2012-06-13

Are you using DNSStuff.com? You shouldn't!

I have been using LastPass for a while now and I was very happy to find out they now also offer two-factor authentication. This has, as far as I know, been available for ages, but you had to use a YubiKey. I don't know when they added support for Google Authenticator, but they did. And since I have been using it for a while for my Gmail and Google Apps accounts, I was glad to find out LastPass supports it too.

For a few days I have been cleaning up old accounts from websites I once registered at but am not using anymore, and organising the leftover accounts in logical groups. This cleaned up my LastPass vault nicely. It also gave me the opportunity to check each site's password and "harden" it: the handful of old passwords I reused on many different sites (I had about 3 or 4 back in the day, usually no more than 5 characters) are being replaced by a unique password for each site. And, since I don't have to remember them anymore, I can use passwords like "Fd6*8&T8q8vn2Uz".

And so, in the process of cleaning up my passwords and changing them, I came across my DNSStuff.com account. It was one of the last accounts I had to check to get my list cleaned up. I logged in with my old, 7-character (a-z only) password and looked around for a way to change it. I couldn't find one, so I tried the "I forgot my password" procedure in the hope that the email being sent would contain a link or information to reset my password. Here's what I received:

Dear Rob Janssen,

You have requested your member log-in information.
     Your User ID:  RobIII
     Your Password: mypasswd

Log-in to member pages at:
    http://www.dnsstuff.com/amember/member.php
--
Best regards,
The DNSstuff Team
www.dnsstuff.com

Wait. What? How come I just received an email that contains my actual password? Shouldn't my password be hashed? How come I didn't receive some token to reset my password, or, hell, even a password reminder (e.g. "Your mother's maiden name" kinda useless crap)? Nope. It was actually there in the email. Not good. Not good at all. So I sent an email in the hope of getting a decent explanation:

Hi!

I wanted to change my password but couldn't find any way to do it. So I tried the "forgot password" in the hopes it would send me an email with a link to some page where I could change my password.

So I checked my e-mail and guess what? It sent me my password! ARE YOU FREAKIN' KIDDING ME? SERIOUSLY? You know this is 2012, right?

Are you ACTUALLY storing passwords in CLEAR TEXT? SERIOUSLY?

Please send me a link to where I can change my password or just delete my account. This is ridiculous. [...]

And here's what I got back:

Hello

Thank you for contacting Solarwinds Customer Service.

Unfortunately the option to change passwords is not available through the website. This function is currently being developed.

Should you wish to change your password I will need to change it on your behalf.

Should you wish me to change it for you, please confrm your user ID and advise if you require me to change it to something specific or should I auto genertate(SIC) it.

Kind Regards,

Kim Cotter • SolarWinds • Customer Service

Customer Service: 866.530.8100, Option 1 | Fax: +353 21 2380232

Seriously? I had to respond:

Hi!

This is preposterous; it’s 2012 for Pete’s sake! "Currently being developed" in a website that has been around for many years? When will it be done? 2024?

You are aware of the many, many, websites being hacked nowadays? And they have at least taken the effort to at least hash (and sometimes salt) my password so that even *when* they are hacked/leaked my password isn’t easily available to the hacker. They don’t store the passwords as clear text, as you do!

[...]

I… I just can’t get my head around how this could happen; this is one of the first functionalities you would build when offering users the ability to create accounts. Many websites today even offer two-factor authentication and/or OAuth, OpenID and other ways of authentication. And they most certainly offer the ability to change passwords…

I am not going to suggest a new password to you; a password is (and should be) private information. How do I know I can trust you with my password? Even if I knew I could trust you with my password I wouldn’t give it to you and most certainly not over e-mail. An auto-generated, temporary(!), password for a password reset procedure would be another thing, but sending me an auto-generated password I cannot change after using it once(!) is worthless.

No thanks; I’ll use one of your competitors’ services. Even if they’d not offer the same services as your company does (which they do) I’d be happy to switch. Solarwinds is clearly still stuck in the stone age and is, "currently being developed" to probably be thrown into the dark ages. Yes, that might be called an improvement. But it’s not anywhere close to my satisfaction.

Thanks for your response and services. Please delete my account: RobIII

Yes, I am, and can be, a dick. I know.

One possible excuse could be that DNSStuff.com stores passwords in encrypted, rather than hashed, form (which would at least explain how they can mail the original back). However, taking into account the inability to change my password and employees asking me to send a password over email so they can change it for me, I am convinced this is not the case.
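The two things this post keeps coming back to, storing only a salted hash (so a "forgot password" mail can never contain the plaintext) and resetting via a single-use, expiring token rather than by revealing or e-mailing a password, as an added Python example. This is not code from the original post and not DNSStuff's, SolarWinds' or LastPass's code; the PBKDF2 parameters, the in-memory AccountStore and the 30-minute token lifetime are assumptions chosen for illustration.

```python
"""Salted password hashing plus a token-based reset flow (constructed example)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a random
# per-user salt. The iteration count is a present-day choice, not a 2012 one.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RESET_TOKEN_TTL = 30 * 60  # seconds a reset token stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    Only this record is stored. The plaintext cannot be recovered from it,
    which is exactly why a reset mail can only ever carry a token.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


class AccountStore:
    """Minimal in-memory account store (an assumption made for this example)."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}  # username -> password record
        # token *hash* -> (username, expiry): a leaked table yields no usable tokens
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and verify_password(password, record)

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Self-service change: needs the current password, then re-hashes with a fresh salt."""
        if not self.login(username, old):
            return False
        self.users[username] = hash_password(new)
        return True

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a random, single-use, expiring token. This is what the e-mail would carry."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
        self.reset_tokens[token_hash] = (username, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token (valid or not) and, if it was valid, set the new password."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self.reset_tokens.pop(token_hash, None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("RobIII", "mypasswd")
    print("stored record:", store.users["RobIII"])  # no plaintext anywhere in it
    token = store.request_reset("RobIII")
    print("reset mail would carry a token, never the password:", token)
    print("reset completed:", store.complete_reset(token, "Fd6*8&T8q8vn2Uz"))
    print("old password still works:", store.login("RobIII", "mypasswd"))
```

Two details matter beyond the hashing itself: the reset token is consumed on first use and after it expires, so a mail that is read late or twice is useless, and the server keeps only a SHA-256 of the token, so a dump of the reset table does not hand out working reset links the way a dump of a plaintext password table hands out working logins.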

As always, what you, dear reader, decide to do with the above information is up to you. But when "DNSStuff.com passwords leaked" appears in your Twitter/Facebook timeline, Google News, Reddit or whatever other news source you use, remember this post. All I can say is that I hope other Solarwinds products implement better ways of storing passwords. But I wouldn't bet on it. Then again, you never can...

Update: After another e-mail reminding them of my previous emails, my account was finally deleted two weeks later. Let's hope it wasn't a "soft delete" (e.g. update accounts set deleted = 1 where accountname = 'RobIII'), but I am afraid this will be the case. Oh well...