How very 1990s
SSH with passwords rather than keys? How terribly quaint and 1990s.
A bit short of details in the article - would be interested to know exactly what was exploited and how.
Hosting biz GoDaddy has admitted a hacker tampered with an SSH file on its servers, leading to the theft of 28,000 users' SSH credentials. The intrusion, which took place last month, involved one or more malicious persons "alter" an SSH file on GoDaddy's infrastructure, the US giant told The Register. GoDaddy spokesman Nick …
When my son, an aspiring writer, built a site 0to post his short stories, He didn't want my help (which IMHO would have helped) so when I suggested he get a domain name, I decided to research his options.
I eliminated GoDaddy from the list early on. They really haven't seemed to have progressed much from their origins as a slapped together discount provider with a flashy ad campaign. Back when they started this might have been enough, given the limited (and expensive) competition. But now there are a wealth of options and many offer more and seem to be better put together and better run. Among other things, in 2017 we learned that its domain validation system had a serious bug and they had to revoke 9000 SSL certificates. Then there was the authentication weakness which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain. If I wouldn't trust them for a minor site, I can't imagine a company trusting them with their business.
Shameless plug for my son (please don't tell him:https://www.failingandflailing.com/
One _can_ get a domain registered to (and hosted on, the folly of youth) GoDaddy out, but it takes work and perseverance. What I _can't_ apparently do is get them to acknowledge that I haven't had any business relationship with them for years, so bugging me with "Your account is suspended because the credit card we have on file has expired" emails is at best pointless.
Note the recent story in ElReg about shenanigans in Colombia, where Neustar is reported to be selling (or attempting to sell) their registry business, including .biz, .nyc, and .us to GoDaddy.
From the U.S. perspective, you get what you pay for...caveat emptor comes to mind. Now here's an interesting fact that I want to share with you about GoDaddy: They are the registar of choice for fishing and fake web sites. More often than not, if it's a fake web site, then the registar is GoDaddy.
Hashing doesn't matter if the process of logging in sends the password to the server and you've gained control of the server. The statement is carefully wishy-washy, my guess is the configuration was corrupted and delegated password checking to something under external control.
The web sites that I develop uses the CHAP protocol so the plaintext password is never sent. The server sends a random binary string, salt, hash method, and hash rounds to the client. The computation is done in the client and that result is sent to the server. If they match then the password is valid. The random binary string changes for *EVERY* login request to thwart playback attacks. So even if SSL isn't used, the password is still protected. In this case, not even the server has the plaintext password stored. Furthermore, the ONLY time the server actually gets the plaintext password is when the user creates a new account, or they change their password. I have a project in the works to change that too.
This post has been deleted by its author
Biting the hand that feeds IT © 1998–2021