PSA: Acixs Web Hosting

Minalien

New Member
Jul 29, 2019
This is something that's gone on over the past two days or so, but I think Jakimfett (of MineChem) summed it up best with this post on his blog: http://jakimfett.com/status-report/authentication-encryption-acixs-hosting/

For those of you who don't feel like reading, it comes down to this. Acixs stores your passwords in a reversible manner. This is hugely insecure, even if their claims to have their database encrypted are true. I'm not saying to absolutely avoid using Acixs if you're already using them or if you think they're your best bet. But be aware that your passwords are stored in a manner that somebody can recover - whether it's them, or attackers. If you are going to use Acixs, use a password that you don't use anywhere else. Take efforts to do what they will not - protect your data.
 

MrAdder89

New Member
Jul 29, 2019
Hi,
My name is Daniel 'MrAdder' Green and I represent Acixs Hosting.

I'd like to let you know that the issue raised here has been addressed. The password system has been updated and is no longer shown to users in the WHMCS control panel. When accounts are created, users are informed of their temporary password and informed that they need to change their password when they log in for the first time. We're also working with Multicraft to work out a better system for dealing with passwords to help ensure security for users across the entire Minecraft community.

Please, if you have any concerns regarding this or any security matter, you can always report it to us at security[AT]acixshosting.com

Regards

Daniel 'MrAdder' Green
Acixs Systems & Technical Manager
 

Minalien

New Member
Jul 29, 2019
It's a shame that they didn't have you or Ben just address this in the first place, but such is the way of startups I suppose. Thanks to both you and Ben for tactfully addressing the concern of user security, and I hope that the rest of the Acixs team learns from this and either addresses issues tactfully or handles things through those of you who understand how to do so.

My main concern, however, isn't simply the users' passwords being shown to them - it's whether or not these passwords continue to be stored using a reversible encryption scheme or if they are (either planned or implemented) hashed and stored properly. Can you comment on this?
 

MrAdder89

New Member
Jul 29, 2019
It is partially implemented at this time, but due to the Christmas and New Year's holidays the development team have been on break, and the full implementation will be completed within January of 2015.
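The distinction this thread turns on, reversible storage versus salted one-way hashing, and a migration from one to the other, as an added example that is not part of any post and is not Acixs, WHMCS or Multicraft code. The record layout, function names, iteration count and the HMAC-based stand-in cipher are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example

def _keystream(key, nonce, length):
    """Constructed stand-in for a reversible cipher (HMAC-SHA256 in counter mode)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def store_reversible(password, key):
    """Legacy-style record: anyone holding `key` and the database can read the password."""
    nonce, data = os.urandom(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return {"scheme": "reversible", "nonce": nonce, "ct": ct}

def recover(record, key):
    """The operation a reversible scheme allows and a hash does not."""
    ks = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()

def store_hashed(password):
    """Per-user random salt plus a slow KDF; only verification is possible afterwards."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "salt": salt,
            "iterations": PBKDF2_ITERATIONS, "digest": digest}

def verify(record, candidate, key=None):
    """Check a login attempt against either record type, comparing in constant time."""
    if record["scheme"] == "reversible":
        return hmac.compare_digest(recover(record, key).encode(), candidate.encode())
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def migrate(record, key):
    """Re-store a legacy record as a hash; the ciphertext is not carried over."""
    if record["scheme"] != "reversible":
        return record
    return store_hashed(recover(record, key))
```

After `migrate`, the stored record contains no ciphertext, so the key no longer yields the password; the old reversible copies, including any in backups, still have to be destroyed for that to hold.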