Is Lunarpages storing passwords in plaintext?

First of all, I want to state that these are serious claims. That what I am stating is based on my observations.  While I cannot confirm what I am saying is true, it is hard to claim the situation is much different than what I am stating.

Lunarpages, as I wrote in my previous post, has been my hosting provider for nearly 10 years. I’ve grown up from being that wacky teenager with limited technological understanding to now architecting and building infrastructure and development tools. I don’t claim to be an expert in any way and there is a lot I can learn.

Over the past year, I noticed some very shady things going on with my account. In part, my account was compromised at least twice where files were overridden. To this day, I still do not know how it has happened. But lately having to deal with support, I noticed a rather major flaw.  Lunarpages and it’s staff have access to your passwords in plain text.

To come up with the conclusion that Lunarpages in has access to your passwords in plain text comes from two separate emails I’ve received from them in the past week.  Frankly, I have lost all faith in them as a company.

The first email was one where I asked them to update my billing period from yearly to monthly. I am in the process of switching to SiteGround. I do not want to pay for another full year if I am only going to use 1 month.  One of the questions I was asked to confirm that I am indeed Francis Pelland is what is the first and last character of your password on file?

lp_password_confirm

Well that isn’t so bad. They could be taking your password before it is stored and take only the first and last character.  While this is still a flaw, especially if you have a shorter password than 9 characters as I did, I let it slip. But don’t think for one minute that it didn’t bother me. Sure companies who store your credit card number do something similar, the regulations for their handling is somewhat more standardized with PCI compliance. Assuming that I used numbers, lower case and upper case characters, it would take 3,521,614,606,208 attempts to figure out my password. My credit card’s remaining 12 digits would take 1,000,000,000,000.But when I went to confirm my password to support, they told me I was WRONG. So I typed it in my head again and sent back a response saying that I am certain it is correct. I should have looked at the email I originally sent, I would have noticed I typed the wrong character.  Lunarpages’ support got back to me saying that the character is wrong, they sent me an email containing my password.

lp_password

WHAT?! How on earth did they just send me my password by email in PLAIN text? Are Lunarpages staff all able to see my passwords?  In part, this is what fuel my paranoia for changing all my passwords after I started getting hack attempts literally 2 days after this email was sent out. Why is Lunarpages able to send me my passwords in plain text? There are a few logical explanations, but none should be considered acceptable by any means.

The first is that Lunarpages does store passwords in plain text.  This would be the biggest mistake. Surely no one is that stupid right? Then you search on Google and you notice many large companies are doing it themselves.  Here we have Sony, Google Chrome, Plenty of Fish, and Evernote. Maybe Lunarpages could actually be storing passwords in plaintext, as ridiculous as it sounds. What they are doing with their passwords is nearly identical to how Plenty of Fish sends their emails.

Storing in plaintext is quite troubling, but maybe we should give them the benefit of the doubt. Maybe they are encoding it prior to storage with a SALT that can be decrypted? This is also likely, but it really does not stop from anyone being able to decrypt the password. I’ve been working with various types of encryption over the past 5-10 years. They may seem strong, but anything you encrypt, once the hacker finds your secret, salt and IV, nothing stops them from getting everything out of you. Encrypted strings should never be used for passwords. Passwords should be hashed and don’t use MD5, that is easily defeated these days.

Based on the information I have provided above, I strongly believe that Lunarpages is storing their passwords in plain text. I cannot confirm with certainity of course. But this is a serious problem. How can companies today still be operating with passwords stored in plaintext?