"In my entire life, I’ve never heard of a company storing passwords in plain text"
He needs to get out more. Happens all the time I reckon. Someone throws together a prototype with plaintext username/password column on the person or user table and 10 years later it's still there. I have personally seen this at two different companies.
Also, hashed passwords aren't all that much better these days - I know of a vBulletin forum that got penetrated recently, and did a bit of digging about how it stored passwords - MD5(MD5(password).salt) or something similar - doesn't seem to stop people with something called passwordpro from bruteforcing passwords from hash:salt combinations - even things that don't look particularly prone to dictionary attacks seem to be getting answers in 24hrs or so on various forums...
I'm wondering whether I trust myopenid or google's openid service enough to centralise as much of my online authentication there as I can...
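The hash scheme quoted in the comment above, placed next to a salted, memory-hard replacement and a re-hash-on-login migration path. This is an added example, not code from the thread or from vBulletin; the legacy layout (MD5(MD5(password) + salt), with the salt stored in the clear) and the record shape are assumed from the comment's description.

```python
import hashlib
import hmac
import os

# Legacy scheme as described in the comment (assumed layout):
# stored = MD5(hex(MD5(password)) + salt), salt kept in the clear.
# Two fast hashes add almost nothing to the cost of a guess.
def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

# Replacement: scrypt from the standard library (memory-hard, tunable).
# Parameters below are a modest interactive-login setting (~16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAXMEM = 64 * 1024 * 1024

def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=32)

def strong_hash(password: str, salt: bytes = None) -> str:
    """Self-describing record: scheme$N$r$p$salt_hex$dk_hex."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    dk = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    dk = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare

def verify_and_upgrade(password: str, record: dict):
    """record = {'hash': ..., 'salt': ...} for legacy rows, {'hash': 'scrypt$...'}
    after migration. Returns (ok, record_to_store): a successful legacy login
    is the only moment the plaintext is available, so re-hash it right then."""
    stored = record["hash"]
    if stored.startswith("scrypt$"):
        return verify_strong(password, stored), record
    if not hmac.compare_digest(legacy_hash(password, record["salt"]), stored):
        return False, record
    return True, {"hash": strong_hash(password)}  # legacy salt no longer needed
```

Rows that never log in again keep the weak hash, so a migration like this is usually paired with a forced reset for stale accounts.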
Indeed. Many ISP billing/CRM systems date back to the 1990s and store plaintext passwords as a "feature."
Non-technical users (say, customers of a dialup ISP) tend to like being able to "guess" at their password with the customer service rep instead of having to recite their exact password or pick a new one on the spot.
True, it is a "common" mistake. It is also amateurish.
I run a few sites on MT. We pay the ~$20/mo hosting fees with the expectation of well-configured apache servers, fair customer support, and the ability to handle an occasional Slashdot, Reddit, or Digg effect. While we keep our CMS' up-to-date, we are happy to pay for the overhead of having someone else deal with OS, network, and server issues.
Unfortunately, their "amateurish" mistake pretty severely attenuates our confidence in their competence -- for existing and future features alike. Worse, it equates to real lost time for us to recover, additional lost time as we implement new security measures (e.g. Tripwire IDS), and frustration with the fact that we found out about our sites being hacked back on Nov. 12th and yet they are just now notifying us of the larger issue!
At my last job, my boss insisted on Media Temple because they had "good spam filtering and the GridService is fast." Unfortunately, neither of those are true. I had a horrible experience with them, response times were slow, and I would never recommend them to anyone.
The real solution, of course, is to use Slicehost (or any of the other virtual machine hosting companies) and Google Apps for email which has unparalleled spam filtering.
While I'm not glad they were hacked, I do hope that people start realizing they're not all they're cracked up to be, and just because they have a fancy website doesn't mean they're that great a service.
I thought MT was good when I was using them, but once the site got a little bigger I moved to EC2 and have never looked back. Much faster and much cheaper.
MT = Marketing Temple.
I doubt there are any competent tech people over there. It's like those unlimited bandwidth sites like site5.com, hostgator.com or servage.net but then, a bit more expensive, better designed and with a more loyal (and more known) user base.
I occasionally do some development work for a web design company that has most of its clients using MT for hosting. MT is expensive, but their customer service is actually quite good, their techs are knowledgeable and their web based admin tools are nicer than what you usually get from discount web hosting shops.
> but their customer service is actually quite good
I would personally disagree with that. I know I'm just a datapoint of one but every single time I've created a ticket on (mt), it takes 3-12 hours before anyone even replies back. Phone calls take 30-60 minutes before a tech answers and they don't always appreciate when I inquire about an open ticket because I'm supposed to wait 12 hours when all my sites are down. I have had 3 different accounts (personal + job + projects) and experienced slow ticket response times on all of them. I've created tickets for real, technical problems with my account that were beyond my control and was treated like it was all my fault. Looking over at some of my past tickets, here are the subject lines:
> All my sites are extremely slow on this account
> All my sites are down!
> As of 9:15am EST all my sites are running painfully slow
> URGENT: What happened to all my sites?!!!!!!!!!!
There's not much I can do when I go to mydomain.com and find "Index / not found" other than post a ticket. And it takes 2 hours before someone responds with a canned "Please check if you uploaded your files correct." Actual resolution takes another 6 hours.
I am still with (mt) and have no plans of switching right now (too much work) but that's only because nothing has gone wrong in a while and everything seems to be working at the moment. It's only time before I get frustrated or lose money due to the long waits and decide to switch. I have worked with many many hosts over the past decade and I'd say (mt) is pretty close to the bottom. Sorry, didn't mean to bad-mouth a single company but I just wanted to justify why I disagreed with your comment.
Switch to Hostgator. They will migrate your previous hosting setup for free after you buy an account. Their most expensive shared plan is only $13 per month. And their support is generally fantastic.
I'm not associated with them in any way other than being a customer... And I (and my company) have been a customer for over 4 years.
> I've created tickets for real, technical problems with my account that were beyond my control and was treated like it was all my fault
This is exactly how they made me feel, constantly. I had complained about database performance (or lack thereof), sites not loading, etc and it was always my problem according to them.
Try Rackspace Cloud if you're ever looking to switch. I host my Rails application on Cloud Servers but they also have Cloud Sites which is the managed web hosting. They say their support is fanatical, and they're not exaggerating. An upgrade in ArchLinux took my server down, I tweeted about it, minutes later they called me on my cell phone at 11:00PM and resolved the issue quickly and happily.
I'm a major fan of ServInt...after being nudged off LaughingSquid for taking too much bandwidth I was pointed to (mt) but found they didn't do server-side backups and were demure about their tech support.
Servint is more expensive and it's a VPS so you have to do some more work, but they've been -excellent- at customer support with fantastic response times and smart staff, they really do have daily backups (which we've used in our darkest moments), allow ssh access (OMG, so useful), 4 static IPs, 'infinite' virtual sites, and can stand up to a slashdot/engadget/boing/etc storm all at the same time.
Anyways, I'm picky and have had nothing but good experiences with 'em.