whoever's working on security, I'd appreciate it (and they're a good read): http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracki... http://chargen.matasano.com/chargen/2007/9/7/enough-with-the...
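The thread above contrasts three ways of storing a login password: reversible symmetric encryption (the server can hand the plaintext back, so anyone who obtains the database and the key gets every password), an unsalted hash (not reversible, but one precomputed table of digests cracks every account that chose a common password, which is what the linked "rainbow hash" article describes), and a salted hash (each user gets a random salt, so a table has to be rebuilt per user). The following is an added illustration of the second and third schemes, not code from Dreamhost or from anyone in the thread. It assumes SHA-1 as a stand-in for whatever unsalted hash the shell passwords use (the page does not say), PBKDF2-HMAC-SHA256 as the salted alternative, and a constructed list of five common passwords in place of a real rainbow table.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for an attacker's precomputed dictionary (a real
# rainbow table would hold millions of entries; five are enough to show
# the mechanism).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "dreamhost"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: the same password always yields the same digest, for
    every user, so digests can be looked up in a table built in advance."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(candidates) -> Dict[str, str]:
    """The attacker hashes every candidate once, ahead of time."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Table lookup: O(1) per account, no hashing needed at crack time."""
    return table.get(stored_digest)


# Hardened scheme: a random per-user salt plus a deliberately slow key
# derivation. ITERATIONS is an illustrative value, not a recommendation.
ITERATIONS = 50_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$dk'.
    A caller-supplied salt is only for deterministic tests; production
    callers leave it None so os.urandom picks a fresh 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify_record(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time. Nothing here can produce the plaintext again: the server
    can only check a candidate, never 'send out' the password."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def stored_digest(record: str) -> str:
    """The part of a salted record an attacker would try to look up."""
    return record.split("$")[3]


def demo() -> dict:
    """Two users who both chose 'letmein', under each scheme."""
    table = precomputed_table(COMMON_PASSWORDS)

    alice_weak = unsalted_hash("letmein")
    bob_weak = unsalted_hash("letmein")

    alice_rec = make_record("letmein")
    bob_rec = make_record("letmein")

    return {
        # Unsalted: identical digests, and the table cracks them instantly.
        "weak_digests_identical": alice_weak == bob_weak,
        "weak_cracked_as": crack_unsalted(alice_weak, table),
        # Salted: different records for the same password, table lookup fails.
        "salted_records_identical": alice_rec == bob_rec,
        "salted_cracked_as": crack_unsalted(stored_digest(alice_rec), table),
        # The server can still authenticate both users.
        "alice_login_ok": verify_record("letmein", alice_rec),
        "bob_wrong_password_ok": verify_record("letmein1", bob_rec),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The salt does not need to be secret; it only has to be unique per record so that the attacker's precomputation cannot be shared across accounts. The iteration count is what makes guessing slow even once the salt is known, and storing it in the record lets it be raised later without breaking existing entries.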



