What would you do if you realized your email hosting provider could see your passwords?

Austin ''Danger'' Powers asked:

We received an email last year from our hosting provider regarding one of our accounts: it had been compromised and used to deliver a rather generous helping of spam.

Apparently, the user had reset her password to a variation of her name (last name is something you could probably guess first time). She promptly got hacked within a week; her account sent out a deluge of 270,000 spam emails and was very quickly blocked.

So far, nothing particularly unusual. That happens. You change your passwords to something more secure, educate the user and move on.

However, something concerned me even more than the fact one of our accounts had been compromised.

Our hosting provider, in an effort to be helpful, actually quoted the password to us in the following email:

[Screenshot of the hosting provider's email, which quotes the account password in full]

I am astonished. We are due to renew our contract soon, and this feels like a dealbreaker.

How common is it for a hosting provider to be able to find out the actual password used on an account?

Do most hosting providers have an account abuse department that has more access than front-line reps (and can look up passwords if necessary), or are these guys just not following best-practice in making it possible for any of their staff to access user passwords? I thought passwords were supposed to be hashed and not retrievable? Does this mean they store everyone’s passwords in plain text?

Is it even legal for a hosting provider to be able to discover account passwords in this fashion? It just seems so incredible to me.

Before we look into changing provider, I would like some reassurance that this is not common practice, and that our next hosting provider wouldn’t also likely have things set up the same way.

Looking forward to hearing your views on this.

My answer:

Yes, it is common for ISPs and email service providers to store your password in plain text, or a format which is easily recoverable to plain text.

The reason for this has to do with the authentication protocols used with PPP (dialup and DSL), RADIUS (dialup, 802.1x, etc.) and POP (email), among others.

The tradeoff here is that if the passwords are one-way hashed in the ISP’s database, then the only authentication protocols that can be used are those that transmit the password over the wire in plain text. But if the ISP stores the actual password, then more secure authentication protocols can be used.

For instance, PPP or RADIUS authentication might use CHAP, which secures the authentication data in transit, but requires a plain text password to be stored by the ISP. Similarly with the APOP extension to POP3.

Also, the various services which an ISP offers all use different protocols, and the only clean way to have them all authenticate to the same database is to keep the password in plain text.

This doesn’t address the issues of who among the ISP’s staff has access to the database, and how well it is secured, though. You still should ask hard questions about those.

As you’ve probably learned by now, though, it’s almost unheard of for an ISP’s database to be compromised, while it’s all too common for individual users to be compromised. You have risk either way.

See also "Am I wrong to believe that passwords should never be recoverable (one way hash)?" on our sister site IT Security.

View the full question and any other answers on Server Fault.
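To make the tradeoff in the answer concrete, here is an added example (not from the question, the answer, or any provider's code) that verifies a CHAP response (RFC 1994) and an APOP digest (RFC 1939) against a record holding the actual password, and next to it the only check a salted one-way-hash record permits: the client has to hand over the password itself. The user record, password, challenge and timestamp values are constructed sample data; the RFC 1939 example digest is used to check the APOP computation.

```python
"""Why CHAP and APOP need a recoverable secret on the server, while a
hashed store can only verify a password presented in the clear.
Added illustration; computations follow RFC 1994 (CHAP) and RFC 1939 (APOP)."""
import hashlib
import hmac
import os

# --- Store style 1: provider keeps the real password (needed for CHAP/APOP) ---
PLAINTEXT_STORE = {"alice": "s3cret!"}   # constructed sample record


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): MD5(Identifier || secret || challenge).
    Client and server run the same computation, so the server must hold the secret."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    secret = PLAINTEXT_STORE.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def apop_digest(timestamp: str, password: str) -> str:
    """APOP (RFC 1939): hex MD5 of the server's <timestamp> banner plus the password."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def apop_verify(user: str, timestamp: str, digest: str) -> bool:
    password = PLAINTEXT_STORE.get(user)
    return password is not None and hmac.compare_digest(apop_digest(timestamp, password), digest)


# --- Store style 2: provider keeps only a salted one-way hash ---------------------
def make_hashed_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


HASHED_STORE = {"alice": make_hashed_record("s3cret!")}   # constructed sample record


def plain_verify(user: str, password: str) -> bool:
    """The only check a hashed record allows: re-hash the password the client sent.
    Nothing in the record lets the server recompute a CHAP or APOP digest, so the
    password itself must cross the wire (hence the need for TLS on such links)."""
    rec = HASHED_STORE.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(candidate, rec["hash"])
```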

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.