
Dreamhost and Customer Privacy

I’ve had my sites hosted by Dreamhost for long enough now to be pleased with the company. It may not seem it once you finish reading this, but I do highly recommend them.

Something I’m not pleased with, however, is Dreamhost storing historical support information for each user… including any passwords… in clear readable text. It’s quite possible a majority of Dreamhost customers are not even aware this is happening. More unfortunate, it’s very likely the customers don’t comprehend “what the big deal is.”

I’ve been doing UNIX, networking and security work professionally for 13 years now. There has never been a single instance where I needed to know a user’s password for anything. Under very rare circumstances I have had to change the user’s password to something I knew, perform some tests, then have the user set his or her password back however it was. None of it has ever required me knowing the actual password.

How did I find out about the Dreamhost practice? I didn’t have to go to any trouble at all. Any customer can access his or her “Panel” (a web-based Control Panel-like area), select “Support” from the menu on the left, then select “Support History” under that menu area. This will display a paginated record of all electronic communication the customer has had with Dreamhost support.

Here was my first eye-widening experience:

[Screenshot: dreamhost-support-history0.jpg]

Here are the 2 responses I received from Dreamhost support staff when I pointed out the bogusness:

[Screenshot: dreamhost-support-history1.jpg]

[Screenshot: dreamhost-support-history2.jpg]

It was pretty clear to me from those responses that I wasn’t going to make any progress.

“But the Panel’s transactions are encrypted via SSL and getting at your information requires you to authenticate.”

Yes, and if I tell the Panel that I forgot my password, it is emailed to me over the Internet in clear text.

[Screenshot: dreamhost-support-history.jpg]

“Who cares? They’re support staff. They’re not going to do anything with your info.”

You sure about that? How about a hypothetical ex-Dreamhost staff member who collects data on the last day of his employment? This isn’t 1995 anymore. Situations like this occur on a daily basis. I’m sure you use a completely different password for every single need, too, right? Of course you do. I doubt you would be foolish enough to use your Dreamhost Panel password for your databases there, your GMail account, and other websites.

There is zero reason for anyone but me to know any password of mine. I don’t care who you are, what your role is, or how trivial you think the password-secured data is. This is Security Basics 201, and this is why every self-respecting and knowledgeable IT person in your presence will turn his or her head while you type your password and get angry with you if you blurt out your password to him or her. We vehemently do NOT WANT to know your password. It is legally damning information.

Not only do you not need to know my password, you most definitely should not be storing passwords as clear text in a “Support History” database at your hosting company.
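As an added illustration (not from the original post and not Dreamhost's code), here is a small Python model of an account and support-history store that follows the rules laid out above: passwords are kept only as salted hashes, so a “forgot password” request can issue a one-time reset token but can never mail the password back; ticket text is scrubbed of password-looking fragments before it is persisted to history; and support staff who need to test an account generate their own temporary password, which the user must change afterwards. The redaction pattern, the PBKDF2 work factor and the class names are assumptions for this example.

```python
import hashlib, hmac, os, re, secrets

ROUNDS = 100_000  # PBKDF2 work factor (assumed value for this example)

def hash_password(password, salt=None):
    """Keep only a salted PBKDF2-SHA256 digest; the plain text is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"pbkdf2_sha256${ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Hypothetical heuristic for "password: xyz" / "pw=xyz" typed into a ticket body.
PASSWORD_RE = re.compile(r"(?i)\b(pass(?:word)?|pw)\b\s*[:=]\s*\S+")

def redact(text):
    """Scrub password-looking fragments before a ticket is written to history."""
    return PASSWORD_RE.sub(lambda m: f"{m.group(1)}: [REDACTED]", text)

class AccountStore:
    def __init__(self):
        self.users = {}         # login -> {"hash": str, "must_change": bool}
        self.history = []       # support history as persisted (already redacted)
        self.reset_tokens = {}  # one-time reset token -> login
    def create_user(self, login, password):
        self.users[login] = {"hash": hash_password(password), "must_change": False}
    def log_ticket(self, login, body):
        self.history.append((login, redact(body)))
    def forgot_password(self, login):
        """Return a one-time reset token to mail out; the old password cannot be recovered."""
        token = secrets.token_urlsafe(24)
        self.reset_tokens[token] = login
        return token
    def reset_with_token(self, token, new_password):
        login = self.reset_tokens.pop(token, None)  # single use
        if login is None:
            return False
        self.users[login] = {"hash": hash_password(new_password), "must_change": False}
        return True
    def support_temp_password(self, login):
        """Staff test with a temporary password they generated; the user must change it after."""
        temp = secrets.token_urlsafe(12)
        self.users[login] = {"hash": hash_password(temp), "must_change": True}
        self.history.append((login, "support set a temporary password; user must change it"))
        return temp
```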

I love you Dreamhost, but it’s time to fix this.


One Comment

  1. Posted August 16, 2006 at 7:40 pm

    That makes me very glad that I am lazy… I find it easy to memorize passwords, so most of my passwords are different auto-generated ones (the lazy part is that I was too lazy to change them to something easier).

    I agree with you about them really having no need for your password. In most cases they can use a test user and, when necessary, they can change the user password of the person in question and then have the user change it back as you said.
