
Webhosting company able to unhash passwords?

@Welton855

Posted in: #Password #Security #WebHosting

Tonight I was using the cPanel of a web-site I host and when I went to change the password I received a warning that I couldn't change the password to my desired password because it was too similar to my previous password.

Now this immediately raised my eyebrow, because it means that, to be able to compare the string of my new password to my previous password, they are either storing it in plain text (surely not for a webhosting company), or storing it with an algorithm that can be decrypted (which isn't really much better)?

Or is this an issue with cPanel as a whole? Earlier this week I signed up for a plan with a .com company that uses cPanel and I noticed when I entered my password on the next screen it said your password was successfully changed to "xxxxx"... I don't know if this data was ever stored but I haven't put anything on this site due to this concern.

Is it possible that they are using an encryption technology like PGP to decrypt the password?

I have e-mailed both companies asking for clarification on this issue but I fear I'll only get "company speak" back from them.

I'm not sure this question exactly fits in with SO's Q&A structure; however, password security is one of the most important things on the internet IMO, and if the company hosting your websites has poor security then that is a serious issue.


4 Comments


@Rambettina238

Maybe they're storing hashes of portions of your passwords. That could allow them to detect similarities without storing your password, or any portion, as cleartext, but I think it also defeats the security of hashing the password, at least somewhat.


@Jessie594

First of all, PGP is used to encrypt using private and public keys. It has nothing to do with your password or the algorithm used to encrypt it on a hosting server. It's highly likely an MD5 hash is used to store the password. A clear-text version may be stored for the sole reason of keeping you from using the same or similar passwords in the future. My hosting company makes you use 8 chars minimum: upper case, lower case, and a number.

I don't agree with companies using parts of a password to verify that you are the site owner when speaking with support. A better practice IMO is to hash the passwords, not store a clear-text version, and if you forget your password, use tokens to let you change it. And matching MD5 hashes from previous to new passwords is simple enough to prevent you from using the same password.

Before hashing a password companies can simply check if you've met their minimum requirements of character length and type.

If companies are using cPanel you're not likely going to find any variation in the password algorithm. So you can look at GoDaddy and others who have their own control panels.

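Both Rambettina's idea of hashing password fragments and Jessie's point about matching hashes of the previous and new password raise the same question: how can a host reject a reused or similar password without keeping plaintext? The added example below (not cPanel's code and not from any poster here) shows the usual answer: the change form requires the current password, so both plaintexts exist in memory only for that one request, storage holds a salted PBKDF2 hash, exact reuse is detected by verifying the new password against the stored hash, and similarity is measured between the two submitted plaintexts. The iteration count, similarity threshold and sample passwords are constructed values, not any real provider's settings.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed parameters for the example (assumptions, not cPanel's real settings).
PBKDF2_ITERATIONS = 200_000
SIMILARITY_LIMIT = 0.6   # reject a new password sharing more than 60% of its text with the old one


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex' from salted PBKDF2-HMAC-SHA256; only this string is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def too_similar(old: str, new: str) -> bool:
    """Similarity check run only on the two plaintexts present in the change request."""
    a, b = old.lower(), new.lower()
    if b in a or a in b or b == a[::-1]:          # trivial edits: case change, prefix/suffix, reversal
        return True
    return SequenceMatcher(None, a, b).ratio() > SIMILARITY_LIMIT


def change_password(stored: str, current: str, new: str) -> Tuple[bool, str, str]:
    """Simulate a change-password form; returns (ok, message, record to store)."""
    if not verify_password(current, stored):
        return False, "current password incorrect", stored
    if verify_password(new, stored):               # exact reuse: detectable from the hash alone
        return False, "new password must differ from the old one", stored
    if too_similar(current, new):                  # near reuse: needs both plaintexts, available only now
        return False, "new password too similar to the old one", stored
    return True, "password changed", hash_password(new)   # old plaintext is never written anywhere


if __name__ == "__main__":
    record = hash_password("Correct-Horse-1")
    print(change_password(record, "Correct-Horse-1", "Correct-Horse-2")[1])
    print(change_password(record, "Correct-Horse-1", "Tr0ub4dor&3")[1])
```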

@Ogunnowo487

Your assumptions are generally true. But without looking into the cPanel code myself, I don't know what the actual situation is. However, there is such a thing as locality-sensitive hashing.

Unlike a normal hashing algorithm, where you want even minimal changes to produce huge differences, locality-sensitive hashing produces hashes that reflect the similarity/distance between the original unhashed texts. But I don't believe these are actually meant to be used as cryptographic hashes. They're more often used for similarity searches (like image searching).


@Caterina187

It sure seems that somehow a plaintext version of your password is retrievable, which is bad practice.

Hopefully your password is encrypted at least, but one should not count on it.

It's good that you point this out to your webhost!
