  1. #1
    Join Date
    Jul 2013
    Posts
    186

    Can Hosting Companies Access My Passwords?

    Hey

    I have recently moved to SiteGround after I tried GoDaddy and Bluehost, and I was amazed that when I submitted a support ticket for an issue concerning my account, the customer support guy knew my account's password and shared it with me.

    So is that normal? I know that usually passwords are protected and even the staff can't look at them, but I just want to make sure and know your opinions.

    Isa Al.

  2. #2
    Join Date
    Jun 2011
    Location
    USA/UK/SG
    Posts
    3,636
    This isn't unusual. Many providers can easily view SERVICE passwords (not client account login ones, in most cases).

    For instance, WHMCS, a popular billing system used by many hosts, shows service passwords in clear text visible to staff.

  3. #3
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,088
    The support guy sharing it with you, now that's a cause for concern. They should not be handing that out under any circumstances, IMHO.

  4. #4
    Join Date
    Jul 2013
    Posts
    186
    Quote Originally Posted by bear View Post
    The support guy sharing it with you, now that's a cause for concern. They should not be handing that out under any circumstances, IMHO.


    I was asking about my new FTP account after the migration, so he told me the steps, which are:

    FTP Host: the server's IP address......
    Port: ....
    Username: ....
    Password: and here he said the password of my own cPanel account, which turned out to be the same as my FTP

    So I was afraid of privacy issues with them, like my credit card number or personal emails, etc.

    Do you think that is dangerous or may cause problems, like I may think of moving from SiteGround or not?

  5. #5
    Join Date
    Nov 2007
    Location
    Dallas, TX
    Posts
    9,064
    It's potentially worth having a discussion with your host about this. They might be able to add a note to your account instructing agents to -not- share your password via plaintext in a ticket.

    -mike

  6. #6
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,088
    On cPanel servers the main account password is the same for the default email account, cPanel and FTP. My point was, that should not be given out. If in a ticket, that's probably passed to you via email and "out there" if someone happened to be listening/reading (admittedly rare) to the server as the email passed through it. Via phone, did he make sure you were the account holder?

    I'm not recommending you leave or stay, but it's a concern that he was willing to hand that out. It would be better to tell the user it's the "same as you chose when you signed up" instead of handing it out. If they don't know it, they should carefully verify the account before helping reset it.

  7. #7
    Quote Originally Posted by Isa Al View Post
    Hey

    I have recently moved to SiteGround after I tried GoDaddy and Bluehost, and I was amazed that when I submitted a support ticket for an issue concerning my account, the customer support guy knew my account's password and shared it with me.

    So is that normal? I know that usually passwords are protected and even the staff can't look at them, but I just want to make sure and know your opinions.

    Isa Al.
    Isa,

    Often hosts have access to passwords for overall accounts. This is why it is recommended to change your password when you log in for the first time. Regardless of the control panel the host uses, they can access your account without your password by using the root password.

    I agree that the support tech should not have given this information out. They should have a password recovery system in place for such items that resets that password for you after verification of ownership. I agree with the fact that you should contact the host and bring this fact to their attention.

    Last edited by anon-e-mouse; 02-10-2014 at 05:34 AM.

  8. #8
    Join Date
    Mar 2012
    Posts
    1,421
    I can confirm SiteGround do have access to the credentials related to their custom made customer control panel and cPanel. Remember their control panel is custom made, not like other host providers using WHMCS or any equivalent generic in the market.

    But that is not something negative. They are doing what they do best, hosting for non experienced customers. While you might not like that practice, a person with less knowledge than you will find that reply (the one with the login details and the ftp) fabulous.

    --

    Edit: Shared hosting is not something you will use to share or store confidential information. If you do so, then you have a pretty bad practice there and bigger problems.
    Last edited by HRR--; 02-09-2014 at 10:48 PM.

  9. #9
    Quote Originally Posted by HRR1963 View Post
    I can confirm SiteGround do have access to the credentials related to their custom made customer control panel and cPanel. Remember their control panel is custom made, not like other host providers using WHMCS or any equivalent generic in the market.

    But that is not something negative. They are doing what they do best, hosting for non experienced customers. While you might not like that practice, a person with less knowledge than you will find that reply (the one with the login details and the ftp) fabulous.

    --
    This is a very valid point. In my opinion there are ways to accomplish the same results while there is more security for the end user. This is of course just my honest opinion.

    Last edited by anon-e-mouse; 02-10-2014 at 05:34 AM.

  10. #10
    Join Date
    Jul 2013
    Posts
    186
    Quote Originally Posted by TandGWeb View Post
    Isa,

    Often hosts have access to passwords for overall accounts. This is why it is recommended to change your password when you log in for the first time. Regardless of the control panel the host uses, they can access your account without your password by using the root password.

    I agree that the support tech should not have given this information out. They should have a password recovery system in place for such items that resets that password for you after verification of ownership. I agree with the fact that you should contact the host and bring this fact to their attention.

    My problem isn't accessing my cPanel or my website; it is them seeing my own password, which should be private. What if I use the same password for many accounts (hosting and other things)? Then they will be able to access all my other accounts, like FB or email. I know using the same password is bad and I don't do it, but I am just saying that passwords are set to be private, and as you said, they can access my hosting account without any password, so why do they see my password and share it?

  11. #11
    Join Date
    Mar 2012
    Posts
    1,421
    Well, again bad practice. You should always use a new password for everything.

  12. #12
    Join Date
    Jul 2013
    Posts
    186
    Quote Originally Posted by HRR1963 View Post
    Well, again bad practice. You should always use a new password for everything.
    I always do that, but I am just saying that they shouldn't see the customers' passwords, because some use the same password, which means the hosting company can now access all their personal accounts, such as email or Facebook or others.

  13. #13
    Join Date
    May 2011
    Location
    /root
    Posts
    630
    Sharing the password is a bad practice indeed. However, with most billing systems, the passwords are viewable to the support agents, either directly via the billing system or by viewing the welcome email sent to you with your account details. A good practice is to always change the default passwords provided and not share them unless there is a valid reason for you to share them.

    Most hosts also have a temporary password reset script to troubleshoot support issues which require account or email level access.

  14. #14
    Some companies store the password as is, but this is not a good practice. If there is a security breach of the database, a hacker could have access to every password... Leave that company.

  15. #15
    Join Date
    Aug 2010
    Location
    Kuala Lumpur
    Posts
    1,632
    In cPanel, your password is not visible. The provider has to change the password; then he can save it for the future.

  16. #16
    Join Date
    Jun 2009
    Location
    127.0.0.1
    Posts
    561
    Yes, providing/sharing a password through email is unacceptable provided the webhost has confirmed that it is the authorized user who has requested the login credentials.

    Exchanging it through ticketing system is fine.

  17. #17
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,088
    Quote Originally Posted by subhash View Post
    Yes, providing/sharing password through email is unacceptable...
    Exchanging it through ticketing system is fine.
    Most ticketing systems send responses to the end user via email.

  18. #18
    Join Date
    Jun 2009
    Location
    127.0.0.1
    Posts
    561
    That's correct. But I've seen hosts manually create ticket(s) for users which include the password and other vital information, and only send an 'auto responder' instead of the original email itself, saying a ticket has been generated and they will need to log in to view it.

    This can be done if you're using Kayako or something similar.

  19. #19
    Join Date
    Nov 2013
    Posts
    67
    While sharing the password via support ticket may be a bad practice, your host has complete and ultimate access to every part of your account and all your files via the root user. They can log into your cPanel account, email and FTP any time they wish. A host should never do this of course, but they have the ability. Basically, if you don't trust your host, you should move to a company you trust, but wherever you host, the host will still have complete access.

  20. #20
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Quote Originally Posted by subhash View Post
    Exchanging it through ticketing system is fine.
    No, it's not.
    It is NEVER 'fine' to send any confidential information (including CC #'s, passwords, etc) over email

  21. #21
    Join Date
    Jun 2009
    Location
    127.0.0.1
    Posts
    561
    Quote Originally Posted by twhiting9275 View Post
    No, it's not.
    It is NEVER 'fine' to send any confidential information (including CC #'s, passwords, etc) over email
    It's not fine over email. But yes from a ticketing tool, which seems to be the only alternative.

  22. #22
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,088
    Quote Originally Posted by subhash View Post
    It's not fine over email. But yes from a ticketing tool, which seems to be the only alternative.
    Not really.
    If you're using a billing system and they need access to their Cpanel account, create a text file with the info and place it in their download section in the billing system. Make sure to specify they immediately change it on logging into Cpanel so the risk is mitigated. If they can't log into the billing system, it has a password reset feature they can use to get back in.

    *Never* via email or an emailed attachment.

  23. #23
    Join Date
    Jun 2009
    Location
    127.0.0.1
    Posts
    561
    Quote Originally Posted by bear View Post
    *Never* via email or an emailed attachment.
    Agree. That's a nice procedure for sharing critical information.

    It's worth a bit of extra work.

  24. #24
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by Shinjiru Technology View Post
    In cPanel, your password is not visible. The provider has to change the password; then he can save it for the future.
    In theory, passwords are temporarily stored obfuscated in session files, so with some effort they can be reversed.

    Same goes with things like Dovecot: they can enable mail auth debugging and view your password.

    It's not just limited to that.

    Plesk even has a command that can be run to display all your passwords in plain text.

  25. #25
    Join Date
    Mar 2013
    Posts
    1,328
    Unfortunately there are companies out there that store them as plain text.
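
The alternative several posts above describe, as an added example that is not part of the thread or any host's code: the account store keeps only salted scrypt hashes, so staff have nothing to read back, and support issues a single-use, expiring reset token after verifying ownership. `CredentialStore`, the work factors and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed work factors; tune per server
TOKEN_TTL = 900                             # assumed reset-token lifetime, seconds


class CredentialStore:
    """Hypothetical account store that never keeps a recoverable password."""

    def __init__(self):
        self.accounts = {}  # username -> (salt, scrypt hash)
        self.resets = {}    # username -> (sha256 of token, expiry time)

    def _hash(self, password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)      # per-account random salt
        self.accounts[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        if user not in self.accounts:
            return False
        salt, stored = self.accounts[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def issue_reset(self, user, now=None):
        """Run by support only after ownership checks. The token goes to the
        customer through the authenticated portal; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.resets[user] = (digest, now + TOKEN_TTL)
        return token

    def redeem_reset(self, user, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.resets.pop(user, None)  # single use: any attempt consumes it
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expires or not hmac.compare_digest(digest, supplied):
            return False
        self.set_password(user, new_password)
        return True
```

A database dump from this store yields salts and hashes rather than passwords, and a ticket transcript never contains anything that still works after the reset is redeemed or expires.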
