[andfarm]

Embarrassingly... no. Our login/authentication system was written in 1999, and it shows -- we store panel login passwords using symmetric encryption, and send out the decrypted password when you request it.

Getting this fixed was already on our to-do list. This incident has moved it up to near the top of the list (competing with a few other security-related tasks).

[milkmiruku]

I have always been bothered about cpanel passwords coming through in plain text. To confirm, is this the same storage system with mail passwords also?

Shell passwords - they're hashed, but are they salted? If not, can they be in future?

Thanks for your time.

[jacktoole1]

I've been happy with Dreamhost's service, but becoming aware of this in the last few months has forced me to look into other registrars. If this is fixed, I would be much more inclided to stay.

If you could forward these articles to whoever's working on security, I'd appreciate it (and they're a good read): http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracki... http://chargen.matasano.com/chargen/2007/9/7/enough-with-the...