  1. #1
    Join Date
    May 2004
    Posts
    448

    Root Password through Email

    How will you feel if your host asks you to send the root password through email everytime you contact support? Is it safe and sensible? Please post your opinions here. Thanks.

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    I think it's better if it's done through a secure helpdesk.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    May 2003
    Posts
    475
    I think you can use public key encryption to protect the emails
    Dixiy.com - Professional Web Hosting Provider since 2002
    AutoCreation.net - Automation Solution for cPanel Hosting! + Illegal File Scanner
    WHDir.net - Your complete Web Hosting Directory with Hosting/Server Tutorials

  4. #4
    Join Date
    May 2004
    Posts
    448
    I am talking about plain email without any encryption. I want to know how people take it.

  5. #5
    Join Date
    May 2003
    Location
    Philadelphia
    Posts
    968
    I'd not do it, if they need the root pass have them call you (or you call them) and give it to them over the phone.

    If that is not something you can do, you give them an account with a predefined password (the account is locked when not needed); then, when you need support or they need access to the box, you can simply unlock the account and set the password to the predefined password.

    Now if they need root, reset your regular root password to something temporary and place that password in a text file in their home directory. When they log in to the account they'll have all the info they need to troubleshoot the problem.

    When they're done, remove the text file, lock the account and reset your root password.
    http://www.eBoundary.com - Let us help you expand your eBoundaries!
    Fast, Secure and reliable FreeBSD shared, reseller and dedicated hosting.
    FREE Peace of mind with every account!
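    The locked-account procedure in the post above, written up as a script so the open and close steps are not forgotten halfway through a ticket. This is an added example, not something posted in the thread or used by eBoundary; it assumes a Linux box with shadow-utils (usermod, chpasswd) and a support login that already exists. The account name "hostsupport" and the note file path are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): the "locked support login + temporary
# root password in a note file" procedure from post #5.
# Assumptions: Linux with usermod/chpasswd; the support login already exists.
# "hostsupport" and the note path are hypothetical names for this example.
set -eu

SUPPORT_USER="${SUPPORT_USER:-hostsupport}"
NOTE_FILE="/home/${SUPPORT_USER}/ROOT-PASSWORD.txt"

# Random password of the requested length (default 24), letters and digits only,
# so it survives copy/paste and being read out over the phone.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# Step 1 (ticket opened): unlock the support login, set a fresh temporary root
# password, and leave it in a mode-0600 note that only that login can read.
open_access() {
    tmp_root=$(gen_password 24)
    usermod -U "$SUPPORT_USER"                    # unlock the support login
    printf 'root:%s\n' "$tmp_root" | chpasswd     # temporary root password
    ( umask 077 && printf 'temporary root password: %s\n' "$tmp_root" >"$NOTE_FILE" )
    chown "$SUPPORT_USER" "$NOTE_FILE"
    echo "support access open; when the ticket closes run: $0 close"
}

# Step 2 (ticket closed): destroy the note, lock the login again, and choose a
# new permanent root password so the one the host saw stops working.
close_access() {
    if [ -f "$NOTE_FILE" ]; then
        if command -v shred >/dev/null 2>&1; then shred -u "$NOTE_FILE"; else rm -f "$NOTE_FILE"; fi
    fi
    usermod -L "$SUPPORT_USER"                    # lock the support login
    passwd root                                   # interactive: set your own new root password
}

case "${1:-}" in
    open)  open_access ;;
    close) close_access ;;
    *)     ;;   # no argument: only define the functions (file can be sourced)
esac
```

    Run `sh support-access.sh open` as root when the ticket starts and `sh support-access.sh close` when it is resolved; the support login and the temporary root password are both dead between tickets, so an old email with the password in it is worth nothing.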

  6. #6
    Join Date
    Aug 2002
    Location
    UK
    Posts
    1,040
    They certainly don't need it every time you contact them. If they will actually need to log into your server as root to solve your support problem, then of course that's a different matter.

    People do tend to email us in plain-text without prompting, but if they do that then we ask them to change the password as soon as the support query is closed.

    We suggest that our clients use PGP encrypted emails for sensitive information, but we're also working on a secure web page that'll encrypt the details and send them to us so the client doesn't have to do it manually.

    Hope that helps
    Robin Balen
    Gyron Internet Ltd - http://gyron.net/
    UK colocation, managed hosting and connectivity services with 100% uptime SLAs

  7. #7
    Join Date
    Dec 2003
    Location
    London | UK
    Posts
    234
    Cough, cough.. I think we're talking about AngelNetworkz.
    They need the password all the time because of the lack of helpdesks and remote support reps.

  8. #8
    Join Date
    Apr 2004
    Posts
    338
    Never had anyone working on it ask for it via email. Through helpdesks or over the phone, yes. Don't think it's a wise idea to send it via email. If I were asked I would email back asking for a phone number to call.

  9. #9
    Join Date
    Feb 2004
    Location
    Sofia
    Posts
    1,349
    When you sign with some Hosting Co., how are you expected to get your root password other than by plain mail? Of course, you can get first your logins to their helpdesk or whatever it is, then find your root pass there and change the helpdesk login, but I never met such simple-minded hosting guys. They always send you all their love in a letter.
    :: :: :: :: :: ::
    :: VDSP.Net :: Directory of virtual and dedi serv providers by location and price

  10. #10
    Originally posted by Imago
    When you sign with some Hosting Co., how are you expected to get your root password other than by plain mail? <snip>
    At ServInt I had to call on their toll free number for the password. That actually made a positive impression on me...

  11. #11
    Join Date
    May 2003
    Location
    Philadelphia
    Posts
    968
    Originally posted by Imago
    When you sign with some Hosting Co., how are you expected to get your root password other than by plain mail? Of course, you can get first your logins to their helpdesk or whatever it is, then find your root pass there and change the helpdesk login, but I never met such simple-minded hosting guys. They always send you all their love in a letter.
    Initial sign up is slightly different; the passwords in that email are *never* meant to be perm passwords. The 1st thing you should do when you get your account and login info is change all your passwords. Obviously some people don't, but that is the way it will always be ...
    http://www.eBoundary.com - Let us help you expand your eBoundaries!
    Fast, Secure and reliable FreeBSD shared, reseller and dedicated hosting.
    FREE Peace of mind with every account!

  12. #12
    Greetings:

    The Rfx incident leads me to believe that secure help desks may not be the answer.

    We typically provide our customers with choices:

    FAX
    Phone (though be slow and allow repetition)
    Separate emails
    Email

    Of note, I could be wrong, but I believe you would have to have a dedicated hacker having specific targets to be able to get email.

    In any event, for ongoing managed service customers, we keep the login credentials in encrypted, password protected format; and we do encourage our customers to change the passwords often (use non-dictionary words, et al.).

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  13. #13
    Join Date
    May 2004
    Posts
    448
    Originally posted by dynamicnet

    Of note, I could be wrong, but I believe you would have to have a dedicated hacker having specific targets to be able to get email.
    I do agree you need a dedicated hacker to specifically target the emails to get the password. But then there is a non-zero probability that a random hacker can get it. Anyhow, in my opinion it is a very bad practice.

  14. #14
    I would think that the individual that is actually looking for passwords to a dedicated server could be quite rare; however, I would also think that the user's PC being compromised would be a greater risk.

    An individual may not be looking for a root password to a dedicated server but if they were to gain access to someone's PC I am pretty sure they would know what to do with one if they found it while they were in there.

  15. #15
    Join Date
    May 2004
    Posts
    448
    Of course, if the user's PC is compromised it will be a big trouble. Then it becomes the user's responsibility. I am not talking about this scenario at all. But if the hosting company wants password by plain email and if the root password goes into a wrong hand, why should user suffer for it. In this case, the responsibility lies with the hosting company not user.

  16. #16
    Possible solution (feel free to criticize)

    Create a root clone just for use of the DC
    Change the password after each use.
    [AIM]: BhAaD99 :: [ICQ]: 79048062 :: [MSN/eMail]: [email protected]

  17. #17
    Join Date
    Jan 2002
    Location
    Atlanta, GA
    Posts
    1,249
    Originally posted by BhAaD
    Possible solution (feel free to criticize)

    Create a root clone just for use of the DC
    Change the password after each use.
    Well... Still didn't solve the problem of how to give them the password.

    Personally I think calling or having the host have a SSL form, PGP Email, some form of basic encryption in combination with the alias temporary root account would be my preferred method.
    char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
    I wear a gray hat

  18. #18
    Join Date
    Aug 2003
    Location
    Pittsburgh
    Posts
    3,479
    Originally posted by Studio64
    Well... Still didn't solve the problem of how to give them the password.

    Personally I think calling or having the host have a SSL form, PGP Email, some form of basic encryption in combination with the alias temporary root account would be my preferred method.
    I think he meant go ahead and send the pass plaintext as it would only be valid for so long.

  19. #19
    Yes, I most certainly did.
    This also solves the problem of using a global root pass for multiple machines which doesn't have to be handed out to each host.
    There are other &/ better ways of doing so with 'sudo', this takes a lot more time to setup though.
    [AIM]: BhAaD99 :: [ICQ]: 79048062 :: [MSN/eMail]: [email protected]
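    The sudo route mentioned in the post above, as an added example (not posted in the thread, not any host's own setup). Instead of a UID-0 "root clone", the support login gets root through sudo, authenticated with its own password, and every session is logged for review once the ticket is done. The host is only ever given the support login's password, the real root password never leaves the box, and it can be different on every machine. Assumed: sudo with /etc/sudoers.d enabled, and the hypothetical account name "hostsupport" and log path.

```shell
#!/bin/sh
# Added example (not from the thread): sudo-based support access in place of a
# UID-0 root clone. Assumptions: sudo with /etc/sudoers.d included, and a support
# login that already exists; "hostsupport" and the log path are hypothetical.
set -eu

SUPPORT_USER="${SUPPORT_USER:-hostsupport}"
SUDOERS_FILE="/etc/sudoers.d/${SUPPORT_USER}"

# The policy: any command as root, authenticated with the support user's OWN
# password; command log plus recorded session output for after-the-fact review.
sudoers_fragment() {
    cat <<EOF
# Support access for ${SUPPORT_USER}: all commands as root, own password required
Defaults:${SUPPORT_USER} log_output, logfile=/var/log/sudo-${SUPPORT_USER}.log
${SUPPORT_USER} ALL=(root) ALL
EOF
}

# Write the fragment to a temp file, syntax-check it with visudo when available
# (a broken sudoers file locks everyone out), then install it with mode 0440.
install_support_sudoers() {
    tmp=$(mktemp)
    sudoers_fragment >"$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp"
    fi
    install -m 0440 -o root -g root "$tmp" "$SUDOERS_FILE"
    rm -f "$tmp"
}

# Between tickets the login stays locked, so a support password that leaked from
# an old email opens nothing; unlocking it is the whole "hand over" step.
lock_support()   { usermod -L "$SUPPORT_USER"; }
unlock_support() { usermod -U "$SUPPORT_USER"; }

case "${1:-}" in
    install) install_support_sudoers ;;
    lock)    lock_support ;;
    unlock)  unlock_support ;;
    *)       ;;   # no argument: only define the functions
esac
```

    One-time `sh support-sudo.sh install` as root, then `unlock` when a ticket needs hands on the box and `lock` when it closes. Changing the support login's password after each use, as the post suggests, is `passwd hostsupport`; root's own password is never touched.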
