  1. #1

    Help finding host that doesn't email passwords

    Hi,

    I recently attempted to switch to a new hosting company and in the process found that most of them automatically email your password back to you after you've registered. I found one that said they wouldn't, but after I registered they sent it anyway.

    I'm setting up an ecommerce site so a reasonable measure of security is required. (Sending passwords via clear text is not reasonable.)

    The excuse I got from the hosting company was to just change the password. But that doesn't work because it has already been potentially compromised by then.

    Anyway, I need a new hosting company that:

    1. Provides a reasonable measure of security.
    2. Will answer the phone and answer emails.
    3. Is never down. (or close to never down)
    4. Provides quick performance with their servers.

    Suggestions?

  2. #2
    When you register for an account you can simply contact the host and tell them you would not like your password emailed to you. Most hosts will do this for you by phone.

  3. #3
    I called about a half dozen and asked if they could do that, but only one said they could and they sent it anyway.

  4. #4
    They need to set up your account manually. This way it is not emailed to you.

  5. #5
    Join Date
    Nov 2004
    Location
    Switzerland
    Posts
    855
    Maybe you can ask and obtain your password by phone. But this doesn't mean more security. If you are not on a dedicated or a VPS at least, you are at risk. Anyway, there are many other important security concerns than emailing passwords...
    .:. Enterprise SAN Consultant .:.

  6. #6
    Join Date
    Apr 2004
    Posts
    191
    What exactly is compromised before anything is on the server?

    Simply change the password when you get it, before you put any files on the server.

    I believe you are being "tin foil hat" about security prior to there being anything to secure.

  7. #7
    Well, I do think emailing passwords is a problem. Makes me think about changing ways of doing things.

  8. #8
    Join Date
    Apr 2004
    Posts
    191
    How else do you want to provide a TEMP password to clients? Make sure you are letting them know it should be changed as soon as they login the first time.

  9. #9
    Originally posted by mr_wuss
    How else do you want to provide a TEMP password to clients? Make sure you are letting them know it should be changed as soon as they login the first time.
    Check box if you don't want your password emailed.

    Better --> Ask your customer to supply the password to a secure form.

    It's a more general issue. I was surprised at the lackadaisical response to security breaches, e.g., I reported a security issue to the host (not related to password emailing), and his response was "it's not our code -- report it to cpanel."

    Aren't there any hosts that take security seriously?

  10. #10
    Join Date
    Apr 2003
    Location
    Atlanta, Jawja
    Posts
    3,066
    I actually stopped that practice a long time ago and started putting it in our SSL'd support page. I had people sign up for an account on the forums, and they had an activation link. Then I'd tie their forum account into my support system, and give them specific instructions on how to retrieve their password with my welcome emails.

    More hosts should get away from emailing passwords and have them set up in a secured area (SSL encrypted, as well as other security measures).

    Note, this is not a plug for my services, as I've stopped accepting normal hosting accounts as of November. Just saying that it CAN be done, if a host will take that extra time to do things properly.
    Douglas Hazard - Certifiable Sports Junkie and Sports Community Enthusiast

    Host of Two Cents Radio - Follow @TwoCentsRadio on Twitter (@BearlyDoug on Twitter)

  11. #11
    Join Date
    Apr 2001
    Location
    Pittsburgh, PA
    Posts
    1,304
    Originally posted by The Bear
    Just saying that it CAN be done, if a host will take that extra time to do things properly.
    E-mailing the original password really isn't "wrong". Since it will then be changed over a secure interface, it becomes useless thereafter. I believe you'll also find that pretty much every commerce interface out there will send a new or temporary password via e-mail, or a link to generate same, when the customer has lost their password. Think eBay, Amazon, Yahoo, etc.

    Kevin

  12. #12
    Concerning the CPanel issue, what did you expect them to do? It truly isn't their software, so they can't do anything about it except for report it to CPanel.

  13. #13
    Join Date
    Dec 2004
    Location
    US
    Posts
    597
    You could choose a temporary password then change it after they setup the account.

  14. #14
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    kindfork, although eMailing PW may seem insecure to you, you have to remember that some Control Panels (WHM/Cpanel for one) will eMail it to the ServerAdmin and/or Reseller account whenever a new account is setup. What to do there?

    Also, the PW itself is only half the combination. Without the Username the PW is useless. What I personally dislike is how Control Panels (WHM/Cpanel for one) automatically uses the first 8 characters of a Domain name for the Username but at least that I can override.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  15. #15
    Join Date
    Jun 2003
    Location
    UK
    Posts
    6,601
    Actually if you are using C-Panel/WHM as root I can just login to any account on the server without a password from WHM or alternatively just use their username/root or reseller password if I need access to their control panel

    Rus
    Russ Foster - Industry Curmudgeon

  16. #16
    I think Webmasters.com don't email passwords.

  17. #17
    I don't see how this could be an issue. 90% of the time the user would change their password immediately after receiving a welcome email from their host with the password.

  18. #18
    Join Date
    Sep 2001
    Location
    Texas
    Posts
    878
    If a website needs that level of security (where emailing a temporary password causes concern before the website has been uploaded ), that website should not be in a shared hosting environment.

    We have emailed passwords for going on 6 1/2 years now. There has never been a reported issue. However, I suppose that we are an uncaring, wanna-be, non-professional webhosting company that just doesn't take time to do things the proper way.

    -Lamar
    Going out of business in our 10th year.

  19. #19
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    8,299
    Originally posted by Perfecthost
    If a website needs that level of security (where emailing a temporary password causes concern before the website has been uploaded ), that website should not be in a shared hosting environment.

    We have emailed passwords for going on 6 1/2 years now. There has never been a reported issue. However, I suppose that we are an uncaring, wanna-be, non-professional webhosting company that just doesn't take time to do things the proper way.

    -Lamar
    That was my exact thought. Shared hosting is the absolute beginning, and truthfully I don't think any kind of eCommerce based site should be on it, especially when products such as VPSs are available on the market now and Dedicated Servers being so affordable. Lately it seems (probably just my bad luck right now) that some people are expecting far too much out of a shared hosting solution, security wise, stability wise, versatility wise, and resource wise.

  20. #20

    Re: Help finding host that doesn't email passwords

    Originally posted by kindfork
    Hi,

    I recently attempted to switch to a new hosting company and in the process found that most of them automatically email your password back to you after you've registered. I found one that said they wouldn't, but after I registered they sent it anyway.

    I'm setting up an ecommerce site so a reasonable measure of security is required. (Sending passwords via clear text is not reasonable.)

    The excuse I got from the hosting company was to just change the password. But that doesn't work because it has already been potentially compromised by then.

    Anyway, I need a new hosting company that:

    1. Provides a reasonable measure of security.
    2. Will answer the phone and answer emails.
    3. Is never down. (or close to never down)
    4. Provides quick performance with their servers.

    Suggestions?
    Here's a suggestion: don't bother setting up your site at all, because you're low on the clue scale.

    You're so concerned about a nonexistent account being "compromised" that you totally overlook the fact that you're not just asking about shared hosting and all the issues that potentially go along with it, but you're setting up some sort of ecommerce site? Tell us this: do you intend to have a shopping cart on the site? If so, how exactly do YOU intend to get passwords to people? Osmosis? ESP? Or will you make them jump through an ungodly number of hoops to do something as simple as a password reset when the reality is that if you put a bunch of obstacles in front of people, they're much more likely to tell you to forget it. If you're as intent on security as you claim, it wouldn't even enter your head to go with shared hosting in the first place and you'd be more concerned with the real issues involved in running such a site.

    I love how some hosts immediately jump on this sort of thing and say it makes them rethink the way they do this. Ridiculous. If you're more worried about resetting someone's password in this way rather than having a user set an insecure password (more likely) or unsecured scripts creating havoc on a server (more likely), you have more problems than this issue, namely prioritization of what true worries should be.

  21. #21
    I would just email the host first. I have done this before where I receive an email not to email any passwords, then after the user signs up I just cancel the welcome emails and send them to a page that contains all the server information without any user information. For the password we would just use what the user entered for the client area so they would know it and it wouldn't have to be emailed. I'm not sure if you're worried about the text being stolen in the email, but if you are couldn't the password just be placed on an image and sent to you?
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  22. #22
    Join Date
    Aug 2003
    Location
    Vancouver, BC
    Posts
    1,891
    Sorry but no matter what you send them there is going to be a password of some sort. If it is a secure part of your site they are still going to need something to be a password to retrieve their site password. The only way around this is to have them create the password at signup time. That of course causes other issues but I honestly think that the few minutes before you get an email and can update your password are very unlikely that you will get hacked.
    Gary Jones

    BlueFur.com - Canada Web Hosting

  23. #23
    Join Date
    Feb 2001
    Location
    West Michigan, USA
    Posts
    9,675
    Originally posted by mr_wuss
    What exactly is compromised before anything is on the server?

    Simply change the password when you get it, before you put any files on the server.

    I believe you are being "tin foil hat" about security prior to there being anything to secure.

    Exactly. Sites that are compromised don't get that way because of an email that contained your password. In the 8 years that I've been in this business, every single case of an account being compromised has been due to the fact that the user had an insecure script running on their account.

    Think about it. Why would a "hacker" waste time scanning zillions of emails...just hoping to get one that had your hosting account password, when they could find 100s of insecure accounts just by running a simple search on a few 100 servers?

    --Tina
    Last edited by Tina J; 05-28-2005 at 06:11 PM.
    ||| 99.999% Uptime SLA!!!
    Plenty of space and bandwidth to fit your needs!
    www.AEIandYou.com - - (WP Friendly - Premium Reseller Hosting and Cheap Dedicated Servers)

  24. #24
    As someone who works in security I think this rates high on the paranoid scale. How else would you like to receive the password? How do you know that your phone line isn't being tapped and they can hear it over the phone? How do you know "they" don't have spyware on your machine with a shim that ships all information sent over SSL to a server in Russia before it is sent to the destination site?

    I would be more concerned that the vendor you host with actually has real security practices such as patching etc. than the moments from getting the initial password via email before you can change it.

  25. #25
    Join Date
    Jan 2003
    Location
    Texas, where else?
    Posts
    1,571
    I agree with the last couple of posts and the one regarding E-commerce.
    The e-mailing of a password to an empty account is useless to worry about since you can change it before uploading anything anyway.
    The biggest concern is what you are going to do about your customer's data security. I presume you are "shopping" for someone who also offers dedicated IPs for your security certificate and you will not be doing any serious level of on-line transactions. (You may just be talking about a PayPal shopping cart or something which is "off-server" from the host anyway as far as payment data)
    There would be a lot more important questions to be asking a service provider for e-commerce that are security related than the fact they e-mail you an initial password.
    While all our customers choose their own passwords during the order process we still check them on our order logs and advise (sometimes insist) they change them if they have used something obviously insecure. (and it never ceases to amaze me how many people do, not necessarily e-commerce).
    New Idea Hosting NO Overselling-Business-Grade, Shared Only! New-In House Design Team.
    High Speed & Uptime; , DIY Pro-Site Builder-Daily Backups-Custom Plans, All Dual Xeon Quad Intel servers w/ ECC DDR3 RAM SCSI RAID minimums.
    We Concentrate on Shared Hosting ...doing one thing and doing it VERY well

  26. #26
    For security reasons, I would think many hosts would NOT do this. I never took part in, or would never e-mail passwords. I know how often e-mails are hacked, browsed through, etc. and it's not a safe thing.

    Also our cPanel (for some reason.. some people say they do) doesn't send passwords or any account information. The only account information that is sent through e-mail is login name, IP, and how to access the cPanel, as the password is provided during registration.

    Edit: As someone said above, the thing with the "empty account - doesn't matter", is most users don't often change their passwords for a long time, if not ever. So many hosts just play it safe from the beginning (or should) and not send the password in the e-mail. The only time I give passwords is after verification of the client and over phone or in a support ticket.

  27. #27
    Join Date
    Aug 2003
    Location
    Vancouver, BC
    Posts
    1,891
    Originally posted by Nate-o-Tomato
    The only account information that is sent through e-mail is login name, IP, and how to access the cPanel, as the password is provided during registration.
    Okay so they have forgotten their password now what? They do not remember what password they typed in or it was a typo.
    Gary Jones

    BlueFur.com - Canada Web Hosting

  28. #28
    MH-Gary, as I said above, they have access to a support ticket system where they can reset passwords or retrieve it if it's the same as used in order. They can also call in (we see their phone # matches their account), verify them, and then reset passwords.

    Not many people actually forget the passwords they use, as it specifically states "This WILL be your account password - do not forget it".

  29. #29
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    webster13045,

    Phone is more insecure than e-mail.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.

  30. #30
    Join Date
    Aug 2003
    Location
    Vancouver, BC
    Posts
    1,891
    Originally posted by Nate-o-Tomato
    MH-Gary, as I said above, they have access to a support ticket system where they can reset passwords or retrieve it if it's the same as used in order. They can also call in (we see their phone # matches their account), verify them, and then reset passwords.

    Not many people actually forget the passwords they use, as it specifically states "This WILL be your account password - do not forget it".
    Sorry so if I were to phone you and say I lost my password for my domain (found from reverse IP) and my phone number is XXX-XXX-XXXX (found from whois) you would reset it and tell me?

    Note I'm not picking on you, just trying to understand how your system is more secure so me and everyone else here can maybe improve security.

    The only way I would say the above should be done is if you implement a security question and answer. We did this over a year ago to confirm who people are.
    Gary Jones

    BlueFur.com - Canada Web Hosting

  31. #31
    Bottom line is: you need to understand what are the real entry points or weak links that hackers or script kiddies go for. And let me offer a hint: it's not by scanning all the emails in the world.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  32. #32
    Join Date
    Jun 2004
    Location
    Northamptonshire, UK
    Posts
    324
    Why not simply always register with a different password, then log in to your CP and update to the real one you want to use? That way the first emailed password will not be any good to anyone as it will be changed immediately.

    Most hosts will email passwords out and I can see your concern, so maybe this method would solve your problem.
    Mick Beeby
    www.reyaltec.com - Quality Helm Dedicated, Reseller & Shared Windows 2003 Hosting. UK & US based servers.
    www.aspbite.com - Modular ASP Content Management System

  33. #33
    Join Date
    Nov 2004
    Location
    England
    Posts
    513
    But that doesn't work because it has already been potentially compromised by then.
    Tin foil hat alert

    Seriously, you're looking at the wrong aspects of security if you expect people will sniff the specific e-mail and cause havoc before you change the password.

    Virtually every site in the world will e-mail you your username/password upon account activation, and if not that, then they'll send a temporary hash, or something, which equates to a password, because it still allows access to your account.

    And if you're needing such security, then you've already failed by going for shared hosting - go for V*S or dedicated.
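
The alternative that posts #9, #10 and #33 describe (an emailed activation link, with the customer choosing the password on a secure form) can be sketched as below. This is an added example, not code from any poster or hosting product; `ActivationStore`, the `host.example` URL, the 24-hour lifetime and the 12-character minimum are assumptions made for illustration. The emailed token still grants access, as post #33 notes, but only once, only until it expires, and only its hash is stored server-side.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime of an emailed link
MIN_PASSWORD_LENGTH = 12        # assumed policy, not from the thread
PBKDF2_ROUNDS = 600_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ActivationStore:
    """In-memory stand-in for a host's account database (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._pending = {}   # sha256(token) -> (username, expires_at)
        self._accounts = {}  # username -> (salt, password hash)

    def issue_link(self, username, base_url="https://host.example/activate"):
        """Return the URL to email. It carries a random token, never a password."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A new link replaces any older unredeemed link for the same user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != username}
        self._pending[digest] = (username, self._now() + TOKEN_TTL_SECONDS)
        return f"{base_url}?token={token}"

    def redeem(self, token, new_password):
        """Called by the HTTPS set-password form. Returns a status string."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return "invalid"            # unknown, replaced or already used
        username, expires_at = entry
        if self._now() > expires_at:
            del self._pending[digest]
            return "expired"
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return "weak-password"      # token stays valid for a retry
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, _hash_password(new_password, salt))
        del self._pending[digest]       # single use: a copied link is now dead
        return "ok"

    def check_login(self, username, password):
        record = self._accounts.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))
```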

  34. #34
    No, I mean we try to first verify it with caller ID, and if not able to do so that way, we'd make sure we could prove the identity of the caller. We have a system like a "Question & Answer", which is one of the ways they can identify themselves. If they pay with credit cards, they are able to provide the last 4 digits, exp. date, etc.

    We wouldn't just go by their word on what their phone number is, because like you said it's easily obtainable information, unlike credit card details.

  35. #35
    Originally posted by mr_wuss
    What exactly is compromised before anything is on the server?

    Simply change the password when you get it, before you put any files on the server.

    I believe you are being "tin foil hat" about security prior to there being anything to secure.
    Paranoid maybe, as you simply change the password as stated. It does not matter if you get it on the phone. There are more security concerns than this you should be looking at.

  36. #36
    Thank you for your comments.

    Emailing passwords isn't the highest security priority, but it is prominent to the customer. Even a casual user realizes that email can be read in-route. If a prospective host says they understand the concern about emailing passwords, then it's more likely that their back-end operation is safe, also.

    Changing the password? Well, if you can get your customers to change the password in six seconds, then they'll be okay because that's about the time it would take an automated upstream sniffer to install a trojan.

  37. #37
    Join Date
    Feb 2005
    Posts
    1,128
    Originally posted by kindfork
    Thank you for your comments.

    Emailing passwords isn't the highest security priority, but it is prominent to the customer. Even a casual user realizes that email can be read in-route. If a prospective host says they understand the concern about emailing passwords, then it's more likely that their back-end operation is safe, also.

    Changing the password? Well, if you can get your customers to change the password in six seconds, then they'll be okay because that's about the time it would take an automated upstream sniffer to install a trojan.
    With all your security concerns, just get a dedicated server.

  38. #38
    Join Date
    Nov 2004
    Location
    England
    Posts
    513
    Originally posted by kindfork
    Thank you for your comments.

    Emailing passwords isn't the highest security priority, but it is prominent to the customer. Even a casual user realizes that email can be read in-route. If a prospective host says they understand the concern about emailing passwords, then it's more likely that their back-end operation is safe, also.

    Changing the password? Well, if you can get your customers to change the password in six seconds, then they'll be okay because that's about the time it would take an automated upstream sniffer to install a trojan.
    Jesus did you even take onboard any of our comments?

    Your concern about security from the point of view of e-mailing passwords is entirely misplaced.

    I'll say it again...if you're needing such security, then you've already failed by going for shared hosting - go for V*S or dedicated.

  39. #39
    Join Date
    Feb 2004
    Location
    Scotland
    Posts
    2,830
    Originally posted by kindfork
    Thank you for your comments.

    Emailing passwords isn't the highest security priority, but it is prominent to the customer. Even a casual user realizes that email can be read in-route. If a prospective host says they understand the concern about emailing passwords, then it's more likely that their back-end operation is safe, also.
    It may be prominent to you, it isn't to every user. If even the majority of people felt this way then there would be more people complaining about it here. Virtually any site on the Internet uses some form of access code by e-mail.

    A casual user realises you can get cross lines on a telephone, yet I have never heard of anyone not using the phone to pass on CC details because of that.

    Originally posted by kindfork
    Changing the password? Well, if you can get your customers to change the password in six seconds, then they'll be okay because that's about the time it would take an automated upstream sniffer to install a trojan.
    So you really think an automated sniffer is going to:

    1) scan the email
    2) find the password
    3) know it's for a hosting account
    4) find the control panel login URL
    5) login to the control panel
    6) create an FTP account
    7) find the FTP IP
    8) Connect to FTP
    9) Upload stuff

    Now, all I ask is that you look at that list and then think twice about your 6 second sniffer.

  40. #40
    I can really understand kindfork's perspective.

    Even though emailing passwords is no greater security risk (you can always clear the contents of your root folder after changing the password to get rid of any uploaded material), then it is remarkable that NOT EVEN ONE hosting company is able to create the account without emailing the password as he/she requests...

    I mean, how hard can that be! When a company can't do anything THAT SIMPLE, I wouldn't sign up with them even for hosting my dog's homepage...
    MP Hosting
    http://mphosting.net
