Results 1 to 25 of 26
-
02-08-2014, 02:32 PM #1Junior Guru
- Join Date
- Jul 2013
- Posts
- 186
Can Hosting Companies Access My Passwords?
Hey
I have recently moved to SiteGround after I tried GoDaddy and Bluehost and I was amazed that when I submitted a support ticket for an issue concerning my account the customer support guy knew my account's password and shared it with me
so is that normal? because I know that usually passwords are protected and even the staff can't look at them but just wanna make sure and know ur opinions
Isa Al.
-
02-08-2014, 02:44 PM #2
This isn't unusual. Many providers can easily view SERVICE passwords (not client account login ones, in most cases).
For instance, WHMCS, a popular billing system used by many hosts shows service passwords in clear text visible by staff.~]# Ethernet Servers Ltd - Est. 2014! - sales @ ethernetservers.com
~]# Try out our WordPress speed tests for yourself!
~]# NVMe Web Hosting | Unmanaged VPS | Fully Managed VPS | Dedicated Servers | Domain Names
~]# Don't settle for any less than the very best - come & join our family today!
-
02-08-2014, 03:19 PM #3
The support guy sharing it with you, now that's a cause for concern. They should not be handing that out under any circumstances, IMHO.
Your one stop shop for decentralization
-
02-08-2014, 03:29 PM #4Junior Guru
- Join Date
- Jul 2013
- Posts
- 186
I was asking about my new FTP account after the migration so he told me the steps which are
FTP Host:the server's IP address......
Port: ....
Username: ....
Password: and here he said the password of my own cpanel account which turned out to be the same as my FTP
so I was afraid of privacy issues with them like my creditcard number or personal emails and etc
do you think that is dangerous or may cause problems like I may think of moving from siteground or not?
-
02-08-2014, 03:48 PM #5Web Hosting Master
- Join Date
- Nov 2007
- Location
- Dallas, TX
- Posts
- 9,064
It's potentially worth having a discussion with your host about this. They might be able to add a note to your account instructing agents to -not- share your password via plaintext in a ticket.
-mike
-
02-08-2014, 03:55 PM #6
On Cpanel servers the main account password is the same for the default email account, Cpanel and FTP. My point was, that should not be given out. If in a ticket, that's probably passed to you via email and "out there" if someone happened to be listening/reading (admittedly rare) to the server as the email passed thorough it. Via phone, did he make sure you were the account holder?
I'm not recommending you leave or stay, but it's a concern that he was willing to hand that out. It would be better to tell the user it's the "same as you chose when you signed up" instead of handing it out. If they don't know it, they should carefully verify the account before helping reset it.Your one stop shop for decentralization
-
02-09-2014, 10:33 PM #7Newbie
- Join Date
- Jan 2012
- Posts
- 14
Isa,
Often hosts have access to password for overall accounts. This is why it is recommended to change your password when you log in for the first time. Regardless of the Control panel the hosts uses, they can access your account without your password by using the root password.
I agree that the support tech should not have have given this information out. They should have a password recover system in place for such items that resets that password for you after verification of ownership. I agree with the fact that you should contact the host and bring this fact to their attention.
<<Signature to be setup in your profile>>Last edited by anon-e-mouse; 02-10-2014 at 05:34 AM.
-
02-09-2014, 10:43 PM #8Web Hosting Master
- Join Date
- Mar 2012
- Posts
- 1,421
I can confirm SiteGround do have access to the credentials related to their custom made customer control panel and cPanel. Remember their control panel is custom made, not like other host providers using WHMCS or any equivalent generic in the market.
But that is not something negative. They are doing what they do best, hosting for non experienced customers. While you might not like that practice, a person with less knowledge than you will find that reply (the one with the login details and the ftp) fabulous.
--
Edit: Shared hosting is not something you will use to share or store confidential information. If you do so, then you have a pretty bad practice there and bigger problems.Last edited by HRR--; 02-09-2014 at 10:48 PM.
--
-
02-09-2014, 10:49 PM #9Newbie
- Join Date
- Jan 2012
- Posts
- 14
Last edited by anon-e-mouse; 02-10-2014 at 05:34 AM.
-
02-10-2014, 09:56 AM #10Junior Guru
- Join Date
- Jul 2013
- Posts
- 186
My problem isn't accessing my cpanel or my website, but it is seeing my own password that should be private like what if I use for many accounts ( hosting and other things) the same password? so they will be able to access all my other accounts like fb or email. I know using the same password is bad and I don't do it but I am just saying that the passwords are set to be private and as you said they can access my hosting account without any password so why do they see my password and share it?
-
02-10-2014, 10:34 AM #11Web Hosting Master
- Join Date
- Mar 2012
- Posts
- 1,421
Well, again bad practice. You should always use a new password for everything.
--
-
02-10-2014, 10:42 AM #12Junior Guru
- Join Date
- Jul 2013
- Posts
- 186
-
02-10-2014, 10:53 AM #13Web Hosting Master
- Join Date
- May 2011
- Location
- /root
- Posts
- 630
Sharing the password is a bad practice indeed. However, with most billing systems, the passwords are viewable to the support agents. Either directly via the billing system or by viewing the welcome email sent you with your account details. A good practice is to always change the default passwords provided and not share it unless there is a valid reason for you to share it.
Most hosts also have a temporary password reset script to troubleshoot support issues which require account or email level access.|| Tecsys Solutions LLC | Outperforming the Performers!! ||
|| Outsourced Server Management and Technical Support Solutions ||
|| Now Offering Secure Managed VPS and Dedicated Servers specially setup for Hosting Providers ||
|| https://www.24x7TechnicalSupport.net || https://www.mxv.net ||
-
02-11-2014, 01:17 AM #14Newbie
- Join Date
- Feb 2014
- Posts
- 6
Some company stores the password as is but this is not a good practice to do it. If there is a security breach with the database an hacker could have access to every passwords... Leave that company
-
04-02-2014, 10:14 AM #15Temporarily Suspended
- Join Date
- Aug 2010
- Location
- Kuala Lumpur
- Posts
- 1,632
In C panel, your password is not visible. Provider has to change the password, then he can save it for future.
-
04-04-2014, 01:20 AM #16Web Hosting Master
- Join Date
- Jun 2009
- Location
- 127.0.0.1
- Posts
- 561
Yes, providing/sharing password through email is unacceptable provided the webhost has confirmed that it is the authorized user who has requested for the login credentials.
Exchanging it through ticketing system is fine.If you steal from one author, it’s plagiarism; if you steal from many, it’s research
-
04-04-2014, 07:52 AM #17
-
04-04-2014, 08:42 AM #18Web Hosting Master
- Join Date
- Jun 2009
- Location
- 127.0.0.1
- Posts
- 561
That's correct. But I've seen hosts to manually create ticket(s) for users which includes password and other vital information and only send an 'auto responder' instead of the original email itself saying a ticket is generated and they will need to login to view them.
This can be done if you're using Kayako or something similar.If you steal from one author, it’s plagiarism; if you steal from many, it’s research
-
04-04-2014, 09:06 AM #19Junior Guru Wannabe
- Join Date
- Nov 2013
- Posts
- 67
While sharing the password via support ticket may be a bad practice, your host has complete and ultimate access to every part of your account and all your files via the root user. They can log into your cPanel account, email and ftp any time they wish. A host should never do this of course but they have the ability. Basically if you don't trust your host, you should move to a company you trust, but where ever you host, the host will still have complete access.
-
04-06-2014, 12:28 PM #20
-
04-06-2014, 12:37 PM #21Web Hosting Master
- Join Date
- Jun 2009
- Location
- 127.0.0.1
- Posts
- 561
-
04-06-2014, 12:49 PM #22
Not really.
If you're using a billing system and they need access to their Cpanel account, create a text file with the info and place it in their download section in the billing system. Make sure to specify they immediately change it on logging into Cpanel so the risk is mitigated. If they can't log into the billing system, it has a password reset feature they can use to get back in.
*Never* via email or an emailed attachment.Your one stop shop for decentralization
-
04-06-2014, 01:02 PM #23Web Hosting Master
- Join Date
- Jun 2009
- Location
- 127.0.0.1
- Posts
- 561
-
04-06-2014, 01:46 PM #24Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
In theory, passwords are temporarily stored obfuscated in sessions files so with some effort they can be reversed.
Same goes with things like dovecot, they can enable mail auth debugging and view your password.
Its not just limited at that.
Plesk even has a command that can be ran to display all your passwords in plain text.Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
04-06-2014, 03:01 PM #25Web Hosting Master
- Join Date
- Mar 2013
- Posts
- 1,328
Unfortunately there are companies out there that store them as plain text.
Similar Threads
-
Hosting suggestions that allow spaces in passwords
By c2clw in forum Web HostingReplies: 18Last Post: 01-27-2013, 07:11 PM -
Rant: Off-line companies that add on-line access
By Mike - Limestone in forum Web Hosting LoungeReplies: 15Last Post: 02-13-2009, 12:32 PM -
Hosting Reseller could steal your data & passwords ?
By denis_sianto in forum Reseller HostingReplies: 10Last Post: 12-03-2008, 05:16 AM -
Plesk for Windows hosting passwords
By webizyum in forum Dedicated ServerReplies: 0Last Post: 01-22-2006, 03:57 AM -
Access Cpanel Passwords
By [UN]Jake in forum Programming DiscussionReplies: 14Last Post: 07-22-2003, 12:11 AM