Page 2 of 3 (results 26 to 50 of 66)
  1. #26
    Join Date
    May 2004
    Posts
    143
    Is it just my imagination, or have dreamhost stopped displaying account passwords in the control panel?

    Normally whenever I can't remember a password I pop into the control panel to look it up, and I was recently thinking that it wasn't safe practice. I had even forgotten that it is a simple thing to log on via SSH and change the password whenever you want, and it shouldn't show up in the DH control panel anymore.
    Unless their server retains the plain text passwords.

    Silly me

    It must be said that given how large a host dreamhost are, the administrative headache of people forgetting passwords would be unbearable, given the authentication process which would be required via either email or by phone.

  2. #27
    Dreamhost is by far the worst host I've ever used. Servers go down all the time! And they feel they can get away with it through their blog where they project a web2.0ish lack of formality and professionalism.

    This company is a joke.

  3. #28
    Join Date
    Oct 2003
    Posts
    9,264
    Quote Originally Posted by CouponShock:
    Dreamhost is by far the worst host I've ever used. Servers go down all the time! And they feel they can get away with it through their blog where they project a web2.0ish lack of formality and professionalism.

    This company is a joke.
    What's their blog have to do with anything?

    At any rate, I think Josh @ the blog does a great job. So does Dreamhost 'on the whole' -- an amazing operation for a company that large and with those sorts of resource allocations.

    Kudos to them as always.

  4. #29
    Join Date
    Jun 2005
    Location
    CT, USA
    Posts
    620
    Quote Originally Posted by CouponShock:
    Dreamhost is by far the worst host I've ever used. Servers go down all the time! And they feel they can get away with it through their blog where they project a web2.0ish lack of formality and professionalism.

    This company is a joke.
    You cannot please everyone, but I think from the general reviews of DreamHost I have read here it seems they do a pretty good job for their customers.

    As David said, for the size of their company they do have quite a lot of work in maintaining things, more so than a small company such as us.

    I wonder what they will be doing for those customers who will be sticking around with them after this, if they do anything at all. What do you do for or say to a customer when their password has been leaked out and their data possibly compromised?

  5. #30
    Join Date
    Oct 2003
    Posts
    9,264
    Quote Originally Posted by AH-John:
    I wonder what they will be doing for those customers who will be sticking around with them after this, if they do anything at all. What do you do for or say to a customer when their password has been leaked out and their data possibly compromised?
    You do exactly what you would in any other situation.
    1. Reassure the clients the source of the leak is resolved.
    2. Ensure that it doesn't reoccur & explain the preventative measures put in place.

    3,500 for Dreamhost is a very tiny sliver of their client base. The company has over 500 thousand domains hosted on their service.

    They didn't get to that size making critical errors. This situation won't even make a dent in their client base, nor should it. A large number of companies I know of wouldn't have even made a peep to the users affected.

  6. #31
    Join Date
    Aug 2001
    Location
    Canada
    Posts
    2,124
    Quote Originally Posted by MxHub:
    believe they have ftp into the user accounts through root pass.
    That's not possible on proftpd as far as I know.

    I've seen these same attacks on a smaller scale and they *never* involved the root password, always the user's FTP password.

    And hashing a password doesn't stop a determined person, just look for john the ripper.
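Two posts above touch the same storage question: the panel showing passwords back to the user (so they were kept in plaintext), and the remark that hashing "doesn't stop a determined person, just look for john the ripper". The following is an added example, not Dreamhost's code and not anything posted in the thread, that builds the same two accounts three ways (plaintext, unsalted MD5, salted PBKDF2) and runs a wordlist against the last two. The account names, passwords, wordlist and iteration count are constructed for the example; the point it shows is that a weak password falls either way, but a salt forces the attacker to pay the full cost per user and the slow KDF makes each guess expensive, while an unsalted fast hash is cracked for every user at once with one pass over the wordlist.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the thread): two accounts and a tiny
# wordlist of the kind a cracker feeds to john the ripper.
SAMPLE_USERS = {"alice": "letmein", "bob": "vR9!qz-not-in-any-list"}
WORDLIST = ["123456", "password", "letmein", "dreamhost", "qwerty", "hunter2"]
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to ~100 ms per guess


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """The stronger scheme: per-user random salt plus an iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iter": iterations, "hash": dk.hex()}


def verify_pbkdf2(password: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iter"])
    # constant-time comparison so the verifier does not leak matching prefixes
    return hmac.compare_digest(dk.hex(), record["hash"])


def build_stores(users: dict = SAMPLE_USERS):
    """Return the same accounts as a plaintext store (what a panel that can
    display passwords implies), an unsalted-MD5 store and a salted-PBKDF2 store."""
    plaintext = dict(users)
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: pbkdf2_record(p) for u, p in users.items()}
    return plaintext, unsalted, salted


def crack_unsalted(store: dict, wordlist: list) -> tuple:
    """Hash each candidate once and look it up against every user's hash.
    Work is len(wordlist) no matter how many users leaked."""
    table = {md5_unsalted(w): w for w in wordlist}
    found = {u: table[h] for u, h in store.items() if h in table}
    return found, len(wordlist)


def crack_salted(store: dict, wordlist: list) -> tuple:
    """With a per-user salt every user costs a fresh KDF run per candidate,
    and each run is deliberately slow. Weak passwords still fall (the post's
    point); a strong one costs the attacker the whole wordlist for nothing."""
    found, work = {}, 0
    for user, record in store.items():
        for candidate in wordlist:
            work += 1
            if verify_pbkdf2(candidate, record):
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    plaintext, unsalted, salted = build_stores()
    print("plaintext store leaks everything:", plaintext)
    print("unsalted md5 cracked:", crack_unsalted(unsalted, WORDLIST))
    print("salted pbkdf2 cracked:", crack_salted(salted, WORDLIST))
```

The `work` counters are the thing to look at: the unsalted store costs six MD5 computations for both users together, the salted store costs nine PBKDF2 runs and still only yields the weak password. Real crackers also add rules and GPUs, so the hash alone is never the defence; it only buys time for the forced reset that Dreamhost's update describes.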

  7. #32
    I'm so glad that I have cancelled with them, but it's not a very good thing for their marketing. 3,500 passwords is a huge amount, not to mention the fact that quite a few of them will use the same password for online banking etc.

  8. #33
    not to mention the fact that quite a few of them will use the same password for online banking etc
    If you use the same password for online banking as you do for your webhosting then you pretty much are asking for trouble.

  9. #34
    Quote Originally Posted by voipfc:
    Is it just my imagination, or have dreamhost stopped displaying account passwords in the control panel?
    It's not just your imagination


    Quote Originally Posted by MyfilePlaceServ:
    I'm so glad that I have cancelled with them, but it's not a very good thing for their marketing. 3,500 passwords is a huge amount, not to mention the fact that quite a few of them will use the same password for online banking etc.
    Any online banking service that doesn't use a double challenge password response system (preferably an external codebox) is a service that you should not use under any circumstance.

    If the bank uses a single sign-on password that, on top of that, you as a client are allowed to pick yourself, that is just foolish.
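The "external codebox" scheme the post above recommends is a challenge-response second factor. Here is an added example of the exchange with both sides written out (not code from any bank, from Dreamhost or from the thread): the bank and a per-customer token share a secret, each login gets a fresh random challenge, and the token's answer is an HMAC over that challenge. Class names, the eight-digit code format and the message flow are assumptions made for the example. It shows what the poster is getting at: a leaked static password alone does not log in, a code overheard during one login does not replay against the next challenge, and a challenge is consumed after one use.

```python
import hashlib
import hmac
import os


def _pw_hash(password: str, salt: bytes) -> bytes:
    # the static password is still stored hashed; it is just no longer enough
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Codebox:
    """The token in the customer's hand (assumed design: HMAC over the challenge)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def answer(self, challenge: bytes) -> str:
        mac = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # short decimal code the customer can type in
        return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """The server side: issues challenges and verifies password + code."""

    def __init__(self):
        self._accounts = {}  # user -> (salt, password hash, token secret)
        self._pending = {}   # user -> outstanding challenge, consumed on use

    def enroll(self, user: str, password: str) -> Codebox:
        salt, secret = os.urandom(16), os.urandom(32)
        self._accounts[user] = (salt, _pw_hash(password, salt), secret)
        return Codebox(secret)  # handed to the customer out of band

    def challenge(self, user: str) -> bytes:
        # Message 1, bank -> customer: a fresh random nonce for this login only
        c = os.urandom(16)
        self._pending[user] = c
        return c

    def login(self, user: str, password: str, code: str) -> bool:
        # Message 2, customer -> bank: password plus the token's answer
        if user not in self._accounts:
            return False
        salt, pw_hash, secret = self._accounts[user]
        challenge = self._pending.pop(user, None)  # one answer per challenge
        if challenge is None:
            return False
        pw_ok = hmac.compare_digest(_pw_hash(password, salt), pw_hash)
        code_ok = hmac.compare_digest(Codebox(secret).answer(challenge), code)
        return pw_ok and code_ok


if __name__ == "__main__":
    bank = Bank()
    box = bank.enroll("alice", "leaked-password")
    c = bank.challenge("alice")
    print("password + token answer:", bank.login("alice", "leaked-password", box.answer(c)))
    bank.challenge("alice")
    print("password alone:", bank.login("alice", "leaked-password", "not-a-code"))
```

The property that matters for this thread is in `challenge()` and the `pop()` in `login()`: because the nonce is random per attempt and discarded after use, the 3,500 leaked passwords would have been worth nothing at a bank that ran this scheme.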

  10. #35
    Join Date
    Apr 2001
    Location
    Pittsburgh, PA
    Posts
    1,306
    Quote Originally Posted by voipfc:
    Is it just my imagination, or have dreamhost stopped displaying account passwords in the control panel?
    They used to do that?! Holy Moly.

    Kevin

  11. #36
    Join Date
    Jul 2006
    Posts
    99


    Quote Originally Posted by Hard Rock:
    If you use the same password for online banking as you do for your webhosting then you pretty much are asking for trouble.
    That's what I was worried about!

  12. #37
    Does dreamhost use anything like disabling ftp logins after X number of failed attempts?
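The lockout plumsauce asks about is easy to state and worth seeing run. What follows is an added example, not Dreamhost's code and not posted by anyone in the thread, that reviews proftpd-style syslog lines and flags a source after a threshold of failed logins inside a time window. The log lines are constructed for the example in proftpd's syslog style (assumed format; the year is assumed to be 2007 because syslog timestamps carry none), and the thresholds are arbitrary. It also carries a second, assumed heuristic that a plain lockout rule lacks: one source successfully logging into many distinct accounts with no failures at all, which is what using a stolen password list looks like in the log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in proftpd's syslog style (assumed format, not
# taken from the thread). First block: a password-guessing burst from one
# source. Second block: one source walking several accounts, each on the
# first try, as a stolen password list would allow.
SAMPLE_LOG = """\
Jun  7 18:00:01 web1 proftpd[4101]: web1 (198.51.100.7[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jun  7 18:00:03 web1 proftpd[4102]: web1 (198.51.100.7[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jun  7 18:00:04 web1 proftpd[4103]: web1 (198.51.100.7[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jun  7 18:00:06 web1 proftpd[4104]: web1 (198.51.100.7[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jun  7 18:00:07 web1 proftpd[4105]: web1 (198.51.100.7[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jun  7 18:00:09 web1 proftpd[4106]: web1 (198.51.100.7[198.51.100.7]) - USER alice: Login successful.
Jun  7 18:10:00 web1 proftpd[4201]: web1 (203.0.113.9[203.0.113.9]) - USER bob: Login successful.
Jun  7 18:10:02 web1 proftpd[4202]: web1 (203.0.113.9[203.0.113.9]) - USER carol: Login successful.
Jun  7 18:10:05 web1 proftpd[4203]: web1 (203.0.113.9[203.0.113.9]) - USER dave: Login successful.
Jun  7 18:10:07 web1 proftpd[4204]: web1 (203.0.113.9[203.0.113.9]) - USER erin: Login successful.
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\(\S+\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+?)"
    r"(?P<failed> \(Login failed\))?: (?P<msg>.*)$"
)


def parse_ts(ts: str, year: int = 2007) -> datetime:
    # syslog timestamps have no year; the caller supplies one (assumed 2007 here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def review_log(text: str, threshold: int = 5, window_s: int = 600,
               stuffing_threshold: int = 3) -> list:
    """Return (kind, ip, user) events. 'lockout' fires when one source has
    >= threshold failures inside window_s seconds; 'login_while_locked' marks
    a success that a live lockout would have refused; 'many_accounts_one_source'
    (assumed heuristic) fires when one source reaches stuffing_threshold
    distinct successful accounts, which a failure-count rule never sees."""
    failures = defaultdict(deque)   # ip -> recent failure timestamps
    locked = {}                     # ip -> time the lockout triggered
    accounts = defaultdict(set)     # ip -> distinct accounts logged into
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        t, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        if m["failed"]:
            q = failures[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:  # slide the window
                q.popleft()
            if len(q) >= threshold and ip not in locked:
                locked[ip] = t
                events.append(("lockout", ip, user))
        else:
            if ip in locked:
                events.append(("login_while_locked", ip, user))
            accounts[ip].add(user)
            if len(accounts[ip]) == stuffing_threshold:
                events.append(("many_accounts_one_source", ip, None))
    return events


if __name__ == "__main__":
    for event in review_log(SAMPLE_LOG):
        print(event)
```

Run with `stuffing_threshold` set high enough to disable the second rule and only the first source is reported; the source using already-known passwords never fails a login, so a lockout on failed attempts, whatever X is, cannot see it. That is the sense in which the reply below is right that brute force is not the cause here, and why the forced reset in Dreamhost's update is the fitting response rather than a tighter lockout.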

  13. #38
    Quote Originally Posted by plumsauce:
    Does dreamhost use anything like disabling ftp logins after X number of failed attempts?
    Probably; however, brute force is not a cause of the problem.

    There's been an update to the Dreamhost status blog:
    UPDATE: 2007/06/07 6:49PM PDT - We are in the middle of a more thorough investigation and some new information has turned up. While we did detect some unauthorized access to our user web control panel, in at least some cases it looks like that may not be to blame for the compromised ftp accounts. In some isolated cases it appears that there may be security problems on end-user computers as well. If you have been affected by this, please do whatever checks on your own computer you can as a precaution. Our investigation is covering all possible attack points and this is one of the possibilities.
    Also note that we now have confirmed information that these ftp account hijackings are happening on other web hosts as well and it looks very likely like there’s more to this situation than just the security problem we detected within our own system.
    We are now forcing all of the affected users who have not yet changed their passwords to do so before they will be able to upload anything again. This is necessary so we can continue to monitor the situation and see clearly what’s going on.

  14. #39
    The story made it to The Register (via digg).

  15. #40
    Frankly, you have got to give it to them to own up to it and take measures like a responsible company should. I am not saying being hacked is a good thing, just that many users do not understand the complexities in securing servers, especially shared servers chock-full of 3rd party software such as control panels. As a sysadmin, you potentially need to block hundreds, or thousands, of possible ways to exploit a system, but a hacker need only find one hole to render all your other protections fruitless. That's not all; it's a moving target, with new exploits and vulnerabilities discovered daily, some of which are not even disclosed and are simply used by hackers to do their dirty work.

    So I think you guys should give them a bit of credit for their response, and also think from the shoes of the host. Frankly, this could have happened to any host, and I am personally sure that most hosts are probably vulnerable, just unknowingly so, or that the hackers aren't really interested enough in them to invest sufficient effort to break in.

  16. #41
    Yes, I agree in that Dreamhost has been fairly open about all of this. However, as it looks now it was a hole in their own control panel in combination with passwords being shown in cleartext that brought all of this on, which is quite a dodo on Dreamhost's behalf.

    But in any case; Dreamhost provides a super service for the price they are charging and there are a lot of knowledgeable people over at that company.

  17. #42
    Quote Originally Posted by voipfc:
    Is it just my imagination, or have dreamhost stopped displaying account passwords in the control panel?

    Normally whenever I can't remember a password I pop into the control panel to look it up, and I was recently thinking that it wasn't safe practice. I had even forgotten that it is a simple thing to log on via SSH and change the password whenever you want, and it shouldn't show up in the DH control panel anymore.
    Unless their server retains the plain text passwords.

    Silly me

    It must be said that given how large a host dreamhost are, the administrative headache of people forgetting passwords would be unbearable, given the authentication process which would be required via either email or by phone.

    You're right, the panel did use to show the passwords, which means they were being stored in the 'central database' (the one connected to the panel, and to webmail - regardless of which server your website runs off, and which is often unresponsive or down).

    The update implies that evil hackers got into the panel (with elevated privileges, you would assume), but at the same time tries to blame users. Hmm.

    I've noticed that in their analog stats config files they exclude https://uebernet.dreamhost.com/ from the referrer stats. When you visit this URL now, you get an access denied error - before, there was a login screen identical to the panel for regular customers. So, it would appear that this 'ueber' control panel was hacked into, and also showed passwords in plain text.

  18. #43
    Join Date
    Nov 2004
    Location
    Dallas
    Posts
    740
    Geeez, just a few days ago I was considering hosting some backup files with them, but at the end I decided to go with hostgator.... close call hahaha, that sucks

  19. #44
    Quote Originally Posted by osphere:
    Geeez, just a few days ago I was considering hosting some backup files with them, but at the end I decided to go with hostgator.... close call hahaha, that sucks
    Even if Dreamhost is our competitor, I feel everyone should cut them some slack for the way DH handled it after getting the hint. Some determined hacker did this, and DH have their own panel; they came out open about it and the thing is being sorted. So this should not be held as a benchmark but as an incident.

    I feel for the companies/users who suffered. Apparently some big names hosting their webpages got affected too. theregister.co.uk has good coverage on this. I can't post URLs (I will soon).

  20. #45
    Join Date
    Jan 2007
    Posts
    1,107
    Quote Originally Posted by hzAndrew:
    Even if Dreamhost is our competitor, I feel everyone should cut them some slack for the way DH handled it after getting the hint. Some determined hacker did this, and DH have their own panel; they came out open about it and the thing is being sorted. So this should not be held as a benchmark but as an incident.

    I feel for the companies/users who suffered. Apparently some big names hosting their webpages got affected too. theregister.co.uk has good coverage on this. I can't post URLs (I will soon).
    I agree here. As a former DreamHost client, I don't see any indication that they have failed to properly secure their service. Stuff happens. I just hope everyone learns from the experience and does better next time.

    Meantime, it doesn't hurt to change your passwords from time to time. I notice that the new cPanel 11 -- something I've only used a short time -- rates passwords when you establish one for, say, an email account. That's helpful for those that have the new version. Maybe DreamHost should incorporate something like that in their home-grown control panel.

  21. #46
    @gene,

    well, I am sure they are going to crank up on password system now... they might even start sending passwords to any requesting user in morse code... well ok not that much.

  22. #47
    Join Date
    Jan 2007
    Posts
    1,107
    Quote Originally Posted by hzAndrew:
    @gene,

    well, I am sure they are going to crank up on password system now... they might even start sending passwords to any requesting user in morse code... well ok not that much.
    Aha, Morse code! That's the ticket

  23. #48
    it doesn't hurt to change your passwords from time to time
    They got the password list at a single point in time. Changing passwords just gives you a false sense of security if it is not accompanied by surveillance.

  24. #49
    Join Date
    Jan 2007
    Posts
    1,107
    Quote Originally Posted by plumsauce:
    They got the password list at a single point in time. Changing passwords just gives you a false sense of security if it is not accompanied by surveillance.
    No disagreement. It has to be controlled at both ends of the scale.

  25. #50
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,082
    Why is everyone giving them the Thumbs up for stepping forward? This was reported "before" they stepped up. Their announcement was a reactionary measure at best.

