Salt & hash all passwords currently visible/viewable in CloudWays admin
While the CloudWays service is great, I've been concerned for a while now that I can simply click to copy passwords for SFTP, SSH, databases & WordPress. My concerns have been amplified as yesterday over 1.2 million compromised passwords were stolen from GoDaddy because they stored their details in a similar way: https://wptavern.com/godaddy-data-breach-exposes-1-2-million-active-and-inactive-managed-wordpress-hosting-accounts
Simply put: ALL passwords stored on CloudWays should be salted & hashed. There should be no way for CloudWays (or me) to retrieve them once they've been saved. The fact that I can indicates they are being stored as plaintext, which is a huge security issue. Passwords should only be visible at the point of creation, and should then be stored and compared against a salted & hashed version - no one should EVER be able to retrieve their password.
Please make it a priority to change the way you store passwords for all of your systems, otherwise I'm very much concerned that you will suffer the same fate as GoDaddy.
Lawrence M
shared this idea
-
Mike
commented
Yes, please take this seriously.