# Security: New VPS Account Info and Emails



## tonyg (Jan 4, 2014)

I just recently signed up for a few new VPS and received the customary new VPS info.

What I could not believe was that all the nitty-gritty info was there for all to see...complete with username and password.

These VPS were through some of the best known and reputable VPS providers around.

How can in this day and age this still be part of the normal business practice?

Why not a link back and retrieve all the juicy details from the actual provider's site via https?

Tony


----------



## cubixcloud (Jan 4, 2014)

Most providers simply urge you to change your password immediately once you are given credentials you input at the time of order. Any person worried about security would IMO.


----------



## tonyg (Jan 4, 2014)

cubixcloud said:


> Most providers simply urge you to change your password immediately once you are given credentials you input at the time of order. Any person worried about security would IMO.


I understand that, but my point is:

Why send the username and password to begin with...just send a link back to the provider's site and then you can retrieve this info.


----------



## Virtovo (Jan 4, 2014)

tonyg said:


> I understand that, but my point is:
> 
> Why send the username and password to begin with...just send a link back to the provider's site and then you can retrieve this info.


If you could sniff the user/pass, you could sniff the link and retrieve anyway?


----------



## tonyg (Jan 4, 2014)

Virtovo said:


> If you could sniff the user/pass, you could sniff the link and retrieve anyway?


What...sniff the link? How would sniffing the link get them in without a username and password?

Unless they are sniffing with SSLStrip you will be fine, but that is another story.


----------



## SrsX (Jan 4, 2014)

That is why when you register you use stupid passwords, for example I usually use (not anymore): [email protected]#

Once I get given the information, I change all my passwords at the provider including server password.


----------



## BlueVM (Jan 4, 2014)

Feathur doesn't email sensitive information like passwords. Feathur uses a one-time activation link where the user sets their own password. Thus if someone were to get the URL via email it would be blatantly obvious and we'd simply issue a new unique link to the correct owner of the account.

I was hoping that other panels would change to help improve security... maybe they still will.
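The one-time activation link described above, as an added illustration of the pattern (my own example, not Feathur's code): the e-mail carries only a random token, the server stores a hash of it with an expiry, and redeeming it once consumes it, so a leaked link is useless after use and a re-issue invalidates the old one. The in-memory store, the 24-hour TTL and the 12-character minimum are assumptions.

```python
import hashlib
import secrets

# Added example of a single-use activation token. Assumed policy: links expire
# after a day, and the panel refuses very short passwords at activation time.
TOKEN_TTL_SECONDS = 24 * 60 * 60

# Constructed in-memory store: sha256(token) -> {"account": ..., "expires": ...}.
# Only the digest is kept, so a database leak does not yield usable links.
_pending = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_activation(account_id: str, now: float) -> str:
    """Create a fresh activation token for an account and return the raw token
    (this is what goes into the e-mailed URL). Any earlier link for the same
    account is revoked, which is the re-issue case described in the post."""
    for h, rec in list(_pending.items()):
        if rec["account"] == account_id:
            del _pending[h]
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _pending[_token_hash(token)] = {"account": account_id, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_activation(token: str, new_password: str, now: float):
    """Consume a token exactly once and let the user set their own password.
    Returns the account id on success, None for unknown, expired or used links.
    Raises ValueError for a too-short password and leaves the link valid for a retry."""
    h = _token_hash(token)
    rec = _pending.get(h)
    if rec is None or now > rec["expires"]:
        _pending.pop(h, None)  # expired links are discarded
        return None
    if len(new_password) < 12:  # assumed minimum; the thread notes users pick "1234"
        raise ValueError("password too short")
    del _pending[h]  # consumed: a second use of the same link fails
    # Here the panel would hash new_password and store it for rec["account"].
    return rec["account"]
```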


----------



## WebSearchingPro (Jan 4, 2014)

Unfortunately when you have thousands of customers and you do not send the password, a large bulk of your sales tickets will be resetting passwords or answering password related questions.

Keep in mind most low end customers are not security experts and a vast majority do not learn English as their primary language, so warnings at checkout are often ignored, not translated, or not read.

Edit: Of course if you allow users to set their own passwords and not deal with it at all, you will inevitably get passwords like "1234".


----------



## perennate (Jan 4, 2014)

Oh yeah, you should never enter a password you care about, because many providers store it in plaintext (SolusVM) even though the password should not be stored at all (I mean, only on the VM with the operating system's native hashing).

Our panel generates a random password and gives users the option if they want the initial VM information emailed to them (otherwise you can view it on the panel over HTTPS). Because for some people, especially if you're ordering multiple servers, it's easier to manage if everything is in your email inbox.

The best would be to show the initial password on the order page and never store it again, but that'd be inconvenient for some users who don't pay attention, and then they'd have to reimage their VM.

Also all providers should provide a way for users to get their email sent with PGP encryption (if you're using Postfix, see gpg-mailgate-web). PGP should be standard.



BlueVM said:


> It also stores passwords with far better encryption than most panels offer.


Encrypting passwords in the database is useless, you could just decrypt it with whatever the panel decrypts it with. Unless you mean hashing of course. But why store the VM password in the first place?


----------



## perennate (Jan 4, 2014)

BlueVM said:


> Feathur doesn't email sensitive information like passwords. Feathur uses a one-time activation link where the user sets their own password. Thus if someone were to get the URL via email it would be blatantly obvious and we'd simply issue a new unique link to the correct owner of the account.
> 
> I was hoping that other panels would change to help improve security... maybe they still will.


You edited your post but as far as I can tell you're still talking about the control panel password and not the VM password. What do you do with the VM password?


----------



## BlueVM (Jan 4, 2014)

perennate said:


> You edited your post but as far as I can tell you're still talking about the control panel password and not the VM password. What do you do with the VM password?


Feathur doesn't store the VM password at all. The user can change their VM password in Feathur, but Feathur just issues the commands to set it then drops the password from memory. 

The only passwords stored by Feathur are the account passwords and they're hashed with SHA256 at 50,000 rounds with a global and a user unique salt.
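The scheme described above (iterated SHA-256 with a global salt plus a per-user salt), as an added example written by me rather than taken from Feathur: the global salt is applied as an HMAC key so it can live outside the database, the per-user salt is random and stored next to the digest, PBKDF2-HMAC-SHA256 supplies the 50,000 iterations, and verification uses a constant-time compare. The last function expresses brute-force cost in the hashes-per-second terms used later in the thread and shows how the round count divides an attacker's raw hash rate. The constant names and the global-secret value are assumptions.

```python
import hashlib
import hmac
import os

# Added example of salted, iterated SHA-256 password storage. Not the panel's own code.
ROUNDS = 50_000
# Assumed: in practice load this from a config file, not from the database.
GLOBAL_SALT = b"constructed-global-secret-keep-out-of-the-db"


def hash_password(password: str, user_salt=None):
    """Return (user_salt, digest). A fresh 16-byte random salt is drawn when none is given,
    so two users with the same password get different digests."""
    if user_salt is None:
        user_salt = os.urandom(16)
    # Bind the password to the global secret first, then stretch it with the per-user salt.
    peppered = hmac.new(GLOBAL_SALT, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, user_salt, ROUNDS, dklen=32)
    return user_salt, digest


def verify_password(password: str, user_salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored per-user salt and compare in constant time."""
    _, candidate = hash_password(password, user_salt)
    return hmac.compare_digest(candidate, stored_digest)


def years_to_exhaust(candidates: int, raw_hashes_per_second: int, rounds: int = ROUNDS) -> float:
    """Time to try `candidates` guesses when every guess costs `rounds` SHA-256 calls.
    The iteration count multiplies the attacker's work by the same factor."""
    seconds = candidates * rounds / raw_hashes_per_second
    return seconds / (60 * 60 * 24 * 365)
```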


----------



## willie (Jan 4, 2014)

Yeah, emailing passwords is pretty common practice.  It's also typical to have a link to reset your password by email.  That lets someone with access to your email get to your control panel and take over your VPS anyway.  Most KVM hosts I know of also make you configure your server through unencrypted VNC.   

Usually when I set up a VPS the first thing I do is install SSH public keys and then lock out all the ssh passwords.  The web passwords get reset to random ones through the (hopefully) SSL web server.  Sure it would be an improvement for hosts to stop sending passwords in the clear and to have 2-factor auth for control panels etc. But there is still that password reset link and I've had to use it a few times.  Any much more secure way to authenticate a user who has locked himself/herself out would be outside the price range for this type of service.  

Budget VPS's are great for the money but it's not really sensible to think of them as high-security products.


----------



## tragic (Jan 4, 2014)

Just like other providers, we urge our customers to change their password and we mention this in the email.


----------



## cubixcloud (Jan 4, 2014)

tonyg said:


> I understand that, but my point is:
> 
> Why send the username and password to begin with...just send a link back to the provider's site and then you can retrieve this info.


Mostly due to limitations of the software and, as others said, many tickets with "hey, change my password". Back in the old days that was something you were accustomed to, and some had scripts then. But nowadays it is so trivial, why even mess around with reset password tickets.

@BlueVM since you mentioned it, Feathur might be something to look at in the future then.


----------



## tonyg (Jan 4, 2014)

perennate said:


> Oh yeah, you should never enter a password you care about, because many providers store it in plaintext (SolusVM) even though the password should not be stored at all (I mean, only on the VM with the operating system's native hashing).


That is good info, definitely something to keep in mind.

It's incredible how professional software developers can skim basic security.


----------



## Shados (Jan 4, 2014)

BlueVM said:


> Feathur doesn't store the VM password at all. The user can change their VM password in Feathur, but Feathur just issues the commands to set it then drops the password from memory.
> 
> The only passwords stored by Feathur are the account passwords and they're hashed with SHA256 at 50,000 rounds with a global and a user unique salt.


Why not use bcrypt?


----------



## budi1413 (Jan 5, 2014)

Learn from mistakes. Next time when you first register the account just use a simple password, then after you successfully registered and get the confirmation email, login and change the password to a super complex one. I do this every time for every website registration. Because I know most of them share the common characteristic of sending the password in plain text over email.


----------



## tonyg (Jan 5, 2014)

budi1413 said:


> Learn from mistakes. Next time when you first register the account just use a simple password, then after you successfully registered and get the confirmation email, login and change the password to a super complex one. I do this every time for every website registration. Because I know most of them share the common characteristic of sending the password in plain text over email.


My post was not because of a "mistake" I made.

I was pointing out an obvious flaw in the system which in today's world should not be part of normal operations.


----------



## BlueVM (Jan 5, 2014)

Shados said:


> Why not use bcrypt?


Everyone has their own preference when it comes to hashing passwords.  The point of hashing passwords is to make sure it's very hard, if not impossible, to determine the original text. SolusVM stores the client passwords in MD5, which takes about 20 minutes to generate a rainbow table and discover 90% of the passwords listed. Compare that with SHA-256 with a global and a unique salt... it'd take weeks or months to determine every password. Thus giving administrators plenty of time to make sure their clients' passwords are reset.

On top of that Feathur is open source, unlike SolusVM. So if you wanted to change to a password encryption you prefer more, the code is right there... Heck, you could even make an upgrade out of it and release it so other people can use it...


----------



## willie (Jan 5, 2014)

1. Current preference is to use scrypt rather than bcrypt.  Of course if you can hash with a secret key that's even better.

2. sha256 as a hash primitive may be disadvantaged by its popularity ;-).  There's a heck of a lot of last-generation bitcoin mining hardware out there, some of it in disreputable places, that's not really competitive for mining any more, but that still does sha256 orders of magnitude faster than is possible on normal computers.  I can't help wondering if any of it will be / has been repurposed towards breaking sha256/bcrypt which is in wide use.  I'd consider another hash function (truncated sha512t maybe) just to get in the way of that.


----------



## BlueVM (Jan 5, 2014)

@willie - Most of the ASICs are only good for generating bitcoin. You literally can't do anything else with them.

I've done some math for everyone's viewing pleasure.

In a given hunt for one 12 character password you might end up going through 2^256 hashes to find the user's password among them:

That's: 115792089237316195423570985008687907853269984665640564039457584007913129639936 hashes

---

Let's say you had 10 FPGA mining modules which could theoretically be converted for your purpose and you were able to store every single hash you generate (something bitcoin mining doesn't do). You would be generating 5,000,000 hashes per second... so at that rate you'd be able to find every password known to man in:

~734348612616160549363083365098223667258181029081941679600821816 years

(Proof: http://www.wolframalpha.com/input/?i=round%5B%28%28%28%28%282%5E256+%2F+5000000%29+%2F+60%29+%2F+60%29+%2F24%29+%2F+365%29%5D)

--

Let's say you magically came across the sum total of all mining hardware in existence and magically converted it for your purpose. Then you'd have 600 Trillion hashes per second (to my knowledge, willing to be proven wrong)... Your hardware would then be able to determine every hash in:

6119571771801337911359028042485197227151508575682847330 years

(Proof: http://www.wolframalpha.com/input/?i=round%5B%28%28%28%28%282%5E256+%2F+600000000000000%29+%2F+60%29+%2F+60%29+%2F24%29+%2F+365%29%5D)

--

So I'd say that our password hashing is safe for a while...


----------



## manacit (Jan 5, 2014)

I always set my password to something stupid, one time I did "rootpassword" because I was in a hurry. Usually I change the pass and disable pw auth completely after I get my key on there, but this time I forgot.

Two days later it was suspended because it was taking part in Chinese DDoS attacks. OOPS.


----------



## happel (Jan 5, 2014)

I would like to note that if you can't trust your email you're screwed anyway. Ever thought about the password reset function of the billing/control panel of your provider? That usually sends you a password reset link/URL in plain text! <sarcasm>All providers must turn off password reset functionality!</sarcasm>


----------



## tonyg (Jan 5, 2014)

happel said:


> I would like to note that if you can't trust your email you're screwed any way.


That's the issue at stake...when email is sent, it travels through insecure connections (server to server) before it reaches its destination.

So no, email can't be trusted.


----------



## dcdan (Jan 5, 2014)

tonyg said:


> That's the issue at stake...when email is sent, it travels through unsecure connections (server to server) before it reaches its destination.
> 
> So no, email can't be trusted.


The majority of the e-mail transfers I see in our logs (server to server) are encrypted.


----------



## tonyg (Jan 8, 2014)

Thank you BuyVM for no usernames or passwords on the new VPS email!!!


----------

