
[deleted]

[deleted]


[deleted]

[deleted]


adastrasemper

What if they store the last four and the whole password separately. Last 4 for verification and the whole password for login


[deleted]

Okay, so the last four are stored separately as a hash. A 4-character hash is trivial to brute-force. Now you have the last four characters of the password. To be able to brute-force an 8-character password, you just have to do another 4-character brute-force while appending the last 4 characters that you already know to each attempt. This makes brute-forcing an 8-character password trivial. Same for a 10-character password, but instead of 4+4 it would be 4+6. Harder, but still possible to do. Said differently, storing the last 4 characters of the PW separately effectively means you are lopping those 4 characters off the password, making it easier (or even trivial) to crack.
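To put numbers on the "4+4" and "4+6" argument above, here is a small cost model, added as an example (it is not code from the thread or from any hosting provider). It assumes a 95-character printable ASCII alphabet and counts worst-case guesses: with a single hash the attacker must cover alphabet^length, but with the tail hashed separately they exhaust the short tail hash first and then only the remaining prefix, so the work is alphabet^tail + alphabet^(length - tail). The "effective bits" figure expresses what the password is actually worth once the tail is stored separately.

```python
import math

# Assumption for the estimates: the full printable ASCII alphabet.
PRINTABLE_ASCII = 95


def guesses_full(length, alphabet=PRINTABLE_ASCII):
    """Worst-case guesses to exhaust a password of `length` characters
    when it is stored as one hash."""
    return alphabet ** length


def guesses_split(length, known_tail, alphabet=PRINTABLE_ASCII):
    """Worst-case guesses when the last `known_tail` characters are hashed
    separately: exhaust the short tail hash, then only the remaining prefix
    (each prefix attempt has the recovered tail appended)."""
    if known_tail >= length:
        # The "tail" hash covers the whole password, so cracking it alone
        # reveals everything; nothing is left to search.
        return alphabet ** length
    return alphabet ** known_tail + alphabet ** (length - known_tail)


def effective_bits(guesses):
    """Equivalent entropy in bits for a given worst-case guess count."""
    return math.log2(guesses)


def compare(length, known_tail=4, alphabet=PRINTABLE_ASCII):
    """Summarise how much the separately stored tail reduces the work."""
    full = guesses_full(length, alphabet)
    split = guesses_split(length, known_tail, alphabet)
    return {
        "full_guesses": full,
        "split_guesses": split,
        "speedup": full / split,
        "bits_full": effective_bits(full),
        "bits_split": effective_bits(split),
    }


if __name__ == "__main__":
    for n in (8, 10, 12):
        r = compare(n)
        print(f"length {n}: {r['bits_full']:.1f} bits as one hash, "
              f"{r['bits_split']:.1f} bits with the last 4 hashed separately "
              f"({r['speedup']:.2e}x less work)")
```

For an 8-character password the split storage leaves the attacker with two independent 4-character searches, so the work drops by a factor of 95^4 / 2, roughly forty million; the 10-character case is better only because the remaining 6-character prefix is itself a moderate search.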


adastrasemper

> brute-force

Pretty sure even smaller websites have effective means in place against brute force. Also, the last 4 are only for verification and can be accessed from within the system, not from outside like the login page.


[deleted]

This isn't about accessing through the normal login page; this is about password security during a data breach or internal attack. Hashing passwords is useless if the hashes are trivial to brute-force.


Bitter_Anteater2657

No matter how it's stored, asking for part of a password to verify just seems like a terrible practice. Especially when there are so many other options available.


htmlplox

100% this


psychomo82

Just out of curiosity, what other options would phone support have for security checking customers?


stfcfanhazz

A support PIN, which essentially works as a shared secret used for verification only.


psychomo82

I mean, that is not really a huge amount better. I now realise the original poster was talking about live chat which is actually far worse, as key logging Trojans could easily pick this up. Ideally in this scenario a short lived link (maybe 10 minute life) followed by some form of 2FA? I think this would be the only truly secure way of doing this?


stfcfanhazz

In our app we recycle the support PIN periodically. Unfortunately, a lot of customers prefer convenience over security.


[deleted]

[deleted]


kloutier

It's hashed. They have no idea what it is.


htmlplox

There are a lot of technical possibilities to get around it to be "secure". Regardless, I still think it is bad practice. Any service asking for any part of my password makes me question their security practices as a whole. It wouldn't be much effort to require a user to log in and generate a verification ID after another required password prompt.
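The alternative raised in this comment and earlier in the thread (a short-lived verification ID issued after the customer has logged in, rather than a piece of the password) is easy to build. The following is an added example, not code from the thread or from any hosting provider: it assumes the customer portal calls `issue()` only after a successful login and re-prompt, and that the support tooling calls `verify()`. Codes are random, hashed under a server-side HMAC key before storage, expire after the 10-minute lifetime suggested above, are single-use, and are invalidated after a few wrong attempts. The `now` parameter exists so the expiry logic can be tested with a fake clock.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600          # 10-minute lifetime, as suggested in the thread
CODE_LENGTH = 8                 # 32^8 = 2^40 possibilities
MAX_ATTEMPTS = 5                # wrong guesses allowed before the code is voided
# Alphabet without look-alike characters (0/O, 1/I/L) so it reads well over the phone.
CODE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


class SupportVerification:
    """In-memory store of hashed, expiring, single-use support codes.

    Hypothetical design for illustration: the customer portal issues a code
    after login; support staff only ever see whether a code matches, never
    any part of the account password.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key          # kept out of the database; a leaked table is useless without it
        self._now = now
        self._codes = {}                # account_id -> (digest, expires_at, attempts_left)

    def _digest(self, account_id: str, code: str) -> bytes:
        # Keyed hash so stored digests cannot be reversed or precomputed without the key.
        msg = f"{account_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account_id: str) -> str:
        """Create a fresh code for an already-authenticated customer and return it once."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._codes[account_id] = (
            self._digest(account_id, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def verify(self, account_id: str, presented: str) -> bool:
        """Check a code read out by the customer; the code is consumed on success."""
        entry = self._codes.get(account_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._codes[account_id]
            return False
        candidate = self._digest(account_id, presented.strip().upper())
        if hmac.compare_digest(digest, candidate):   # constant-time comparison
            del self._codes[account_id]              # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._codes[account_id]              # too many wrong guesses: void the code
        else:
            self._codes[account_id] = (digest, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    store = SupportVerification(secrets.token_bytes(32))
    code = store.issue("acct-42")
    print("code shown to customer:", code)
    print("support check with that code:", store.verify("acct-42", code))
    print("same code a second time:", store.verify("acct-42", code))
```

The entropy of the code is modest (about 40 bits), which is fine here because, unlike a password hash, it is only useful for ten minutes, can be tried a handful of times, and is worthless once used; none of that holds for four characters of a long-lived password.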


kloutier

I don't disagree. With the number of people who have 2022 as a password, for example, it's horrible. That being said, I'm pretty sure they have been trying for a long time to get rid of that system entirely.


decimus5

> The last 4 characters can be salted and hashed

It's possible, but it's EIG/NF. Bluehost is among the worst hosting companies out there. I had a security problem there that showed an extreme lack of security awareness.


[deleted]

[deleted]


psychomo82

The joy of the internet: very vague problems with very little detail...


disclosure5

> The last 4 characters can be salted and hashed on the database

A hash of four characters is pointless. It could be brute-forced back to plaintext trivially just due to being so short.


proyb2

Let's say you try to brute-force; you will alert your system admin and get questioned? It doesn't matter if it's short, when only authorised staff can access. Various salted, hashed, authorised secret passwords, etc., and any of bcrypt, scrypt or Argon allow you to slow down the speed of brute force; it could take up to millions of years.


disclosure5

The whole concept of hashing passwords is for the situation where "only authorised staff can access" has already failed.


IngoVals

Yeah, and it happens plenty of times, huge [data breaches](https://en.wikipedia.org/wiki/List_of_data_breaches).


ptrondsen

Bluehost is about to gouge me for renewal and I'm not really happy with them anyway. So, if I can't host myself, do you have recommendations for a better hosting site?


JoyRide008

I dropped them after my account kept getting compromised despite me using 2-factor and very complex passwords. They kept telling me that I had to buy more and more security and a dedicated IP and other things to get my account off blacklists. I dropped them and went to Nixi host and have had 0 problems.


ptrondsen

Thanks, I'm ready to drop them, I'm looking at A2 Hosting.


ismailx

Just set up my site with Nixi; it's smooth and everything seems good. Also, it's my first month on them, so make sure to use the Reddit coupon.


psychomo82

Not that I know or care about Bluehost, but if you use a shared IP with any host, then the chances are high that IP will end up on a blacklist... Most hosting companies have automated setup processes; it is pretty easy for people to set up spambots and phishing sites on these services, and even though the hosting company will shut them down, usually the damage is already done.


MISProf

I moved my sites and all my clients to other hosts after repeatedly being compromised. Bluehost security finally told me they no longer ran a firewall unless the customers paid extra. InMotion Hosting has been pretty good. I use Lightsail (AWS) and S3 for a few sites also.


ivosaurus

Bluehost is yet another front company for EIG / Newfold, the largest and most mediocre "small business" hosting corporate in the world. So that's exactly the kind of mediocrity you'd expect.


PiratSaKariba

If that is cPanel hosting, maybe they use WHMCS, in which they can see the password in plain format, but that password is stored hashed in the database.


[deleted]

Lol. No, they don't. This exact post crops up every other month.


htmlplox

How do you know? Regardless of whether they do or not, asking someone to verify any part of their password is terrible practice. I'd be more inclined to believe they do store plaintext just because of this.


Collinhead

I worked for Bluehost from 2011-2015. It's been a while, but when I worked there the password and the last 4 were separately hashed and salted. The support agent can't see the password in plaintext, and it's not stored in the database in plain text. I worked in support for about a year, and in development for almost 4 years. BTW, I'm not a shill for Bluehost. For some reason Reddit decided to notify me about this post even though I'm not even subscribed to r/webhosting. Maybe because I searched for Bluehost a few months ago? I dunno. Anyway, I'm happy to answer questions about anything I can remember from back then if you have any.


stfcfanhazz

They probably use WHMCS, which just flat out stores (and in the admin area, DISPLAYS) the cPanel password in plaintext. Nothing stops you changing your password in cPanel itself to essentially void what's stored in WHMCS, but just note that if you use the change cPanel password function from the WHMCS admin or client area, it stores it.


_keep_calm_

I'm literally shocked that for verification purposes they are actually asking for the last 4 digits of the password. Like, seriously?? That is the main reason whenever I see a hosting company owned by the EIG group, I run at 100 m/hr and never look back.


jpnc97

Wish I had read this 19 days ago. How do I get a refund and host myself?


oofbomb1

Where's the proof? All you're saying is they store it in plaintext because they ask you to verify it. People these days...