Journal #8657

Posted 2016-01-18 20:20:02 UTC
I have a handful of throwaway email accounts on my web host. As such, some passwords are pretty half-assed and they may even be things like AAA123456. Today I got an alert from the support team at my web host:
Our servers have detected the passwords of several of your email accounts are insecure. Because they include the u sername (sic) or domain in them. [Note: not the case]
Please change your passwords from your control panel and re-enable the accounts. Follow these steps to build a strong and secure password:
(typical secure password advice removed)
My reply:

How can you even tell that? Do you happen to be storing passwords in plain text instead of running them through a one-way algorithm, as would be appropriate for a hosting industry of your caliber?
I can't wait to see what they reply, but it looks like I'll be changing providers soon...

===== UPDATE 1 =====

Dear User:
The server detects it automatically and modifies them; at no point can we see them because they are encrypted.

Yeah totally encrypted. With ROT13. TWICE!
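The exchange above turns on one technical point: whether a password is "half-assed", contains the username, or matches the domain is only knowable while the plaintext is in hand. Once it has been run through a salted one-way hash, the record itself tells you nothing about its composition; the only thing left is to guess candidates and check them against the hash. The following is an added example written for this page, not code from the journal author or from the host named in the comments. It assumes Python's standard-library PBKDF2 (a real deployment would prefer Argon2id or bcrypt through a vetted library, and a far higher work factor than the one chosen here so the demo runs quickly). All function names, the 8-character minimum, and the sample accounts are constructed for illustration. It shows the policy check done at set-time, the hash-only storage, and what a host limited to hashes can still do: run a short account-derived guess list against each record, which finds exactly the passwords in that list and nothing else.

```python
import hashlib
import hmac
import os

# Added example, not code from the journal post or from the host it describes.
# Work factor is deliberately low so the audit below finishes in a few seconds;
# production should use a much higher count or, better, Argon2id/bcrypt.
ITERATIONS = 50_000


def hash_password(password, salt=None):
    """Return a salted one-way PBKDF2-HMAC-SHA256 record. The plaintext is not kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(record, password):
    """Recompute the hash for a candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def policy_violations(username, domain, password):
    """Composition rules, checked at set-time: the only moment the plaintext exists."""
    p = password.lower()
    problems = []
    if username.lower() in p:
        problems.append("contains username")
    if domain.lower() in p or domain.lower().split(".")[0] in p:
        problems.append("contains domain")
    if len(password) < 8:  # assumed minimum length for this example
        problems.append("shorter than 8 characters")
    return problems


def set_password(store, username, domain, password):
    """Reject policy violations while the plaintext is available, then store only the hash."""
    problems = policy_violations(username, domain, password)
    if problems:
        raise ValueError("; ".join(problems))
    store[f"{username}@{domain}"] = hash_password(password)


def guess_candidates(username, domain):
    """Short account-derived guess list: username/domain forms plus common suffixes."""
    label = domain.lower().split(".")[0]
    bases = {username.lower(), username.capitalize(), label, label.capitalize(), domain.lower()}
    suffixes = ["", "1", "123", "2016", "!"]
    return [b + s for b in sorted(bases) for s in suffixes]


def audit_by_guessing(store):
    """What a host holding only hashes can still do: try the guess list against
    each record. It flags exactly the passwords that appear in the list."""
    found = {}
    for account, record in store.items():
        username, domain = account.split("@", 1)
        for guess in guess_candidates(username, domain):
            if verify_password(record, guess):
                found[account] = guess
                break
    return found


if __name__ == "__main__":
    store = {}
    set_password(store, "throwaway1", "example.com", "AAA123456")  # passes the username/domain rule
    store["bob@example.com"] = hash_password("bob123")             # legacy record, never policy-checked
    store["carol@example.com"] = hash_password("carol2016x")       # violates policy, but not in the guess list
    print(audit_by_guessing(store))
```

Run stand-alone, the audit reports only `bob@example.com`: `carol2016x` contains the username just as plainly, but no hash-only audit can see that unless the exact string is guessed. Whether a particular alert came from reversible storage or from a guess list like this cannot be told from the alert text alone; what a hashed store permits is the guessing, and only that.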

6 Comments

Commented 2016-01-18 20:34:58 UTC Comment #62789
Welp.
Just so we know not to use them, what host are you currently with?
Commented 2016-01-18 21:03:03 UTC Comment #62790
It's called Don Web. It was recommended by a friend years ago, they have pretty good features for a price that's affordable for a low-income person like myself (some $30/yr as opposed to actually reputable hosts like Dreamhost that cost closer to $100/yr). But I guess it's still my fault for hiring a cheap ass host from South America. At least I'm not hosting anything particularly critical.
Commented 2016-01-18 21:15:33 UTC Comment #62793
Your password has to have at least 1 capital letter, at least one lowercase letter, at least 1 number, be at least 6 characters long, must not have your name, phone number, birthday, etc. in it, because hackers just brute force try every letter and number combination till it clicks.

And then the company servers get hacked and your password got leaked anyway
Commented 2016-01-18 21:27:02 UTC Comment #62791
They're throwaway accounts and I don't give a damn if they get hacked because there's nothing important at risk.
Commented 2016-01-18 21:52:00 UTC Comment #62788
Get yourself an email at Proton Mail. Free encrypted email, it requires a kind of 2-step authentication: first into your account, and then to unlock the inbox.

The advantage of email security is lost if you send emails to providers like Google, which openly admit to scanning email. But it's not like we're not used to that...

I think you have to wait 1 or 2 weeks before you get your account, or maybe now it's instant idk...
Commented 2016-01-18 22:48:59 UTC Comment #62792
That looks interesting! Not for throwaway accounts, though. Because they're throwaway accounts. Could work well with Enigmail. If only the people I email knew what encryption is.
