Is HostGator storing my password in plaintext?Is it better to hash n*x times in sha1 or n times in sha512 on the client side?Definitely safest password storage scheme?Forgot Password? - sends email with plaintext passwordIs it ok for software to store passwords locally in plain-text?Finding Plaintext Password RepositoriesHow to avoid storing plaintext during CHAP authenticationReceived an email about an “Etsy” Password Reset due to the “Linkedin Breach…” is this a phishing attempt?Storing Password Hash plaintextThird party program is storing a password in a DSN. Is it a security threat?Methods for storing plaintext passwords on a client

Should my PhD thesis be submitted under my legal name?

Efficiently merge handle parallel feature branches in SFDX

How was Earth single-handedly capable of creating 3 of the 4 gods of chaos?

Can somebody explain Brexit in a few child-proof sentences?

What is the opposite of 'gravitas'?

Do I need a multiple entry visa for a trip UK -> Sweden -> UK?

How does it work when somebody invests in my business?

Applicability of Single Responsibility Principle

What is difference between behavior and behaviour

Star/Wye electrical connection math symbol

Is there a good way to store credentials outside of a password manager?

Can I use my Chinese passport to enter China after I acquired another citizenship?

What defines a dissertation?

How do I rename a LINUX host without needing to reboot for the rename to take effect?

How could Frankenstein get the parts for his _second_ creature?

Curses work by shouting - How to avoid collateral damage?

How can I get through very long and very dry, but also very useful technical documents when learning a new tool?

Is HostGator storing my password in plaintext?

Valid Badminton Score?

Increase performance creating Mandelbrot set in python

Have I saved too much for retirement so far?

Transcription Beats per minute

What is the intuitive meaning of having a linear relationship between the logs of two variables?

What's the purpose of "true" in bash "if sudo true; then"



Is HostGator storing my password in plaintext?


Is it better to hash n*x times in sha1 or n times in sha512 on the client side?Definitely safest password storage scheme?Forgot Password? - sends email with plaintext passwordIs it ok for software to store passwords locally in plain-text?Finding Plaintext Password RepositoriesHow to avoid storing plaintext during CHAP authenticationReceived an email about an “Etsy” Password Reset due to the “Linkedin Breach…” is this a phishing attempt?Storing Password Hash plaintextThird party program is storing a password in a DSN. Is it a security threat?Methods for storing plaintext passwords on a client













2















I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 1





    Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

    – schroeder
    3 hours ago






  • 1





    @schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

    – Marquizzo
    3 hours ago











  • Ok, that all good info to have.

    – schroeder
    3 hours ago











  • It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

    – Patrick Mevzek
    1 hour ago











  • The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

    – Future Security
    1 hour ago















2















I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 1





    Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

    – schroeder
    3 hours ago






  • 1





    @schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

    – Marquizzo
    3 hours ago











  • Ok, that all good info to have.

    – schroeder
    3 hours ago











  • It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

    – Patrick Mevzek
    1 hour ago











  • The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

    – Future Security
    1 hour ago













2












2








2








I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here










share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.



I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:



enter image description here



I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?



enter image description here







passwords databases web-hosting






share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 3 hours ago







Marquizzo













New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 3 hours ago









MarquizzoMarquizzo

1135




1135




New contributor




Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Marquizzo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 1





    Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

    – schroeder
    3 hours ago






  • 1





    @schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

    – Marquizzo
    3 hours ago











  • Ok, that all good info to have.

    – schroeder
    3 hours ago











  • It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

    – Patrick Mevzek
    1 hour ago











  • The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

    – Future Security
    1 hour ago












  • 1





    Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

    – schroeder
    3 hours ago






  • 1





    @schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

    – Marquizzo
    3 hours ago











  • Ok, that all good info to have.

    – schroeder
    3 hours ago











  • It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

    – Patrick Mevzek
    1 hour ago











  • The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

    – Future Security
    1 hour ago







1




1





Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

– schroeder
3 hours ago





Welcome emails tend to have a temporary password that is sent in plaintext. The system generates that and sends it to you. But even then, it is likely to be hashed (not encrypted) in their systems. The reason they know it is because they generated it.

– schroeder
3 hours ago




1




1





@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

– Marquizzo
3 hours ago





@schroeder They did not generate the password. I set it up over a year ago. This was not a "welcome e-mail", I've had an account with them for a while now. Today's chat with the representative was to ask for help with setting up an SSL certificate.

– Marquizzo
3 hours ago













Ok, that all good info to have.

– schroeder
3 hours ago





Ok, that all good info to have.

– schroeder
3 hours ago













It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

– Patrick Mevzek
1 hour ago





It can be encrypted in a database but in a way that it could be decrypted for whatever need. It is different if it was stored hashed in the database, in which case the plain text form could never be retrieved, only checking equality would be possible.

– Patrick Mevzek
1 hour ago













The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

– Future Security
1 hour ago





The opposite of encryption is decryption. Encryption converts plaintext to ciphertext. Decryption converts ciphertext to plaintext. If someone can tell you your password then it may or may not be encrypted on their end. The method which should be used, that isn't reversible (by any method other than guess and check), is called hashing.

– Future Security
1 hour ago










2 Answers
2






active

oldest

votes


















6














Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer























  • That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    1 hour ago











  • You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    1 hour ago



















-2














We aren't HostGator, but they said they aren't. Sending it to you in an email doesn't mean it's stored in plaintext on their servers, but no one other than them can be for sure.






share|improve this answer










New contributor




Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • I set up that password over a year ago. Could you explain to me how they sent it back to me in plaintext if it wasn't stored in plaintext?

    – Marquizzo
    3 hours ago











  • @Marquizzo again, I'm not them, but I am sure if they have some encryption scheme for passwords or other way to obfuscate it they have a way to decrypt it in case you loose your password. I use Digital Ocean and they allow me to get my password back if I lose it.

    – Jason Michaels
    3 hours ago











  • @Marquizzo, it literally says thank you for your order. Did they have to bill you again and it popped up bc of that?

    – Jason Michaels
    3 hours ago






  • 1





    @JasonMichaels that's kind of unusual, in general they should not be able to get your password back if you lose it, they should be only able to reset/overwrite the password with a new one.

    – Peteris
    2 hours ago











  • Lots of companies save passwords for legal reasons like if they were contacted by law enforcement or whatever, you are right that some don't believe in that though.

    – Jason Michaels
    2 hours ago










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206186%2fis-hostgator-storing-my-password-in-plaintext%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









6














Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer























  • That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    1 hour ago











  • You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    1 hour ago
















6














Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer























  • That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    1 hour ago











  • You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    1 hour ago














6












6








6







Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.






share|improve this answer













Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).



Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.



Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.







share|improve this answer












share|improve this answer



share|improve this answer










answered 3 hours ago









CBHackingCBHacking

10.9k11627




10.9k11627












  • That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    1 hour ago











  • You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    1 hour ago


















  • That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

    – Marquizzo
    1 hour ago











  • You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

    – psosuna
    1 hour ago

















That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

– Marquizzo
1 hour ago





That's a very good point. Not only are they storing their passwords in a potentially insecure manner, they are also unnecessarily transmitting them to their users through an insecure protocol.

– Marquizzo
1 hour ago













You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

– psosuna
1 hour ago






You should absolutely bring this up. No decent current security system should be able to provide current credentials. Admins should have knowledge on how to reset to a default as necessary or provide reset instructions, but not retrieve and provide you with the private credentials that you, the user, created, and should only be known by you. You can bring this up as an exposure to a malicious insider or MITM.

– psosuna
1 hour ago














-2














We aren't HostGator, but they said they aren't. Sending it to you in an email doesn't mean it's stored in plaintext on their servers, but no one other than them can be for sure.






share|improve this answer










New contributor




Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • I set up that password over a year ago. Could you explain to me how they sent it back to me in plaintext if it wasn't stored in plaintext?

    – Marquizzo
    3 hours ago











  • @Marquizzo again, I'm not them, but I am sure if they have some encryption scheme for passwords or other way to obfuscate it they have a way to decrypt it in case you loose your password. I use Digital Ocean and they allow me to get my password back if I lose it.

    – Jason Michaels
    3 hours ago











  • @Marquizzo, it literally says thank you for your order. Did they have to bill you again and it popped up bc of that?

    – Jason Michaels
    3 hours ago






  • 1





    @JasonMichaels that's kind of unusual, in general they should not be able to get your password back if you lose it, they should be only able to reset/overwrite the password with a new one.

    – Peteris
    2 hours ago











  • Lots of companies save passwords for legal reasons like if they were contacted by law enforcement or whatever, you are right that some don't believe in that though.

    – Jason Michaels
    2 hours ago















-2














We aren't HostGator, but they said they aren't. Sending it to you in an email doesn't mean it's stored in plaintext on their servers, but no one other than them can be for sure.






share|improve this answer










New contributor




Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • I set up that password over a year ago. Could you explain to me how they sent it back to me in plaintext if it wasn't stored in plaintext?

    – Marquizzo
    3 hours ago











  • @Marquizzo again, I'm not them, but I am sure if they have some encryption scheme for passwords or other way to obfuscate it they have a way to decrypt it in case you loose your password. I use Digital Ocean and they allow me to get my password back if I lose it.

    – Jason Michaels
    3 hours ago











  • @Marquizzo, it literally says thank you for your order. Did they have to bill you again and it popped up bc of that?

    – Jason Michaels
    3 hours ago






  • 1





    @JasonMichaels that's kind of unusual, in general they should not be able to get your password back if you lose it, they should be only able to reset/overwrite the password with a new one.

    – Peteris
    2 hours ago











  • Lots of companies save passwords for legal reasons like if they were contacted by law enforcement or whatever, you are right that some don't believe in that though.

    – Jason Michaels
    2 hours ago













-2












-2








-2







We aren't HostGator, but they said they aren't. Sending it to you in an email doesn't mean it's stored in plaintext on their servers, but no one other than them can be for sure.






share|improve this answer










New contributor




Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










We aren't HostGator, but they said they aren't. Sending it to you in an email doesn't mean it's stored in plaintext on their servers, but no one other than them can be for sure.







share|improve this answer










New contributor




Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this answer



share|improve this answer








edited 3 hours ago









schroeder

78k30173209




78k30173209






New contributor




Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









answered 3 hours ago









Jason MichaelsJason Michaels

11




11




New contributor




Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Jason Michaels is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • I set up that password over a year ago. Could you explain to me how they sent it back to me in plaintext if it wasn't stored in plaintext?

    – Marquizzo
    3 hours ago











  • @Marquizzo again, I'm not them, but I am sure if they have some encryption scheme for passwords or other way to obfuscate it they have a way to decrypt it in case you loose your password. I use Digital Ocean and they allow me to get my password back if I lose it.

    – Jason Michaels
    3 hours ago











  • @Marquizzo, it literally says thank you for your order. Did they have to bill you again and it popped up bc of that?

    – Jason Michaels
    3 hours ago






  • 1





    @JasonMichaels that's kind of unusual, in general they should not be able to get your password back if you lose it, they should be only able to reset/overwrite the password with a new one.

    – Peteris
    2 hours ago











  • Lots of companies save passwords for legal reasons like if they were contacted by law enforcement or whatever, you are right that some don't believe in that though.

    – Jason Michaels
    2 hours ago

















  • I set up that password over a year ago. Could you explain to me how they sent it back to me in plaintext if it wasn't stored in plaintext?

    – Marquizzo
    3 hours ago











  • @Marquizzo again, I'm not them, but I am sure if they have some encryption scheme for passwords or other way to obfuscate it they have a way to decrypt it in case you loose your password. I use Digital Ocean and they allow me to get my password back if I lose it.

    – Jason Michaels
    3 hours ago











  • @Marquizzo, it literally says thank you for your order. Did they have to bill you again and it popped up bc of that?

    – Jason Michaels
    3 hours ago






  • 1





    @JasonMichaels that's kind of unusual, in general they should not be able to get your password back if you lose it, they should be only able to reset/overwrite the password with a new one.

    – Peteris
    2 hours ago











  • Lots of companies save passwords for legal reasons like if they were contacted by law enforcement or whatever, you are right that some don't believe in that though.

    – Jason Michaels
    2 hours ago
















I set up that password over a year ago. Could you explain to me how they sent it back to me in plaintext if it wasn't stored in plaintext?

– Marquizzo
3 hours ago





I set up that password over a year ago. Could you explain to me how they sent it back to me in plaintext if it wasn't stored in plaintext?

– Marquizzo
3 hours ago













@Marquizzo again, I'm not them, but I am sure if they have some encryption scheme for passwords or other way to obfuscate it they have a way to decrypt it in case you loose your password. I use Digital Ocean and they allow me to get my password back if I lose it.

– Jason Michaels
3 hours ago





@Marquizzo again, I'm not them, but I am sure if they have some encryption scheme for passwords or other way to obfuscate it they have a way to decrypt it in case you loose your password. I use Digital Ocean and they allow me to get my password back if I lose it.

– Jason Michaels
3 hours ago













@Marquizzo, it literally says thank you for your order. Did they have to bill you again and it popped up bc of that?

– Jason Michaels
3 hours ago





@Marquizzo, it literally says thank you for your order. Did they have to bill you again and it popped up bc of that?

– Jason Michaels
3 hours ago




1




1





@JasonMichaels that's kind of unusual, in general they should not be able to get your password back if you lose it, they should be only able to reset/overwrite the password with a new one.

– Peteris
2 hours ago





@JasonMichaels that's kind of unusual, in general they should not be able to get your password back if you lose it, they should be only able to reset/overwrite the password with a new one.

– Peteris
2 hours ago













Lots of companies save passwords for legal reasons like if they were contacted by law enforcement or whatever, you are right that some don't believe in that though.

– Jason Michaels
2 hours ago





Lots of companies save passwords for legal reasons like if they were contacted by law enforcement or whatever, you are right that some don't believe in that though.

– Jason Michaels
2 hours ago










Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.












Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.











Marquizzo is a new contributor. Be nice, and check out our Code of Conduct.














Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206186%2fis-hostgator-storing-my-password-in-plaintext%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How should I use the fbox command correctly to avoid producing a Bad Box message?How to put a long piece of text in a box?How to specify height and width of fboxIs there an arrayrulecolor-like command to change the rule color of fbox?What is the command to highlight bad boxes in pdf?Why does fbox sometimes place the box *over* the graphic image?how to put the text in the boxHow to create command for a box where text inside the box can automatically adjust?how can I make an fbox like command with certain color, shape and width of border?how to use fbox in align modeFbox increase the spacing between the box and it content (inner margin)how to change the box height of an equationWhat is the use of the hbox in a newcommand command?

Doxepinum Nexus interni Notae | Tabula navigationis3158DB01142WHOa682390"Structural Analysis of the Histamine H1 Receptor""Transdermal and Topical Drug Administration in the Treatment of Pain""Antidepressants as antipruritic agents: A review"

inputenc: Unicode character … not set up for use with LaTeX The Next CEO of Stack OverflowEntering Unicode characters in LaTeXHow to solve the `Package inputenc Error: Unicode char not set up for use with LaTeX` problem?solve “Unicode char is not set up for use with LaTeX” without special handling of every new interesting UTF-8 characterPackage inputenc Error: Unicode character ² (U+B2)(inputenc) not set up for use with LaTeX. acroI2C[I²C]package inputenc error unicode char (u + 190) not set up for use with latexPackage inputenc Error: Unicode char u8:′ not set up for use with LaTeX. 3′inputenc Error: Unicode char u8: not set up for use with LaTeX with G-BriefPackage Inputenc Error: Unicode char u8: not set up for use with LaTeXPackage inputenc Error: Unicode char ́ (U+301)(inputenc) not set up for use with LaTeX. includePackage inputenc Error: Unicode char ̂ (U+302)(inputenc) not set up for use with LaTeX. … $widehatleft (OA,AA' right )$Package inputenc Error: Unicode char â„¡ (U+2121)(inputenc) not set up for use with LaTeX. printbibliography[heading=bibintoc]Package inputenc Error: Unicode char − (U+2212)(inputenc) not set up for use with LaTeXPackage inputenc Error: Unicode character α (U+3B1) not set up for use with LaTeXPackage inputenc Error: Unicode characterError: ! Package inputenc Error: Unicode char ⊘ (U+2298)(inputenc) not set up for use with LaTeX