Beware ANHosting / MidPhase
A couple days ago I needed to renew my hosting agreement with ANHosting/MidPhase but was having trouble logging in because they sent me an http link when only https responds. I reported this so the tech helpfully replied with my userid and password. I was floored! You never, ever send passwords over email -- it is not a secure transport. I explained this to them but they didn't actually read my message and instead sent me the login credentials a second time! Repeated explanations on why this is a Bad Thing™ went unacknowledged.
What's scarier is that they're actually able to do this. It means that they're not following "best practice" of storing passwords as salted, one-way hashes that can be used for validation but not recovery. It would not surprise me if their password database is completely plaintext but even if encrypted, it's reversible encryption and that is dangerous. At some point, they're going to be hacked or a disgruntled employee will steal the database and then everyone's login credentials will be leaked. Adobe recently had 153 million account passwords revealed and though they were encrypted, they weren't salted and so are quite weak: http://xkcd.com/1286/
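To make "validation but not recovery" concrete, here is an added example (not from the original post, and not ANHosting/MidPhase's code) of salted one-way storage next to an unsalted scheme. The accounts are constructed, the PBKDF2 parameters are assumptions, and the unsalted SHA-256 stands in for any deterministic unsalted scheme rather than what Adobe actually used.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_digest(password: str) -> str:
    """Weak scheme: deterministic, so equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> dict:
    """Store only a random salt and the derived key, never the password."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "key": key.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive from the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["key"]))


def shared_password_groups(stored: dict) -> list:
    """Group users whose stored value is identical, as a leaked table would show."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts: two users happen to share a password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    weak = {u: unsalted_digest(p) for u, p in SAMPLE.items()}
    strong = {u: make_record(p) for u, p in SAMPLE.items()}
    print("unsalted:", shared_password_groups(weak))
    print("salted:  ", shared_password_groups({u: r["key"] for u, r in strong.items()}))
    print("login ok:", verify("correct horse", strong["alice"]))
```

With records like these, support staff have nothing they could email back: the only operation the stored data supports is checking a password the user supplies.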
As far as I'm concerned, what ANHosting/MidPhase is doing here is criminally negligent. They have my payment details on file and are giving out my login details without me even requesting them.
At least I use a hashed password so even if somebody steals this account from me they can't use the information to access any other account.

https://plus.google.com/u/0/107188281763279197751/posts/GL31XJR1KSa