by geuis 5467 days ago
I've considered using Hover and switching away from Godaddy, particularly since Hover is recommended frequently on the TWiT network. That thought has instantly evaporated.

You absolutely cannot store passwords in plain text. There is no level of security you can wrap around the database that will ever be 100%. It only takes one mistake for everything to get exposed.

To try and reason that there is a trade off between customer support and security is ludicrous. Your reset emails aren't getting through? Work on fixing that damn system instead of exposing your customers to a world of hurt down the road.
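The alternative geuis is arguing for, as an added example that is not code from the thread or from Hover or DreamHost: a password record that can be verified but not recovered, plus a reset token to e-mail instead of the password itself. The record format, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not from the thread). A salted, slow one-way hash is stored,
# so neither a database dump nor a support agent can read the password back.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption; tune per hardware)


def make_record(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt$hash'."""
    salt = os.urandom(16)  # fresh per-password salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def issue_reset_token() -> str:
    """What a 'forgot my password' flow e-mails instead of the password:
    a random, short-lived token that only authorises setting a new one."""
    return secrets.token_urlsafe(32)


def token_fingerprint(token: str) -> str:
    """Store this hash of the token, not the token, so a leaked database
    cannot be replayed to reset accounts."""
    return hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)                                        # no password visible in the record
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "wrong password"))               # False
```

A support agent verifying identity would call `verify` against what the customer types, never read the stored value.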


DreamHost also stores passwords in a recoverable fashion, FYI.
I dropped DreamHost after a week when I called up about an issue and the customer service person wanted me to verify my identity by telling him my password.

I explained that I didn't trust him to know my password (assuming he was just typing it into a box), and he said "well, it's right here in front of me, I'm just making sure it matches."

Disclaimer: I am an ex-DH intern and my information is only as good as August 2010, but it is likely to still be accurate.

At the very least, DH does not store passwords as plaintext, but it's only very marginally better than that. Passwords are stored using a custom-rolled symmetric encryption algorithm created by... I never found out if it was a founder or just one of the earlier admins, but that doesn't really change much. For what it's worth, I never ran across the key to this, which is at least somewhat good in terms of security, but it's quite possible that this is true only because I never actually went searching for it, especially given that all of the devs and dev interns have root on most of the systems.

I can confirm that they're still doing this. I recently had a conversation with their support staff about it and I don't think they'll be changing it any time soon. I like Dreamhost, but if they don't change this I'll probably bail.
Can you explain why you would leave over that? As long as you are aware of it and use a unique password how does it impact you? They would have to have a very specific and unnoticed breach that gets database and key.

Is it worry that they are lax in security elsewhere?

I'm not one such person (although I've never used DH's services for other reasons, even while I was employed by such), but I could imagine a reasonable person saying "if they take part in bad practice X of which I know, what other bad practices might they take part in of which I don't know?"
As I said, it would probably protect against a simple SQL injection, but if the attacker can get root it won't help. Better than nothing, but...
Which ones? The panel?
Yes. They will email your password to you if you click the "forgot my password" link.
ARGH! I just confirmed this. So disappointed. I've changed it now to be completely unique but I wouldn't be surprised if it's logged somewhere.
Change the other places you used the old one.
Change all passwords that are non-unique.
Damn! Confirmed this as well :(
One word: sendgrid
scottkrager: do you have any experience with postmark? any thoughts on how they compare? thanks!
I use Postmark, and I like them very much.
I don't sorry. I just know our mail gets inboxed and we use sendgrid.