At this point, I honestly find myself in awe at how bad password storage is *in general*. Apparently when you go through the "forgot password" process, you're emailed a plain-text password instead of being put through a proper password reset process. IMO I want a company that can stand up and say "Yep, our user database was compromised, but no worries, the way the passwords were stored was bulletproof. You can change them if you want though!" (or ideally a company that doesn't get compromised at all, but I'm "dreaming" there har har!)
I know someone who always had a flippant attitude towards this sort of thing. "Oh, setting up a webserver? That's easy right? Oh, configuring email is easy too, it shouldn't take more than 15 minutes." Showing this person a Postfix diagram was not at all daunting, and this person had never so much as set up a LAMP stack. In other words, a professional bullsh*****. IMO this is the problem - we have far too many cocksure people who for some reason just don't associate the complexity of properly setting up a webserver and keeping it secure. Of course these same people end up finding out that they have been turned into a spam relay because someone hijacked their oh so finely tuned Postfix installation.
I think the only thing saving the average person is security through obscurity. Go ahead, install and configure all of your own stuff. If you are blog #280,000,012 chances are you are going to be fine - not because you know what you're doing, but simply because you are irrelevant and invisible.
I could easily set up a basic LAMP stack, but what stops me from doing it is knowing enough to fear how much I truly don't know. Just because I can #sudo tasksel does not a Linux admin make. I try to learn as much as I can, but at the end of the day I rely on *hopefully* more knowledgeable people to do the heavy lifting, expecting their experience to translate into stability and security. In the end though, I'm just left wondering if that was just a delusion on my part. At the end, I wonder if the jobs just go to the people who are outright liars and if my cautious / honest statements rule me out for jobs that less qualified people end up taking based on the strength of their exaggerations.
/rant


