{"id":2451,"date":"2015-05-06T16:50:27","date_gmt":"2015-05-06T22:50:27","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2451"},"modified":"2015-05-06T16:50:27","modified_gmt":"2015-05-06T22:50:27","slug":"cloudaccess-net-stores-non-hashed-ftpsftpssh-passwords","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2015\/05\/06\/cloudaccess-net-stores-non-hashed-ftpsftpssh-passwords\/","title":{"rendered":"CloudAccess.net Stores Non-Hashed FTP\/SFTP\/SSH Passwords"},"content":{"rendered":"<p>One of the ways that security issues at a web host can lead to hosted websites getting hacked is if there is a breach that reveals users&#8217;\u00a0login details\u00a0and then the hacker\u00a0uses those to\u00a0log in to customer accounts. Not getting breached in the first place is the best way to prevent this type of thing from occurring, but other measures should be taken to limit the potential impact of a breach.<\/p>\n<p>One of the measures that needs\u00a0to be taken\u00a0is to\u00a0store passwords as securely as possible, which means storing them in hashed form. You can think of password hashing as one-way encryption. That is, the data is encrypted, but it cannot be decrypted, so the underlying password is not retrievable in normal circumstances.\u00a0With this type of password storage, when someone tries to log in, the password they input is hashed and then compared with the stored password hash to see if they are the same. With hashed passwords, even if someone gets access to the stored passwords, it would be difficult for them to do anything with them, since they would first have to crack the hashes.<\/p>\n<p>One way to spot if a password is being stored in non-hashed form\u00a0somewhere in a web host&#8217;s systems\u00a0is if it can be displayed to you, since if it were only stored in hashed form the host wouldn&#8217;t know what the underlying password is and so couldn&#8217;t show it to you. 
While we were working on a website hosted with CloudAccess.net recently, we\u00a0spotted this page in their control panel:<\/p>\n<p><a href=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/05\/cloudaccess-net-non-hashed-password.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2452\" src=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/05\/cloudaccess-net-non-hashed-password.png\" alt=\"CloudAccess.net control panel FTP\/SSH page\" width=\"857\" height=\"639\" srcset=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/05\/cloudaccess-net-non-hashed-password.png 857w, https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/05\/cloudaccess-net-non-hashed-password-300x224.png 300w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/a><\/p>\n<p>When you click on &#8220;View hidden password&#8221; it will in fact show the password for\u00a0FTP\/SFTP\/SSH, which wouldn&#8217;t be possible if the password was properly stored. Since we can&#8217;t see the underlying\u00a0systems,\u00a0we don&#8217;t know if they are storing the password in plaintext somewhere, which would be the worst case, or if they are at least encrypting it.<\/p>\n<p>Such bad security doesn&#8217;t match <a href=\"http:\/\/www.cloudaccess.net\/platform-security.html\">CloudAccess.net&#8217;s\u00a0claims about their security<\/a>. 
For example, they claim that:<\/p>\n<blockquote><p>The CloudAccess.net Platform is continually monitored and managed by specialized security experts who understand the security requirements of both the server and application.<\/p><\/blockquote>\n<p>Another claim that sounds bad, but could\u00a0be an indication that other web hosts have even worse security, is that:<\/p>\n<blockquote><p>Our managed hosting service is widely considered to be more secure than the many alternatives.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>One of the ways that security issues at a web host can lead to hosted websites getting hacked is if there is a breach that reveals users&#8217;\u00a0login details\u00a0and then the hacker\u00a0uses those to\u00a0log in to customer accounts. Not getting breached in the first place is the best way to prevent this type of thing from occurring, &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2015\/05\/06\/cloudaccess-net-stores-non-hashed-ftpsftpssh-passwords\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;CloudAccess.net Stores Non-Hashed FTP\/SFTP\/SSH 
Passwords&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-2451","post","type-post","status-publish","format-standard","hentry","category-bad-security"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2451"}],"version-history":[{"count":3,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2451\/revisions"}],"predecessor-version":[{"id":2455,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2451\/revisions\/2455"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}