Is Lunarpages storing passwords in plaintext?

First of all, I want to state that these are serious claims. What I am stating is based on my observations. While I cannot confirm that what I am saying is true, it is hard to claim the situation is much different from what I am stating.

Lunarpages, as I wrote in my previous post, has been my hosting provider for nearly 10 years. I’ve grown up from being that wacky teenager with limited technological understanding to now architecting and building infrastructure and development tools. I don’t claim to be an expert in any way and there is a lot I can learn.

Over the past year, I noticed some very shady things going on with my account. For one, my account was compromised at least twice, with files being overwritten. To this day, I still do not know how it happened. But lately, having to deal with support, I noticed a rather major flaw. Lunarpages and its staff have access to your passwords in plain text.

The conclusion that Lunarpages has access to your passwords in plain text comes from two separate emails I’ve received from them in the past week. Frankly, I have lost all faith in them as a company.

The first email was one where I asked them to update my billing period from yearly to monthly. I am in the process of switching to SiteGround. I do not want to pay for another full year if I am only going to use 1 month. One of the questions I was asked, to confirm that I am indeed Francis Pelland, was: what are the first and last characters of your password on file?

[Screenshot: lp_password_confirm]

Well, that isn’t so bad. They could be taking your password before it is stored and keeping only the first and last character. While this is still a flaw, especially if you have a password shorter than 9 characters as I did, I let it slip. But don’t think for one minute that it didn’t bother me. Sure, companies that store your credit card number do something similar, but the regulations for their handling are somewhat more standardized under PCI compliance. Assuming that I used numbers, lower case and upper case characters, it would take 3,521,614,606,208 attempts to figure out my password. My credit card’s remaining 12 digits would take 1,000,000,000,000.

But when I went to confirm my password to support, they told me I was WRONG. So I typed it in my head again and sent back a response saying that I am certain it is correct. I should have looked at the email I originally sent; I would have noticed I typed the wrong character. When Lunarpages’ support got back to me saying that the character was wrong, they sent me an email containing my password.

[Screenshot: lp_password]

WHAT?! How on earth did they just send me my password by email in PLAIN text? Are Lunarpages staff all able to see my passwords? In part, this is what fueled my paranoia about changing all my passwords after I started getting hack attempts literally 2 days after this email was sent out. Why is Lunarpages able to send me my passwords in plain text? There are a few logical explanations, but none should be considered acceptable by any means.

The first is that Lunarpages does store passwords in plain text. This would be the biggest mistake. Surely no one is that stupid, right? Then you search on Google and notice that many large companies are doing it themselves. Here we have Sony, Google Chrome, Plenty of Fish, and Evernote. Maybe Lunarpages could actually be storing passwords in plaintext, as ridiculous as it sounds. What they are doing with their passwords is nearly identical to how Plenty of Fish sends their emails.

Storing in plaintext is quite troubling, but maybe we should give them the benefit of the doubt. Maybe they are encrypting it prior to storage, with a salt, in a way that can be decrypted? This is also likely, but it does not stop anyone from decrypting the password. I’ve been working with various types of encryption over the past 5-10 years. They may seem strong, but once the hacker finds your secret, salt and IV, nothing stops them from getting everything out of you. Encrypted strings should never be used for passwords. Passwords should be hashed, and don’t use MD5; that is easily defeated these days.
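To make the point concrete, here is an added example (my own code, not Lunarpages’ and not part of the original post) showing the kind of storage that rules out emailing a password back: a salted, deliberately slow PBKDF2 hash with constant-time verification, beside the unsalted MD5 digest warned against above, plus the search-space arithmetic behind the 62^7 versus 10^12 comparison from the credit card paragraph earlier. The function names, the record format and the sample passwords are assumptions of this example; only Python’s standard library is used.

```python
import hashlib
import hmac
import os

# Added example (not Lunarpages' code): storing a password so that nobody,
# staff included, can read it back, versus the unsalted MD5 the post warns against.

PBKDF2_ITERATIONS = 200_000  # slow on purpose; raise it as hardware gets faster


def hash_password(password: str) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest as 'algo$iterations$salt$digest'.

    The record format is an assumption of this example; the point is that the
    record holds no recoverable password material, only a one-way digest, so a
    "first and last character" check or a password-reminder email is impossible.
    """
    salt = os.urandom(16)  # fresh random salt per password, stored with the hash
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:  # malformed record: treat as a failed login, never crash
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """What the post says not to do: every user with the same password gets the
    same digest, so one cracked digest (or a precomputed table) covers all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def search_space(length: int, alphabet_size: int, revealed: int = 0) -> int:
    """Guesses needed to exhaust a secret of `length` symbols drawn from an
    alphabet of `alphabet_size`, after `revealed` of its symbols are disclosed."""
    return alphabet_size ** max(length - revealed, 0)


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print(record)
    print(verify_password("correct horse", record))  # True
    print(verify_password("wrong guess", record))    # False
    # Same password for two users: salted records differ, unsalted MD5 does not.
    print(hash_password("hunter2") != hash_password("hunter2"))  # True
    print(unsalted_md5("hunter2") == unsalted_md5("hunter2"))    # True
    # The post's numbers: a 9-character mixed-case alphanumeric password with
    # first and last character disclosed, versus the last 12 digits of a card.
    print(search_space(9, 62, revealed=2))   # 3521614606208
    print(search_space(16, 10, revealed=4))  # 1000000000000
```

Two details matter in practice: the salt is random per password and stored beside the digest, which is what makes `hash_password("hunter2")` differ between calls, and the comparison goes through `hmac.compare_digest` so that a wrong guess takes the same time as a near-miss. A support desk working from records like these cannot answer “what is the first and last character of your password?” at all, which is exactly the property the post is asking for.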

Based on the information I have provided above, I strongly believe that Lunarpages is storing their passwords in plain text. I cannot confirm this with certainty, of course. But this is a serious problem. How can companies today still be operating with passwords stored in plaintext?

  • Mr. Pelland,

    My name is Chad Riddle; I Manage Operations for Lunarpages Internet Solutions.

    Firstly I’d just like to say that we regret the loss of your hosting business and would be glad to serve as your web host again given the chance.

    Your concern with password storage is very understandable. Over the years, as you know, many issues have made their rounds through the media noting very large and reputable organizations having their clients passwords compromised, contact information compromised and even credit card information compromised on very large scales. Fortunately Lunarpages has never had such an issue due to our strict security standards.

    As you noted the PCI standard sets out very strict guidelines for credit card data storage. Lunarpages has maintained a fully audited PCI compliance environment for several years. The audit process, performed annually by a 3rd party, is quite in depth and should provide confidence to all our customers that their credit card data is being handled in a secure and PCI compliant manner.

    Customer data such as passwords and contact information do not have a “specific” standard like credit card data has PCI. This however did not stop Lunarpages from ensuring proper data security that ranges from the hosted website(s) all the way down to the customer data and passwords. While we were very confident in the security measures that had been in place and augmented as necessary for over a decade we sought out to get confirmation that our environment was and is in fact secure. To this end we started to perform another annual audit called SAS70 type II. Over the last two years this standard was replaced by the SSAE16. This audit is an all encompassing audit of our entire environment to include, but not be limited to; network equipment, company PC’s and laptops, servers, internal systems (accounting, customer management systems, ticketing systems etc.), policies, procedures, authentication methods and even background checks on key staff members with elevated access.

    I firmly believe that if all organizations took their data security as seriously as Lunarpages that the media reports of compromised data would slow drastically. It is our hope that this information will help you feel more comfortable with the security standards used here at Lunarpages and maybe one day you might decide to return.

    Until then, we wish you the best!

    Regards,
    Chad Riddle
    Operations Manager
    Lunarpages Internet Solutions

  • Chad,

    I appreciate your reply.

    PCI compliance is great and is a proven standard. I’ve worked with PCI compliance and have implemented it in a number of products I’ve worked with.

    However you mention strict security standards without addressing why passwords are stored in plaintext. Even some of the largest networks and PCI compliant networks have been hacked. Their passwords were stored in plaintext and as a result compromised the security of their users. Take a look at Sony and even Adobe.

    These days you should expect at the very least for companies to hash passwords. Additional layers of security should include multi-factor authentication, at least two. As a hosting company, it should be relatively easy to add SSH key authentication, yet in my 10 years with you I have never seen that option.

    At this point, it only takes one rogue employee to put a backdoor on your systems or for hackers to find a way in. Once they are in, they have control to take your data and do as they wish with it. The least you could do is make their lives difficult with even basic hashing.

    Needless to say I am disappointed. The lack of security was the last straw with Lunarpages. As I mentioned in previous posts, my account was compromised numerous times. Seeing your stand on password storage makes me wonder if it has anything to do with my account being compromised.

    Francis

  • Mr. Pelland,

    I apologize if I was not direct enough. The passwords are not stored in plain text. Unfortunately I cannot go into exactly how the first and last digit of a password is verified on our end as it would pose as a potential security risk.

    To add some clarity, PCI has nothing to do with passwords but focuses solely on the credit card data and surrounding environments. The SSAE16 audit however does focus on password storage, along with many other areas, and we would not have received our passing report if we had stored passwords in plain text. Two factor authentication is required throughout all critical areas but of course does not extend to that of individual hosting account logins.

    Regards,
    Chad Riddle
    Operations Manager
    Lunarpages Internet Solutions

  • John Desmond

    Maybe they’re storing passwords in ROT13 and there’s nothing to worry about.

    All my accounts at Lunarpages have been hacked at one time or another. This time is the last time. It got hacked and they suspended the account. Before I realized that was the problem, I told the login system that I forgot my password. This is what came in the email:

    =====
    A request to retrieve your website login information has been made at Lunarpages Web Hosting. Below, you will find your Lunarpages Hosting Account username and password, as well as the login address you can use to access your website.

    Username:
    Password:

    To login to your Lunarpages customer account panel, please visit account.lunarpages.com

    Please keep this information secure and if you have any further questions or need assistance, please contact [email protected]
    =====

    This is unacceptable. Anyone inept enough to email passwords will have an inept password protection scheme. I’m outta there!
    -John

  • This is what I was alluding to. Like you, I’ve been hacked a few times while on Lunarpages.

    If they can send you your password in plaintext by email, it means the stored passwords can be decrypted. If by chance a hacker makes their way in or an LP staffer hands out the details, chances are all the passwords will be decrypted in a short amount of time. The hacker will only be required to figure out the salt.