The Register ®
Comments on ‘Fasthosts customer? Change your password now’

Police called to major hack

Published Thursday 18th October 2007 11:26 GMT


What a load of bollocks! 

By BoldMan
Posted Thursday 18th October 2007 11:43 GMT
Alien

"Historically, Internet companies have rarely encrypted passwords to aid customer service."

Only if you are lazy buggers who can't be bothered to implement proper password security and resetting procedures - note I said resetting NOT recovery. If any login system includes an option to "send your password" if you've forgotten it, avoid it like the plague if it's important. This means they are keeping passwords in plain text. Anyone with ANY common sense should give you an option to reset your password instead.

Lack of encryption 

By Matt Horrocks
Posted Thursday 18th October 2007 11:44 GMT

"Historically, Internet companies have rarely encrypted passwords to aid customer service."

How's this "aid customer service"? Luser 'phones up asking for the password? Wouldn't it be just as easy to go "No, we can't tell you it, but we *can* reset it to "dogfood24", done".

Just hope they don't lose their "security warning" e-mail in transit from themselves to their customers via.. their MTA. Reckon it's a likely chance of them losing most of it then.

...rarely encrypted passwords to aid customer service. 

By Michael Parker
Posted Thursday 18th October 2007 11:50 GMT

Yeah, that makes sense. "I've forgotten my password, the one I use on all my internet banking sites too." "Ah yes, it's FL1bble, sir."

Surely "OK, we've emailed you a link to change it" or "we've set up a temporary password, you'll have to change it..." would serve the customer better?

It's like saying that locksmiths should have a key to all the doors in the street in case you lose your key... which reminds me. Where are my keys...

Weak password policy 

By Mark Allen
Posted Thursday 18th October 2007 11:50 GMT
Thumb Down

Now that is annoying... I've got to contact all these sales guys and get new passwords to them.

Weird thing is.. Fasthosts only accept alpha-numeric passwords. Just tried to use a ! in the control panel password and it complained. All a little too weak really....

Now THAT is complete BS 

By Anonymous Coward
Posted Thursday 18th October 2007 11:51 GMT
Thumb Down

"Historically, Internet companies have rarely encrypted passwords to aid customer service."

That is complete nonsense, but even if that WAS the case it still doesn't explain why a 3rd party could get away with them all.

Pathetic.

Rarely encrypted passwords to aid customer service? 

By Pink Duck
Posted Thursday 18th October 2007 11:51 GMT
Coat

Yeah, right. Any developer worth his salt wouldn't make such a hash of this.

Important information about your Fasthosts account 

By Anonymous Coward
Posted Thursday 18th October 2007 11:53 GMT
Alert

We are writing to inform you that we have recently discovered evidence of a network intrusion involving a Fasthosts server. We have reason to believe that the intruder has gained access to our internal systems, and that this may have in turn given them access to your username and some service passwords.

We have since closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again.

We therefore recommend, as a precaution, that you now change the following passwords on your account, both for your personal use, and for your customers:

Your main account control panel login password

All email (Standard, Advanced and Exchange mailbox) passwords for you and your customers' mailboxes

All FTP passwords

All MySQL and MS SQL database passwords

These can all be changed within your control panel. Further details on how to change your passwords can also be found in the support section of our website.

We strongly recommend that you choose secure passwords so that they cannot easily be guessed. These passwords should include the following:

It should be a minimum of 8 characters long

It should contain an upper case and a lower case letter

It should also contain at least one number (numeric)

We recognise that this may cause some inconvenience and concern, and for that we sincerely apologise. Please be assured that your account security is extremely important to us, and we have taken every step possible to secure your information against any future intrusion attempts.

Fasthosts is becoming a joke 

By Anonymous Coward
Posted Thursday 18th October 2007 11:54 GMT
Thumb Down

We have used fasthosts for over 6 years without many problems (if you understand that you get what you pay for).

I have just received the 'change your passwords' email and now have to change over 2000 passwords.

This is one of the final insults from a company whose support has been diving downhill, for example I have to book 1 week in advance to have an engineer look at a possible critical hardware failure on one of our dedicated server discs.

SIGH !

J

Can someone let me know who does encrypt passwords then? 

By max allan
Posted Thursday 18th October 2007 11:56 GMT
Stop

"Historically, Internet companies have rarely encrypted passwords to aid customer service."

So, can someone post ISP names that do encrypt passwords. In a similar fashion to the flap about posting names of footballers who gave money to the nurses charity. We're not dissing the bad ISPs, we're simply praising the good ones.

Why do ISPs, who must see more cracking attacks than anyone else, think they're immune from being cracked?

Quite a few web servers respond to the /../../../etc/passwd type attack and you only need one like that to reveal everyone's passwords.

Madness.

Max

ISPs require plaintext passwords some of the time. 

By Ian
Posted Thursday 18th October 2007 11:57 GMT

"We've asked Fasthosts why the passwords were not encrypted in the first place. It said: "Historically, Internet companies have rarely encrypted passwords to aid customer service.""

Moreover, some common authentication methods used REQUIRE a plaintext (i.e. unencrypted) password to be stored, e.g. a RADIUS server needs access to plaintext passwords to support CHAP, ironically used to avoid passing passwords in plaintext over the wire.

Usually they don't encrypt... 

By Si
Posted Thursday 18th October 2007 11:58 GMT

... so they can login to the customer's account and see whatever problem it is that they're having first hand. It is a very bad idea not to encrypt but the convenience of it means you'll likely find many, many companies do it.

All the more reason... 

By Stefan Paetow
Posted Thursday 18th October 2007 12:03 GMT
Coat

... Not to trust UK outfits anymore. My hosting company runs passwords against dictionaries and complains if the password you're trying to set is too weak. Why's that not standard practice here?

Jeez.

To Si: 

By Tom Chiverton
Posted Thursday 18th October 2007 12:08 GMT

"they can login to the customer's account and see whatever problem"

Err, why not reset the user's password? The user can always change it back after the hell desk monkey has had a poke around.

It's all go 

By Anonymous Coward
Posted Thursday 18th October 2007 12:10 GMT
Alert

Love it.

Delete all of your mail one day, then the next admit to a massive security breach. Any offense under the Data Protection Act here?

Where is my email? Is this everyone? 

By Mark Allen
Posted Thursday 18th October 2007 12:11 GMT
Pirate

Is this actually everyone hosted on Fasthosts? Or just a limited number?

I have had no email from Fasthosts, and there is nothing on the RSS feeds or control panel. So is this really company wide?

(Probably the same Chinese hacker I have been watching who slams the same brute force password list against my FTP server every weekend.... would have thought he would have got bored by now!!)

Encryption not the only thing.... 

By JRallo
Posted Thursday 18th October 2007 12:15 GMT
Jobs Horns

It's nice to say that encryption protects passwords, but that's false. Yes, it does make it more difficult for the layman to look at the data and see the passwords; however, if the encryption formula isn't strong enough, then the password could be spoofed. If someone gained this level of access, then it would be easy for them to see what encryption algorithms are in place and guess passwords. Even with MD5, where it is near impossible to reverse engineer a password, all that really needs to be done is feed values into the algorithm, then do a simple query on the data (say, SELECT UserName FROM userdb.userstable WHERE Password='MD5Hash';). You'll then get a nice list of user names who share the password... Granted, you don't get a massive list of users, but with enough users of a system, overlaps in passwords are bound to happen. Applying a simple salt to the algorithm will help with this, but in my experience this is rarer than actually encrypting the password in the first place...

The real issue here isn't whether they had it in plain text or not... but how did an attacker gain such a level of access? Sounds like someone broke into the facility. That's a physical access issue. Who forgot to lock the door? I bet we'll find there was an iPhone behind all of this.
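An added example (my own code, not JRallo's, Fasthosts' or The Register's) of the weakness the comment above describes and the salt it recommends. The sample accounts and passwords are constructed. With a bare MD5 store, two users who chose the same password get byte-identical rows, so a duplicate-value audit over the table exposes who shares a password; with a random per-user salt the same audit finds nothing. The salted form shown is PBKDF2-HMAC-SHA256, my choice of a sensible scheme, since the comment only says "a simple salt".

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample accounts: username -> password. The plaintext is here only
# so the demo can build both storage schemes side by side.
SAMPLE_USERS = {
    "alice": "Tr0ub4dor",
    "bob": "letmein1",
    "carol": "letmein1",   # same password as bob
    "dave": "Tr0ub4dor",   # same password as alice
    "erin": "Xk9$pq2L",
}

def md5_unsalted(password: str) -> str:
    """The scheme the comment describes: one bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def build_unsalted_table(users: dict) -> dict:
    return {user: md5_unsalted(pw) for user, pw in users.items()}

def find_shared_hash_groups(table: dict) -> list:
    """Audit check: usernames whose stored value is byte-identical.

    Under an unsalted hash, equal stored values mean equal passwords, which is
    what 'SELECT UserName ... WHERE Password=<hash>' exposes. Run over a
    properly salted table the same check finds nothing.
    """
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Salted scheme. The comment only says "a simple salt"; PBKDF2-HMAC-SHA256
# with a random 16-byte salt per user is my choice of a sensible modern form.
ITERATIONS = 100_000

def hash_password_salted(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password_salted(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(digest.hex(), digest_hex)

def build_salted_table(users: dict) -> dict:
    return {user: hash_password_salted(pw) for user, pw in users.items()}

if __name__ == "__main__":
    unsalted = build_unsalted_table(SAMPLE_USERS)
    salted = build_salted_table(SAMPLE_USERS)
    print("unsalted table, users sharing a password:", find_shared_hash_groups(unsalted))
    print("salted table, users sharing a password:  ", find_shared_hash_groups(salted))
    print("bob's salted login with the right password:",
          verify_password_salted("letmein1", salted["bob"]))
```

The duplicate-value audit is a cheap check to run against any credential table you inherit: if it ever returns a non-empty list, the store is unsalted (or salted per deployment rather than per user) and needs migrating.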

Plaintext passwords - a reason 

By Anonymous Coward
Posted Thursday 18th October 2007 12:17 GMT

Not all systems use the same or a configurable method of authentication. Not all systems are capable of using an encrypted password. Sometimes you need to compare against the plaintext password. The more you centralise your authentication, the more likely this is.

This is crazy. 

By Anonymous Coward
Posted Thursday 18th October 2007 12:40 GMT
Thumb Down

As a company this issue is going to cause a major problem for us. We have hundreds of handheld devices out there with FTP and SQL database access. How the hell are we going to implement these changes without stopping our customers dead in their tracks? We will have to issue revised apps; they will not be able to upload or download data out in the field until the app is rolled out to all users.

ouch 

By Anonymous Coward
Posted Thursday 18th October 2007 12:43 GMT
Unhappy

This is a real kick in the teeth for those of us who have to go to our clients and explain passwords need changing.

However, I'm going to do this, however tempting it is to just hope you don't get stung by not changing. Up until now FH has denied everything it possibly can whenever anything didn't work right or there was a problem. The fact they are being open about this makes me think there is a really high chance of there being a problem for the customers. What is missing from this, though, is how long someone could have had the passwords. If the police have been called, external people brought in to fix the problem... surely this has been known about for weeks?!?!

Maybe this will be the problem that moves a lot of FH servers and staff to another location owned by their German overlords.

Web hosting is a low margin business 

By Smell My Finger
Posted Thursday 18th October 2007 13:08 GMT

When Fasthosts are charging as little as £3.99 a month for 1.5GB of space and unlimited traffic doesn't it occur to anyone for that kind of money you'd need to sell 500 months worth of web hosting to even buy a cheap HP or Dell server. I mean you'd have to sign up for 41 years to even pay for the box it's hosted on. You get what you pay for and costs have to be cut somewhere. It never seems to occur to many people that they're actually not paying enough for web hosting.

No email yet 

By John Warlow
Posted Thursday 18th October 2007 13:12 GMT
IT Angle

No email here, but I've changed my passwords all the same just in case.

Pun intended? 

By Ross
Posted Thursday 18th October 2007 13:15 GMT

"Any developer worth his salt wouldn't make such a hash of this"

Pun(s) intended?

no warning email for me today 

By martin
Posted Thursday 18th October 2007 13:17 GMT
Flame

I've got several domains on Fasthosts/UKreg... and I've not received any email regarding this breach... this article was the first I knew of it, and only then 'cause I have your news feed on my Google homepage...

What worries me, therefore, is the idea that they should publicly announce the breach before even advising the users... which is akin to telling the media that your friend's house is unlocked before letting him know...

I think I'll move hosts asap... which I was thankfully planning anyway due to various issues that have been steadily increasing of late...

If security is important to you - look for ISO27001 accreditations 

By Dan Germain
Posted Thursday 18th October 2007 13:18 GMT

Encryption of passwords for systems that contain critical/sensitive/customer data is required by the standard.

BTW, does El Reg encrypt the password I've just used to post a comment? ;-)

Weeks of work for me then 

By Anonymous Coward
Posted Thursday 18th October 2007 13:26 GMT
Happy

Changing all the passwords. At work we have a Fasthosts reseller account with a lot of domains, all with lots of mailboxes and FTP, and a lot with databases. What fun I'll have changing all the passwords, then changing the database ones in code on all the websites that have them, and finally changing the Outlook passwords on countless client sites. Oh, and I nearly forgot: all the CMS passwords will need changing as well.

Might be done by Christmas!

So you never change your passwords? 

By Rob Strzelecki
Posted Thursday 18th October 2007 13:57 GMT

Those of you complaining about having to change passwords... you've never changed them before!? Isn't that a security risk also?

You should change your passwords regularly whether or not your host has asked you to.

@Pun Intended 

By breakfast
Posted Thursday 18th October 2007 13:57 GMT
Coat

I take your suggestion with a pinch of salt.

El Reg password collections 

By Anonymous Coward
Posted Thursday 18th October 2007 14:07 GMT

@Dan Germain "BTW, does El Reg encrypt the password I've just used to post a comment? ;-)"

Course they don't. How else do they pay for all their EBay toys and Amazon pr0n? They are logging into your PayPal account at this moment.... :D

@all-of-us

Isn't it a little comical that we are complaining about telling our staff/clients to change passwords? I thought a decent password policy forces changes at a regular period. LoL!! I know "Change User Passwords" has been on my TODO list for 18 months....

Title 

By Andy King
Posted Thursday 18th October 2007 14:31 GMT

(Probably the same Chinese hacker I have been watching who slams the same brute force password list against my FTP server every weekend.... would have thought he would have got bored by now!!)

Is that the same Chinese chap we have knocking on all of our FTP servers every weekend as well?

Re: Web hosting is a low margin business 

By Jeff
Posted Thursday 18th October 2007 14:36 GMT
Alert

"When Fasthosts are charging as little as £3.99 a month for 1.5GB of space and unlimited traffic doesn't it occur to anyone for that kind of money you'd need to sell 500 months worth of web hosting to even buy a cheap HP or Dell server. I mean you'd have to sign up for 41 years to even pay for the box it's hosted on. You get what you pay for and costs have to be cut somewhere. It never seems to occur to many people that they're actually not paying enough for web hosting."

That's a very naive determination. Big managed web hosts build their own web servers in bulk, and stuff them full of customers' sites. If you think about it, 1.5GB is nothing when a cheap and nasty set of 300GB hard drives in a decently robust RAID config wouldn't cost more than £300. And a company can easily afford to put 50-100 low-traffic sites (no business or high-traffic site would ever go near such a cheap solution) on a single box. If everyone's paying that charge, then the hardware is paid for in a month or two.

Ah yes, the famous words 

By Matt Gibson
Posted Thursday 18th October 2007 14:52 GMT
Thumb Down

I'm sure we all recognise the phrase, "to aid customer service." As in "to aid customer service, we're not collecting post on a weekend any more." "To aid customer service, we've closed your high street branch." "To aid customer service, we've fired everyone in the UK and moved our call centre to India." "To aid customer service, we've shot all our customers through the head with a nailgun."

It's what you say when the truth would read, "because we're a bunch of incompetent muppets..."

And what about those credit card numbers 

By Anonymous Coward
Posted Thursday 18th October 2007 15:00 GMT
Unhappy

Is this breach restricted to "our" side of Fasthosts, or should I now be worried about the credit card details that Fasthosts uses to bill for the server usage? Oh err.

Re "Change User Passwords" 

By Jeremy
Posted Thursday 18th October 2007 15:01 GMT
Go

cynic-mode: on

Yeah, but everyone knows that IT people are the worst for strong passwords and changing them often. Perhaps "Change User Passwords" has been on the TODO list of the Fasthost admins for 18 months too and they wanted to find a reason for it that would make people actually take notice of their request...

Truly vile... 

By Morten Ranulf Clausen
Posted Thursday 18th October 2007 15:07 GMT
Happy

A real stinker:

"Yeah, right. Any developer worth his salt wouldn't make such a hash of this."

Well done, sir/madam. Keep up the good work.

password changes 

By Chris
Posted Thursday 18th October 2007 15:12 GMT

It's a myth that changing passwords periodically is required for strong security, but it is certainly true that it can lead to weakened security. If I have a strong password today, it's still a strong password next year. So the question is: can it be compromised in that time? If it can, then changing it is not really protecting anything except working around the problem. If not, then the point stands. Can it be partially determined in that time? If so, then there is a case for password changes, but then this would only apply to a controlled environment with a proper assessment of the risk. If not, then again the point stands.

However _forcing_ password changes often causes people to think of an easy one because they are not psyched up to remember one at that time, or else they need to get on and do some work. I remember a company which forced password changes with all kinds of rules - in the end people used P@ssword1, P@ssword2 and so on - quite the opposite of the intended result.

Just more of the same.... 

By Anonymous Coward
Posted Thursday 18th October 2007 15:28 GMT
Thumb Down

The Fasthosts service has been going downhill for a few months now - this is the final straw.

Resellers lost their Forums a few weeks ago and we have had nowhere to discuss the problems since.

Other hosts should be rubbing their hands....

Cheers

Brian

Tiscali 

By Chris Long
Posted Thursday 18th October 2007 16:21 GMT
Unhappy

Tiscali don't encrypt passwords either. I was helping a friend install a new router a couple of weeks ago, and she'd forgotten her password. I said she'd have to ring Tiscali and get her password reset, but instead they gave her hints like "it ends with a 3". I almost fell off my chair.

Fortunately I'm with Demon.

Fasthosts forums gone, blog down... 

By Tim Ireland
Posted Thursday 18th October 2007 16:32 GMT

They appear to have retreated way waaaay back into their shell lately. Not the most enlightened response to ongoing customer service and communication problems.

Forcing password changes. 

By Dom
Posted Thursday 18th October 2007 16:37 GMT

I've yet to see anybody come up with any good reason why passwords need changing on a regular basis. They're either secure or not. The more often people change them the more likely they are to write it down somewhere or pick a weak one.

I call bullshit! Fasthosts is lying! 

By Morely Dotes
Posted Thursday 18th October 2007 16:40 GMT
Alert

'We've asked Fasthosts why the passwords were not encrypted in the first place. It said: "Historically, Internet companies have rarely encrypted passwords to aid customer service."'

I've been using the Internet since 1992. I have *NEVER* before encountered an ISP that did NOT encrypt passwords. In fact, anyone installing a Linux-based server (or, in fact, even a Windows-based server, oxymoronic though that seems) would find that passwords are encrypted *BY DEFAULT* and that it takes a significant amount of effort to disable that encryption.

My advice, as a professional consultant, would be for any remaining Fasthosts customers to run for the nearest exit - terminate all business connections with this apparently incompetent ISP, destroy any data you may have hosted on their servers, and move to a *real* ISP.

Re: Web hosting is a low margin business 

By Smell My Finger
Posted Thursday 18th October 2007 16:55 GMT

Having worked at some really big companies, my experience has been with branded hardware, so perhaps that colours my experience of how cheap web hosts operate. I'm well aware that box-stuffing is as old as the web hosting business, and Jeff's estimate of about 100 doesn't square with what I've seen of hundreds and hundreds of sites squashed on to cheap 1 and 2U whitebox servers built of cheap components. There is clearly a significant cost implication on web hosts, otherwise they wouldn't be massively over-selling their resources and praying to God no one actually uses anything like their disk, bandwidth or CPU allowance. Anyone serious about a web presence for business needs to realise all of these cheap hosts are building their foundations on sand; for £3.99 a month they aren't getting high spec servers on NetApp or HP StorageWorks storage. Often they're getting cheap servers with internal storage that's barely one stage beyond the rubbish PC World sell.

All I know from people who do run web sites is that 99% of web hosts seem to be as rubbish as each other and seem to be largely based on a form of pyramid scheme where someone is endlessly reselling someone else's service. I'm glad I have nothing to do with this kind of tat.

Fasthosts suggest they are doing me a favour! 

By Vic Johnston
Posted Thursday 18th October 2007 17:22 GMT
Thumb Down

Fasthosts have replied to my request for compensation by suggesting that changing passwords frequently is a useful security measure. Thanks Fasthosts, really appreciate having to change somewhere upward of 500 passwords. Read below for a giggle.

From FH

While we understand that the changing of passwords can present an organisational problem for our customers we would like to stress that this is a precautionary measure that we recommend, not a requirement that we are imposing.

Where a significant amount of work is required to update all passwords we recommend that this work is carried out as soon as possible but in a way that doesn't necessarily have an impact on the everyday operation of their business. We assess that the risk to our customers is very small in this instance.

On the basis of this recommendation, which we are confident is sensible and does not harm our customers' interests, we do not feel that this incident justifies compensation.

praise the good ones 

By Clyde
Posted Thursday 18th October 2007 17:46 GMT
Thumb Up

"So, can someone post ISP names that do encrypt passwords. In a similar fashion to the flap about posting names of footballers who gave money to the nurses charity. We're not dissing the bad ISPs, we're simply praising the good ones."

Yes, try United Hosting : UK and US based servers, highly reputable company (I'm only a customer, not a share holder). They put security, security, security at the very top of everything, and never compromise that.

@nonencrypted passwords 

By Curtis W. Rendon
Posted Thursday 18th October 2007 17:52 GMT
Black Helicopters

I'm pretty stunned by their statement: "Historically, Internet companies have rarely encrypted passwords to aid customer service."

If they are using any kind of Unix related/descended/look alike box to host then they have to go to a great deal of effort to turn off password encryption on the host, and if they are using ssh via https then that password transmission is encrypted on line...

What fools!

@ "Ouch" by anonymous... 

By Vince
Posted Thursday 18th October 2007 17:58 GMT

"This is a real kick in the teeth for those of us who have to go to our clients and explain passwords need changing."

Well instead why don't you just explain you made a really stupid choice choosing fasthosts in the first place. That's the silly bit.

@JRallo 

By Anonymous Coward
Posted Thursday 18th October 2007 18:14 GMT

Perhaps you should look up the word salt in the context of password hashing. Not only would you write a more informative comment, but you'd understand Pink Duck's very funny joke.

Why (not) to change your password 

By Daniel
Posted Thursday 18th October 2007 18:21 GMT

The old advice on changing your password is mostly due to old circumstances. In the good (bad) old days, hundreds if not thousands of users would share access on a system, and frequently, those users were not trusted users (i.e., university systems). What's more, if you had access to the system, you could read /etc/passwd and the password hashes therein. Thus, if you never changed your password, you were far more susceptible to a dictionary attack than if you simply changed your password every couple of months. Of course, in this day and age, the password hashes are not exposed to all and sundry, and the justification for this has fallen off quite a bit.

A second, more applicable in the modern day reason is that if your password is compromised and you don't realize it, changing your passwords on a regular basis will minimize the damage. However, one must question just how frequently a user would have to change their password for this to matter.

On the other hand, a good reason to NOT change your password on a regular basis, is the difficulty of managing strong passwords, especially if they are constantly changing. One (very) slow trend that is helping this is the increasing availability of truly long passwords on systems. For example, a passphrase made of 5 words chosen at random via 5 pair of dice thrown 5 times each is actually very easy to remember - it's just 5 random words - but has 64 bits of entropy. 6 words have 77 bits, and 7 have 90. In comparison, the best you can achieve with an 8 character string of line noise is 52 bits of entropy. And even 7 random words are a LOT easier to remember than 8 random characters. Just remember - the words MUST be randomly selected. Regular spoken English does not have that much entropy in it, and our brains do not do a good job at selecting words truly at random.

If you're interested to learn more about passphrases, try checking out diceware:

http://www.diceware.com/

They have word tables to be used with 6-sided dice, along with a far more exhaustive explanation of passphrase entropy, etc.

-daniel
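The entropy figures Daniel gives above, worked through in code as an added example (mine, not Daniel's or diceware.com's). Five dice index a table of 6^5 = 7776 words, so each random word is worth log2(7776) ≈ 12.9 bits: 5 words give 64, 6 give 77 and 7 give 90 (rounding down), while 8 characters drawn from the 95 printable ASCII symbols give 52. The toy wordlist is constructed so the generator runs offline; a real diceware table has 7776 entries, and the function computes entropy from whatever list size it is given.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words, one per five-dice roll
PRINTABLE_ASCII = 95          # the "line noise" alphabet: printable ASCII

def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of word_count words each drawn uniformly from a list of list_size."""
    return word_count * math.log2(list_size)

def random_string_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a random string over an alphabet of alphabet_size symbols."""
    return length * math.log2(alphabet_size)

def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def roll_diceware_key() -> str:
    """Five d6 rolls, e.g. '31415': the index into a diceware word table."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def generate_passphrase(word_count: int, wordlist: list) -> str:
    """Pick words with a CSPRNG, never by hand: the words MUST be random.
    Entropy is word_count * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))

# Constructed toy wordlist (8 entries, 3 bits per word) so the generator runs
# offline; the real diceware table has 7776 entries.
TOY_WORDLIST = ["anvil", "brook", "cedar", "dusk", "ember", "fjord", "gable", "hinge"]

if __name__ == "__main__":
    for n in (5, 6, 7):
        print(f"{n} diceware words: {passphrase_entropy_bits(n):.1f} bits")
    print(f"8 printable ASCII chars: {random_string_entropy_bits(8):.1f} bits")
    print("words for 80 bits:", words_needed(80))
    print("dice key:", roll_diceware_key())
    print("toy passphrase:", generate_passphrase(4, TOY_WORDLIST),
          f"({passphrase_entropy_bits(4, len(TOY_WORDLIST)):.0f} bits)")
```

The arithmetic only holds when every word is chosen uniformly at random, which is why the generator uses the `secrets` module rather than `random` or a human picking "memorable" words.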

You can change and restore a password 

By David Wilkinson
Posted Thursday 18th October 2007 19:31 GMT

They are just numbers in a database.

Record the original value of the encrypted password.

Replace it with the encrypted value of a temporary password.

Restore it to the original encrypted value.

Create an interface to automate the procedure, and give the required database privileges to an account that can only connect via internal IP addresses.

Tech support can then gain temporary access to any account by temporarily changing the password. The customer gets to keep his old password, which remains a secret.

Remembering passwords 

By Terry Bernstein
Posted Thursday 18th October 2007 20:52 GMT

Even expecting users to use strong passwords is probably a bit of a losing battle, let alone changing them all the time. People don't usually have strong memories so they have weak memorable passwords.

The average owner of a password is an ordinary person trying to do something with a computer - and they have to use dozens of passwords. But for 95% of the sites they visit the password and username are viewed as nothing more than a nuisance. So they choose one that is easily remembered, and probably stick with it for every web site they log in to.

Unencrypted passwords 

By Anonymous Coward
Posted Thursday 18th October 2007 21:07 GMT
Stop

To all those who are so expert that they know Linux encrypts passwords to begin with... guess what, they probably don't authenticate against individual machines with their own shadow password system. It's probably a central server with a custom authentication system. This information may be pushed out to the hosting servers, but was probably stored unencrypted so that the system that pushes it to individual servers (Linux, Windows, MySQL, whatever) can encrypt the password in the correct format for that particular system... and that is the problem, everyone wants to encrypt their passwords differently, so you store the plaintext in the master database...

Possibly the dumbest comment ever posted here {and that saying summit} 

By Alan Doherty
Posted Thursday 18th October 2007 21:25 GMT
Alert

i quote

"By Dom

Posted Thursday 18th October 2007 16:37 GMT

I've yet to see anybody come up with any good reason why passwords need changing on a regular basis. They're either secure or not. The more often people change them the more likely they are to write it down somewhere or pick a weak one."

Err, obviously you change your passwords to offset the possibility of brute force trial and error succeeding.

Simply put, if your password never changes a brute force attack will succeed regardless of the time it takes between each attempt.

If you change it regularly, trying every possible combination sequentially will likely fail, as by the time they get near the correct password the current one may be one they tried x amount of time ago and thus will never try again.

Obviously the time between changing passwords depends on the time allowed between successive attempts; for most of my systems 3 unsuccessful events allow no more to be attempted for an hour, then 2, then 4 etc., with an e-mail dispatched to the user with details of who to contact for recovery and the IP involved in the attempt {so they can just add it to the blocked list / remove it from the allowed list if it's not themselves}.

Thus brute force would take a long time to get through any reasonable number of attempts.

For web based logins 3 failed {no time limit between} attempts cause a captcha to be involved for all subsequent attempts {with the same e-mail to the user}, for the same reason: to help foil brute force.

BTW Reg folks, how about, like most of these fora, allowing OpenID instead of us now having another ID/password to have to keep track of, as it's so much easier than having to keep track of all these IDs and passwords for sites still using older methods to track users? Or is it because using older methods allows you to compile our e-mails into a list for later spamming^H^H^H^H^H marketing purposes?
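The lockout scheme Alan Doherty describes above (three failures, then an hour, then two, then four, with an alert carrying the source IP), as an added example in my own code rather than anything from his systems. The attempt log and the IPs (documentation ranges) are constructed, and the choice that a successful login resets the backoff stage is my assumption; the comment does not say. The guard is deliberately placed in front of the password check, so during a lockout even the correct password is not evaluated.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

FAILURES_PER_STAGE = 3        # three failures trigger a lockout
BASE_LOCKOUT_SECONDS = 3600   # first lockout is an hour; doubles each stage

@dataclass
class AccountState:
    consecutive_failures: int = 0
    lockout_stage: int = 0       # 0 = never locked, then 1h, 2h, 4h, ...
    locked_until: float = 0.0    # epoch seconds; 0 means not locked
    alerts: List[dict] = field(default_factory=list)  # what the e-mail would carry

class BruteForceGuard:
    """Exponential lockout placed in front of any password check."""

    def __init__(self, check_password: Callable[[str, str], bool]):
        self.check_password = check_password
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, source_ip: str, now: float) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'locked' (not even checked)."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"          # right password or not, nothing is evaluated
        if self.check_password(user, password):
            st.consecutive_failures = 0
            st.lockout_stage = 0     # assumption: a success resets the backoff
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures < FAILURES_PER_STAGE:
            return "denied"
        duration = BASE_LOCKOUT_SECONDS * (2 ** st.lockout_stage)   # 1h, 2h, 4h, ...
        st.lockout_stage += 1
        st.consecutive_failures = 0
        st.locked_until = now + duration
        st.alerts.append({"user": user, "source_ip": source_ip,
                          "locked_for_seconds": duration, "at": now})
        return "locked"

    def lockout_seconds_remaining(self, user: str, now: float) -> float:
        st = self.accounts.get(user)
        return max(0.0, st.locked_until - now) if st else 0.0

# Constructed attempt log: (time, user, password tried, source IP).
SAMPLE_ATTEMPTS = [
    (0, "alice", "password1", "203.0.113.9"),
    (5, "alice", "password2", "203.0.113.9"),
    (10, "alice", "password3", "203.0.113.9"),         # third failure -> 1h lock
    (60, "alice", "correct horse", "203.0.113.9"),     # right password, still locked
    (4000, "alice", "correct horse", "198.51.100.4"),  # lock expired -> ok
]

def replay(attempts, check_password):
    """Run an attempt log through a fresh guard; returns (outcomes, guard)."""
    guard = BruteForceGuard(check_password)
    outcomes = [(t, guard.attempt(u, p, ip, t)) for t, u, p, ip in attempts]
    return outcomes, guard

if __name__ == "__main__":
    results, guard = replay(SAMPLE_ATTEMPTS, lambda u, p: p == "correct horse")
    for t, outcome in results:
        print(f"t={t:>5}s  {outcome}")
    print("alerts:", guard.accounts["alice"].alerts)
```

Keying the state by username means the lockout follows the account rather than the IP, which is what stops a distributed guessing run; the recorded `source_ip` is there for the user's alert and for the block list, not as the lockout key.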

FTP Site Hackers 

By Anonymous Coward
Posted Thursday 18th October 2007 21:25 GMT
Pirate

@ Andy King

Is that the same Chinese chap we have knocking on all of our FTP servers every weekend as well?

If your Chinese hacker uses the same list of 2300 passwords, tries obvious usernames like "Administrator" and English first names, and turns up most of the weekend, every weekend, with the same list... sounds like the same guy. :)

Obviously these are my logs from the FTP site run on the end of the ADSL line supplied by Fasthosts. Gawd only knows what is going on on the Fasthosts-hosted website.

I just find these hackers funny... and it means I earn my wage. For reading a log file. :)

Password are *not* stored encrypted. 

By steven
Posted Thursday 18th October 2007 21:58 GMT

User passwords are normally stored in plaintext to allow one time password authentication systems to work.

In a nutshell;

User connects, server gives random value

User and server hash password / username with given value

User provides values to server

Server checks if they match its values and grants access.

Public / Private keys would be better but that's how POP3, IMAP and SMTP authenticate users without SSL/TLS.

This is why ISPs would store passwords in plaintext.

One time password systems require it.
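The exchange the post above sketches is the CRAM-MD5 mechanism used for POP3, IMAP and SMTP AUTH (RFC 2195): the server sends a one-time challenge, the client answers with HMAC-MD5(password, challenge), and the server recomputes the same value. Below is an added example for this thread, not code from Fasthosts or any mail server. The server side keeps, per user, the two keyed MD5 contexts HMAC is built from (the precomputation RFC 2104 describes) rather than the password string; that is enough to verify responses, though the contexts are password-equivalent secrets and need protecting as such. The hostname is an assumption:

```python
"""CRAM-MD5 (RFC 2195) challenge/response with the server holding keyed MD5
contexts instead of password strings. Added example for this thread."""

import base64
import hashlib
import hmac
import os
import time

BLOCK = 64  # MD5 block size in bytes


def hmac_md5_contexts(password: bytes):
    """Return the (inner, outer) MD5 contexts with the key pads absorbed (RFC 2104)."""
    if len(password) > BLOCK:
        password = hashlib.md5(password).digest()
    key = password.ljust(BLOCK, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def response_digest(contexts, challenge: bytes) -> str:
    """HMAC-MD5(password, challenge), computed from the stored contexts only."""
    inner, outer = contexts
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.hexdigest()


class Server:
    def __init__(self, hostname="mail.example.invalid"):   # assumed hostname
        self.hostname = hostname
        self.contexts = {}   # user -> (inner, outer); no password strings kept
        self.issued = set()  # outstanding challenges, each usable once

    def enrol(self, user: str, password: str):
        self.contexts[user] = hmac_md5_contexts(password.encode())

    def challenge(self) -> bytes:
        """Server -> client: base64 of <random.timestamp@hostname>."""
        raw = f"<{int.from_bytes(os.urandom(8), 'big')}.{int(time.time())}@{self.hostname}>"
        wire = base64.b64encode(raw.encode())
        self.issued.add(wire)
        return wire

    def verify(self, wire_challenge: bytes, wire_response: bytes) -> bool:
        """Accept only a fresh challenge we issued; a replayed response fails."""
        if wire_challenge not in self.issued:
            return False
        self.issued.discard(wire_challenge)
        user, _, digest = base64.b64decode(wire_response).decode().partition(" ")
        if user not in self.contexts:
            return False
        expected = response_digest(self.contexts[user], base64.b64decode(wire_challenge))
        return hmac.compare_digest(expected, digest)


def client_response(user: str, password: str, wire_challenge: bytes) -> bytes:
    """Client -> server: base64 of 'user hex(HMAC-MD5(password, challenge))'."""
    challenge = base64.b64decode(wire_challenge)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def known_answer_ok() -> bool:
    """Check both sides against the worked example in RFC 2195 (user tim)."""
    chal = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>")
    want = base64.b64encode(b"tim b913a602c7eda7a495b4e6e7334d3890")
    server_side = response_digest(hmac_md5_contexts(b"tanstaaftanstaaf"),
                                  base64.b64decode(chal))
    return (client_response("tim", "tanstaaftanstaaf", chal) == want
            and server_side == "b913a602c7eda7a495b4e6e7334d3890")


if __name__ == "__main__":
    server = Server()
    server.enrol("alice", "correct horse battery")
    c = server.challenge()
    r = client_response("alice", "correct horse battery", c)
    print("S: +", c.decode())
    print("C:", r.decode())
    print("accepted:", server.verify(c, r), "| RFC vector ok:", known_answer_ok())
```

The stored contexts are not reversible to the password, but anyone who steals them can answer challenges for that user, so the gain over plaintext is against disclosure and reuse elsewhere, not against impersonation on this server.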

Are We Being Compensated?? 

By Anonymous Coward
Posted Thursday 18th October 2007 22:09 GMT
Stop

I got the very email off them telling me to change my passwords. What I want to know is, I pay for a service, am I gonna be compensated for this inconvenience and the fact my info was and could be put in the wrong hands!

Credit card info safe? No assurances of this being the case.... Cancelled all cards... 

By Anonymous Coward
Posted Friday 19th October 2007 00:21 GMT
Stop

Not a big customer with Fasthosts by any means but the complete lack of assurances that the credit card details were not accessed and so on really worries me.

So much so that I've cancelled my current card and am getting a new one sent right out. Also cancelling with Fasthosts; it's too amateur-feeling now and I've got a couple of clients to keep happy. Nothing is risk free but not everyone is as stupid as Fasthosts...

A Fasthosts customer writes 

By PH
Posted Friday 19th October 2007 05:19 GMT

Fasthosts are starting to piss me off. Their webmail has always been painfully slow, their support people are frequently not on the ball, their web control panel can be temperamental – and now this password fiasco! One more balls-up and I'm certainly taking my hosting and my clients' hosting to another provider.

Farcehost 

By Neil
Posted Friday 19th October 2007 07:00 GMT
Stop

"... gained access to some of our internal systems via network connections. This security breach was only possible because of a security vulnerability which was forced illegally."

So Fasthosts had only protected themselves against the legal security vulnerability, I presume?

Anyone out there still using Fasthost I suggest you move quickly. This isn't the first time as we all know, and it won't be the last time that they shoot themselves in the foot. Best to part company and let it be their problem and not yours.

Curiouser and Curiouser 

By David Rose
Posted Friday 19th October 2007 08:03 GMT

This is not the first time in recent months that Fasthosts have signalled a cavalier attitude to the interests and security of their customers. It is less than 2 weeks since Fasthosts' incompetence ("Human error") led to the mass deletion of their customers' e-mails.

In September this year - just one month ago - Fasthosts disconnected the server hosting Craig Murray's Website and Blog. They did so in capitulation to pressure from Schillings, the Solicitors who acted on behalf of Alisher Usmanov, in an attempt to silence Murray - the former UK Ambassador to Uzbekistan. The panic of the Fasthosts reaction led to several other websites (including that of Boris Johnson) being pulled at the same time. Murray's comments about Uzbekistani Billionaire Usmanov, his character and history, had already been in the Public Realm. No Libel action had been launched in response to his book "Murder in Samarkand" published in July 2006. Schillings' pressure on Fasthosts was bluster, and Fasthosts (or their legal advisors if they were consulted on the matter) should have known that rather than immediately roll over in submission to these agents of censorship.

I am not attempting to establish a link between the Usmanov/Murray affair and the compromised server. Unless there is such a matter as Karma.

The combination of technical incompetence and the lack of defence of customers who upset the rich and the ruthless signals a somewhat unique attitude to Customer Service by Fasthosts. Their customers should take note.


Farcehosts 

By Anonymous Coward
Posted Friday 19th October 2007 08:26 GMT
Thumb Down

Any company that runs its entire web hosting platform on Windows is obviously staffed by people so muppetty that they will also store passwords on the system unencrypted.

Farcehosts have a long history of lying to their customers and in the face of a major security breach they are acting true to form.

@Smell My Finger - yes, web hosts oversell their capacity, and hundreds of sites on a box is not unusual. Depends on how much traffic each site is getting as to whether it's a problem. The problem with Fasthosts is that they offer 'unlimited' reseller accounts with 'unlimited' bandwidth and disk space. Therefore they are basically not in control of the load on their platform.

Lack of confidence 

By Alex
Posted Friday 19th October 2007 08:42 GMT
Alert

Fasthosts are not inspiring me with any confidence in their security practices at the moment.

Their login page boasts "Secure Login" yet sends login details in plain text (no HTTPS).

And the password reminder page says... "Quick tip: Once you have logged in, why not update your password to a more memorable word?"

Nice to see them encouraging people to choose nice easy to remember passwords and don't worry about them being dictionary cracked because somebody's probably already read it in plain text out of our database!

Brilliant.

Ecrypting Passwords 

By Tristan
Posted Friday 19th October 2007 09:21 GMT
Unhappy

Somewhere I worked was, for a while before they became ludicrously uncompetitive, a Tiscali reseller.

I could log in (and I bet I still could) and view every username/password combo for every DSL line we sold. Tiscali (at least as a reseller) doesn't encrypt.

I've spent enough time talking to support on innumerable customer sites to know that for damn near any DSL line you can ring up, do a DPA check, and get the password - it's not reset to a known value as it might be for a website.

Do FH present too much risk to your customers? 

By Anonymous Coward
Posted Friday 19th October 2007 10:13 GMT
Go

The commodity service that is delivered vs. the costs and risks presented to our customers appears to suggest that there is space for a hosting company providing service, support and flexibility. My experience is that FH are failing in all these respects and I suspect it won't get much better. Has the balance of power shifted to the accountants, and do you want to subsidise them sorting this mess out? More research on the alternatives, OR split your hosting and aggregate the risk....

Dear Fasthosts 

By Kenny Millar
Posted Friday 19th October 2007 10:24 GMT

Please transfer all my domains and services to EasySpace.

Yours sincerely,

E.x. Customer.

Not only but also 

By Kenny Millar
Posted Friday 19th October 2007 10:28 GMT
Thumb Down

Since many people use the same username and password for many sites, there's a good chance that the perps now have thousands of PayPal and eBay username/passwords too.

Passwords..I'd worry more about your creditcards 

By Anonymous Coward
Posted Friday 19th October 2007 11:16 GMT
Pirate

Ok this was about 2 years ago but Fasthosts also stored at this point the CC details all in plain text which all the staff could see.

Emails not received? 

By Mike Knowles
Posted Friday 19th October 2007 11:39 GMT

If you have not received an email yet, you will. I have several Fasthosts accounts and am receiving emails for all accounts but they are not all coming through at once

Real bummer. I feel for any admin who has loads of passwords to change. Mine will be enough of a pain in the ass and I only have a few to deal with!

Data protection act? 

By Anonymous Coward
Posted Friday 19th October 2007 11:56 GMT
Alert

Well I had a Fasthosts dedicated server for about a month in 2002. I quickly got rid of it as it was their own version of Linux, quite old, and would not run standard software. I've not done any business with them since.

To my surprise I got an email about this problem today.

I'm sure the data protection act has something to say about keeping account details for that long. I'm also sure I've asked them to remove me in response to past mailings.

Transferring to EasySpace - must be mad - from my experience there is regular downtime and they charge you for transferring domains away, which is always the first thing I check these days as it's a sign of a host who wants to make it difficult for you to leave.

based on stats from ippatrol.com my friends web site (few pages, basic html) had 157 outages in 2006 (42.5 hours) and 261 so far this year (48.5 hours).

Non Secure 

By Anonymous Coward
Posted Friday 19th October 2007 12:12 GMT
Thumb Down

Interestingly the ukreg login is on a secure site unlike the fasthosts one.

Any site that shows a padlock on the page should be avoided anyway. It always makes me double check the security since I got caught out by a site that claimed to be secure but wasn't.

It sent me and the hotel a plain text email booking confirmation with all my Visa card details displayed in full.

The site made all sorts of excuses, which were clearly lies as they still haven't secured it despite saying it would be done and they were just waiting for an SSL certificate. I did manage to get Comodo to jump on them for displaying their logo but Visa were not interested.

Be worried about card details, i am and 'might' have been stung! 

By Ian D
Posted Friday 19th October 2007 12:13 GMT
Alert

Only two weeks ago someone fraudulently used my debit card to the sum of just over £1.5k. Until yesterday I had been trying to think how they got my details as I still have the card, don't use it online, don't use it in the shops, don't use it anywhere. Then it clicked: the only time I've used this card (this is a transfer account for me!) is to renew my domains with ukreg, and the card details are stored within my control panel. I cannot prove it yet, but this is my only possible answer to the fraud and I would urge everyone to consider speaking to your bank. I've spoken to fasthosts/ukreg about this, but they refuse to comment as it's an 'ongoing police investigation' and all they said was they 'don't think' credit card details are at risk, but working on the basis that they used to (may still do) hold CC details in plain text format I have my doubts and will be considering legal action, as I'm still out of pocket for £1.5k!!!

Funny that... 

By Anonymous Coward
Posted Friday 19th October 2007 13:30 GMT
Flame

...how there's suddenly a "Remember to change your passwords regularly!" box on the Fasthosts control panel, yet still no mention on the Fasthosts site regarding this. The Fasthosts blog url now also redirects you to the main page.

Between the control panel that doesn't work half the time and the crap customer service, well the crap service full stop, I'm pretty fed up with them. There is nothing quite like showing off your wonderful new website to a client and it constantly hanging halfway through a simple script to make you look like a cowboy.

I would love to be able to say that I shall be taking my business elsewhere, I really would, but that is sadly not the case. I think I'm going to be very stiff come billing time, thanks to the massive shafting I'll be getting.

Credit card details! 

By Ian Fletcher
Posted Friday 19th October 2007 14:04 GMT
Unhappy

They "don't think" credit card details are at risk... I think there should have been a full stop after "don't think" - what a load of tossers!

Title 

By Christopher Emerson
Posted Friday 19th October 2007 14:23 GMT

"I'm sure the data protection act has something to say about keeping account details for that long. I'm also sure I've asked them to remove me in response to past mailings."

I have emailed them to cancel my account before as well. No luck.

I'm glad I don't actually use them any more, and the credit card I did use with them is expired now...

So-called biggest isn't always best 

By Patrick Shaw
Posted Friday 19th October 2007 14:29 GMT

Actually, I don't know how they can make the "biggest" claim anyway. According to Webhosting.info, they're actually third largest.

This is Fasthosts second card hack... 

By andy
Posted Friday 19th October 2007 15:21 GMT

From this post on The Register it looks like this is a second CC hack.

http://www.theregister.co.uk/2000/11/08/russian_credit_card_scam_looks/

Interesting that in this story in 2001 they claim the Credit card servers are not connected to the internet.

"Fasthosts has received a number of queries from customers over the last few days with regards to charges in Russian roubles from a company called Incomtel. We have reported the matter to the police who are investigating the incident.

We have carried out a full audit of our network security and are confident that all of our systems are fully secure. The servers that process credit card details are not connected to the Internet and we have found no evidence that any security breach could have occurred."

if you move from fasthosts... 

By Tom Parkinson
Posted Friday 19th October 2007 16:57 GMT
Alien

Do not under any circumstances go to 123-reg - they have totally lost it... was great once upon a time... you COULD speak to someone (at a silly call rate but you could get a human), now it's email support only and DNS outages are getting silly... where to go now with my 200+ domains though? Was gonna go to Fasthosts! Any recommendations? Need control panel and advanced A, TXT and CNAME DNS control...

Help updating many passwords 

By Sam Liddicott
Posted Friday 19th October 2007 17:04 GMT

A bit of work with the Selenium Firefox plugin should help automate the task for the poor guy who has 2000 accounts.

I've used it before now for such things.

Do 1 or 2 manually, look at the generated Selenium playback file and use Perl to expand the file to do them all.

How to create strong, MEMORABLE, passwords 

By Dave N
Posted Friday 19th October 2007 18:43 GMT
Heart

Bl**dy fasthosts! I've got hundreds of passwords to change now! Off the back of this I've made a little tool which automates creating strong memorable passwords. Some of you might find it useful - if you don't, sorry, I didn't mean to spam.

60k download - http://www.davenicoll.com/downloads/ptolemy.zip (requires .net framework)

Reseller Support Forums 

By Anonymous Coward
Posted Friday 19th October 2007 21:27 GMT
Flame

"The Forums are unavailable at this time."

WTF !?!?

I've had enough of this. I can still remember they were down for 3 days or so with some hard drive f**k up and the previous credit card fraud problems.

BYE BYE Fasthosts

Re: if you move from fasthosts... @ Tom 

By Anonymous Coward
Posted Friday 19th October 2007 21:32 GMT

Pah! They've just about given you the ability to have an MX record and an A record. I'm sure I've seen a comment from one person in the Fasthosts forums that the MX record has to be an IP address.

One free service I have used in the past was mydomain.com lets you have decent DNS control :-)

Not just fasthosts 

By Anonymous Coward
Posted Friday 19th October 2007 21:59 GMT
Stop

(Posted anon for obvious reasons)

I have an Egg Card - and you manage that account on-line.

Those account passwords are not hashed - I had forgotten my password and on phoning up, and after answering some security questions, they just told me my password.

This, I feel is much more an issue.

Jeeeeeeeez.... 

By Anonymous Coward
Posted Friday 19th October 2007 22:14 GMT
Paris Hilton

"Any company that runs its entire web hosting platform on Windows is obviously staffed by people so muppetty that they will also store passwords on the system unencrypted."

Doesn't take long for the 'freetards' to creep out of the woodwork. I work for a shared hoster, we run hundreds of windows and loonix boxes and there's certainly not a skills problem in either area. The problem tends to be with the personal hygiene and interpersonal skills of the spotty lunix know-it-alls who turn up to interviews, diss windows and then blabber pish when asked what actual experience they've had in managing and securing large scale hosting environments, be it windows or unix. I've met just as many idiot loonix know-it-alls as I have incompetent windows admins and IT staff in general, so get back to yer bedroom in mummy's house and install another pointless distro.

Peace and Love.

The Fake Anonymous Coward

@MX records etc 

By Mark Fenton
Posted Friday 19th October 2007 22:36 GMT

With fasthosts you can transfer the whole NS to another provider (say zoneedit.com or something) and then you can have complete control over your MX and other records.

@"Possibly the dumbest comment ever posted here", which is dumb 

By Anonymous Coward
Posted Saturday 20th October 2007 05:26 GMT
Boffin

"obviously you change your passwords to offset the possibility of brute force trial and error succeeding. (...) simply put if your password never changes a brute force attack will succeed regardless of the time it takes between each attempt."

You are dead wrong, but I'm too bored to explain why and it's 0700 on Saturday, too. Just consider that "brute force attack" will rarely be done at the "front door" but on a stolen file of N hashed passwords. A brute-force guessing run over that file will take less time than the average interval between changing passwords. Also look up "Rainbow Attack". The one problematic situation that "changing passwords frequently" mitigates is the case where your password is sniffed on the wire (not unlikely), then put into a database but left unused for significant amounts of time.

As "Daniel" says:

"The old advice on changing your password is mostly due to old circumstances. In the good (bad) old days, hundreds if not thousands of users would share access on a system, and frequently, those users were not trusted users (i.e., university systems)."

Thank you kind Sir for finally providing an explanation of the persistent "must change password regularly". One Free Internet for you.
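The post above argues that the guessing run that matters is the offline one over a stolen file of hashed passwords, and that rotating passwords does nothing against it. As an added example for this thread (not the poster's code), the following shows the arithmetic behind that: one precomputed table over a wordlist cracks every unsalted MD5 hash in a file at once, however many users it holds; a per-user salt forces the guesses to be redone per user, and a slow KDF multiplies the cost of each guess. The wordlist and user table are constructed for the demonstration, and "hash ops" is a simple count rather than a timing:

```python
"""Precomputed-table lookup against unsalted MD5 versus per-user salted
PBKDF2. Added example for this thread; data is constructed."""

import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "123456", "monkey",
            "dragon", "admin", "welcome", "fasthosts", "trustno1"]


def unsalted_store(users):
    """The 2007-era layout the post assumes: user -> md5(password)."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def precompute_table(wordlist):
    """Build hash -> word once; this is the only cost the attacker pays up front."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}, len(wordlist)


def crack_unsalted(store, table):
    """Pure lookups: zero hash operations per user, whatever the user count."""
    cracked = {u: table[h] for u, h in store.items() if h in table}
    return cracked, 0


def salted_store(users, iterations):
    """user -> (salt, pbkdf2_sha256(password, salt, iterations))."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return store


def crack_salted(store, wordlist, iterations):
    """Guess per user, stopping at the first hit; returns (cracked, hash_ops)."""
    cracked, guesses = {}, 0
    for u, (salt, digest) in store.items():
        for w in wordlist:
            guesses += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[u] = w
                break
    return cracked, guesses * iterations   # each guess costs `iterations` HMACs


# Constructed user table: three weak passwords from the wordlist, one not.
USERS = {"alice": "letmein", "bob": "dragon", "carol": "Tr0ub4dor&3x!", "dave": "letmein"}

if __name__ == "__main__":
    table, build_ops = precompute_table(WORDLIST)
    found, ops = crack_unsalted(unsalted_store(USERS), table)
    print("unsalted md5:", found, "| table build:", build_ops, "| per-file cost:", ops)
    found, ops = crack_salted(salted_store(USERS, 1000), WORDLIST, 1000)
    print("salted pbkdf2:", found, "| hash ops:", ops)
```

Rotation changes which hash is in the file, not how long the file takes to crack, which is the post's point; salting and a slow KDF change the cost per user and per guess, which is where the defence actually lies.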

Damn it... 

By Gareth Harmer
Posted Saturday 20th October 2007 06:18 GMT
IT Angle

Small-scale web developer seeks recommendations on new Linux hosting provider for small projects. Must provide PHP5 and MySQL. Must not charge for data overusage. Must not store passwords in plaintext.

Central authentication does NOT require plaintext!!!!!!! 

By Daniel
Posted Saturday 20th October 2007 07:11 GMT
Flame

Centrally stored password systems do NOT need to be unencrypted. I have implemented NIS, NIS+, Kerberos, and LDAP (line encrypted with SSL) authentication systems. I have authenticated RADIUS servers against LDAP. I have run POP, IMAP, HTTP auth, etc. authenticated against NIS+ and LDAP. Not ONCE did I store unencrypted user passwords.

If you store plaintext user passwords just because you need central authentication services, you don't know what you're doing. If you're passing yourself off as a Sr. level admin, you should be hauled in for fraud.

-daniel

FTP and email standards 

By Anthony Knee
Posted Saturday 20th October 2007 15:40 GMT
Boffin

FTP passwords are always sent in the clear. It's in the standard. Most large ISPs use FTP by default and few have secure alternatives. Most consumers tend to use and rely on passwords being sent in the clear. There is nothing wrong with passwords being in the clear if you trust the networks between the two endpoints.

Fasthosts mentioned a network intrusion so someone was probably sniffing packets and collecting passwords. You can see how easy this is by loading up something like Ethereal on your own computer and having a look at the packets going in and out of your computer. I am sure that around 95% of the readers here (if they look hard enough) will see their passwords coming and going in the clear.

At Keen Computers we don't allow our hosting customers to have FTP accounts. Customers have to use secure FTP instead. This involves the use of certificates and software like WinSCP. We have been using this technology for more than three years now. It adds to our support costs, but it increases security. We also force the use of HTTPS for the control panels - more certificates.

We have recently implemented secure email and are testing this with a small number of users. It has taken us hundreds of hours of testing to get to this point. This again requires yet more certificates and greater customer support and education which is expensive. So I am guessing that it will take a year or two for us to migrate all of our customers onto secure email.

Fasthosts is not necessarily the company to blame here. Some of the fault lies with Microsoft and the other developers of the software in use at Fasthosts. (With windows web server 2003 for instance, only basic FTP is available and additional software has to be purchased and/or installed into the servers to add the security.)

The hosting market is very competitive and profits are almost non-existent so customers get what they want. End users want to use FTP because almost all the relevant end user applications use or support FTP. This is why web companies are still using old fashioned protocols like FTP. If the large ISPs stopped using FTP they would lose 50% of their customers overnight and would have to spend millions on support - they cannot afford either of these options.

Fasthosts are correct to say that unencrypted passwords are standard / normal etc - they will be until everyone stops using FTP. Perhaps this incident will help move the industry towards secure FTP. (Microsoft have a good opportunity to change things because they have a new server operating system in beta.)

I am not naive enough to think we are totally secure at Keen Computers because at any time, I am aware of half a dozen or more weaknesses in the security of our systems (and hence the security of every other hosting company too.) Finding an ideal solution to them is not yet possible, too expensive or just not practicable. The security experts around the world are constantly working on the problems and discussing new ideas though. Eventually, new solutions are formulated, new applications are developed, new procedures are laid out and new standards agreed upon - and so every now and again we have the ability to raise our security to a higher level.

The number and types of threats against all of us are increasing all the time. Every single computer in existence at the moment is insecure - it's just that we don't always know how they are insecure or we don't want to pay the additional costs. The safest form of hosting would be a managed dedicated server - but they cost around £50 per month. Most people though will take the risk, save the planet and go for shared hosting instead.

A lot of the security problems today are all about trust - hence the certificates with everything to define who and what can we trust. Things get very political very quickly and anyone too paranoid ends up trusting nobody. We have to trust the suppliers, the developers, Microsoft, the network engineers, the sysadmins and even the users - but at the same time we have to keep up the pressure and encourage them to do better. In the past, there was too much trust, malware didn't exist and we all thought every program could be trusted to play by the rules - those days are long gone.

Anthony Knee

CTO, Keen Computers
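What the post above says a sniffer shows, as an added example for this thread (not Keen Computers' or the poster's code): FTP sends USER and PASS on the control channel as plain text, so anyone on the path only has to reassemble the stream and read the commands. The packets below are constructed, not a real capture: (source, destination, payload) in arrival order, with the server on port 21. The PASS command is split across two segments to show that reassembly is needed, one session upgrades with AUTH TLS after which nothing is readable, and one failed login is captured anyway, since a wrong guess goes over the wire just as clearly as a right one:

```python
"""Extract FTP credentials from cleartext control-channel traffic.
Added example for this thread; the packet list is constructed."""


def flow_key(src, dst):
    """Identify a session as (client, server), the server being port 21."""
    return (src, dst) if dst.endswith(":21") else (dst, src)


def extract_credentials(packets):
    """Return {(client, server): {"user", "password", "tls"}} per control session."""
    flows = {}
    for src, dst, payload in packets:
        key = flow_key(src, dst)
        st = flows.setdefault(key, {"user": None, "password": None, "tls": False,
                                    "_await_tls": False, "_buf": {"c": b"", "s": b""}})
        if st["tls"]:
            continue            # past a successful AUTH TLS it is all ciphertext
        side = "c" if src == key[0] else "s"
        st["_buf"][side] += payload
        while b"\r\n" in st["_buf"][side] and not st["tls"]:
            line, _, st["_buf"][side] = st["_buf"][side].partition(b"\r\n")
            text = line.decode("latin-1")
            if side == "c":
                verb, _, arg = text.partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    st["user"] = arg
                elif verb == "PASS":
                    st["password"] = arg
                elif verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                    st["_await_tls"] = True
            elif st["_await_tls"]:
                st["tls"] = text.startswith("234")   # 234 = proceed with negotiation
                st["_await_tls"] = False
    return {k: {f: v[f] for f in ("user", "password", "tls")} for k, v in flows.items()}


# Constructed capture: three clients against one server, segments interleaved.
C1, C2, C3 = "192.0.2.10:51002", "192.0.2.11:40111", "192.0.2.12:33020"
S = "198.51.100.20:21"
SAMPLE_PACKETS = [
    (S, C1, b"220 FTP server ready\r\n"),
    (C1, S, b"USER webmaster\r\n"),
    (S, C2, b"220 FTP server ready\r\n"),
    (S, C1, b"331 Password required for webmaster\r\n"),
    (C2, S, b"AUTH TLS\r\n"),
    (C1, S, b"PASS dogf"),                    # segment boundary inside the command
    (S, C2, b"234 Proceed with negotiation\r\n"),
    (C1, S, b"ood24\r\n"),
    (C2, S, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"),  # start of a TLS hello
    (S, C1, b"230 Login successful\r\n"),
    (S, C3, b"220 FTP server ready\r\n"),
    (C3, S, b"USER Administrator\r\n"),
    (S, C3, b"331 Password required for Administrator\r\n"),
    (C3, S, b"PASS Password1\r\n"),
    (S, C3, b"530 Login incorrect\r\n"),    # a failed guess is still readable
]

if __name__ == "__main__":
    for (client, server), info in extract_credentials(SAMPLE_PACKETS).items():
        print(client, "->", server, info)
```

The same logic applies to POP3 USER/PASS, IMAP LOGIN and SMTP AUTH PLAIN when they run without TLS; only the command names change.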

Unreal! 

By Jo
Posted Sunday 21st October 2007 02:17 GMT
Pirate

We started transferring our 2000+ domains from Farcehosts to another host earlier this year but still have 1000+ left.

It's going to be a long, long week as we finally say GTF to FH.

Can't recommend http://www.site5.com/in.php?id=43896 enough for hosting.

New internal security procedures 

By Anonymous Coward
Posted Monday 22nd October 2007 09:59 GMT
Alert

They just asked me to tell them my password so they can help with a problem I'm having. That's always a bad sign. It makes more sense now that I hear passwords were being stored in plaintext before. How did you hear of this? I just got the email but they were not forthcoming with an explanation. What a joke. If they've just had a security audit how can they be sending out emails asking for your password?

Another security issue they have is that they only run an old version of PHP on shared hosts. PHP5 is needed for the latest version of most applications with the best security. For example, MediaWiki (as used to run Wikipedia) doesn't support Turing testing of new registrants unless you upgrade to version 1.6, which needs PHP5 to run. It's not like PHP5 is a new product. Still, if they're having this kind of problem with internal security, no wonder they don't care much for customer security.

Re: Web hosting is a low margin business 

By Anonymous Coward
Posted Monday 22nd October 2007 11:25 GMT

Take it you've never seen fasthosts servers? It ain't expensive to build servers like that.... And no, I don't work for Fasthost, but I do like checking out other companies racks when we're at our data center

People maybe confused... 

By Anonymous Coward
Posted Monday 22nd October 2007 13:41 GMT

I think FH may have shot themselves in the foot...

The ISP i work for encrypt on their "servers", but internal "management databases/servers" do not encrypt. Therefore, on the actual hosting server the password is encrypted. However, backdoors that internal staff use to access the customer accounts are not encrypted and also the backend database is not encrypted, but also not exposed in anyway...

So FH may have just shot themselves in the foot with not being clear on this.

A very good reason not to encrypt passwords... 

By daniel
Posted Monday 22nd October 2007 15:52 GMT
Alert

Resetting a password is all fair and good.. except remember that they are hosting servers - maybe dedicated ones.

If a client forgets his root password, what do you do? Send an engineer out to the server room, find the server, reboot with init=/bin/bash, remount the root filesystem RW and reset the root pw? Or just start by resending the PW used to set up the system in the first place (90% of users have not reset their default password anyway...).

If they have lost their PW after resetting it, you can order a system "remote rescue reboot" by some hosting companies that can get you up and running, but not all servers are run by a half-decent sysadmin.

The final solution is a re-image, losing all your databases, website (backup? What's a backup?)

In the interest of customer security, having a password accessible is good...

But why was the password list not secured itself (ie. an encrypted document or data, descrambled with a master password), thus needing not only access, but also knowledge of that password to view...

It aint that bad for them 

By Anonymous Coward
Posted Tuesday 23rd October 2007 12:04 GMT

I used to work for Fasthosts, in their FrontLine Support Department and I have seen and experienced what goes on in that place.

I can say I have seen both their Data Centres, the dedicated and the Shared Platform - they are big and all servers are built with cheap parts, and I think you'll find most hosts will & do.

With regards to the low margin, I wouldn't say this is the case with FH at all - when you think yes you pay £4.00 a month for hosting, what if you want ASP or ASP.net? You have to pay for it. What if you want Stats? Again you have to pay. What if you want an outgoing mailserver? Again you have to pay. The list could go on.

As far as I can see and know the FH internal systems are hosted on NT4, so there's no wonder they got hacked.

Maybe they need to buck their Ideas up!
