CloudAccess.net Stores Non-Hashed FTP/SFTP/SSH Passwords

One of the ways that security issues at a web host can lead to hosted websites getting hacked is if there is breach that reveals users login details and then the hacker uses those to log in to customer accounts. Not getting breached in the first place is the best way to prevent this type of thing from occurring, but other measures should be taken to limit the potential impact of a breach.

One of the measures that needs to be taken is to store passwords as securely as possible, which means storing them in hashed form. You can think of a password hashing as one-way encryption. That is, the data is encrypted, but it cannot be decrypted, so the underlying password is not retrievable in normal circumstances. With this type of password storage when someone tries to log in the password they input is hashed and then compared with the stored password hash to see if they are the same. With hashed passwords even if someone gets access to the stored passwords it would be difficult for them to do anything with them, since they would first have to crack the hashes.

One way to spot if a password is being stored in non-hashed form somewhere in a web host systems is if it can be displayed to you, since if they were only stored in hashed form they wouldn’t know what the underlying password is to be able to show it to you. While we were working on a website hosted with CloudAccess.net recently we spotted this page in their control panel:

CloudAccess.net control panel FTP/SSH page

When you click on the “View hidden password” it will in fact show the password for FTP/SFTP/SSH, which wouldn’t be possible if the password was properly stored. Since we can’t see the underlying systems we don’t know if they are storing the password in plaintext somewhere, which would be the worst case, or if they are at least encrypting it.

Such bad security doesn’t match CloudAccess.net’s claims about their security. For example they claim that:

The CloudAccess.net Platform is continually monitored and managed by specialized security experts who understand the security requirements of both the server and application.

Another claim that sounds bad, but could be an indication that other web hosts have even worse security is that:

Our managed hosting service is widely considered to be more secure than the many alternatives.