Please stop compromising passwords!
oscmeister
06-26-2004, 05:35 PM
Plesk and apparently whatever RimuHosting is using to set up new accounts seem to have a tendency to send login information, including passwords, in plain text via email!
The excuse as always was something like "everybody else does it this way", but at least RimuHosting asked if there might be a better way. Still waiting to find out if they intend to fix the problem.
arthur
06-27-2004, 05:16 PM
Hi, I was alarmed to see this as I take security of my VPSs very seriously, but hadn't actually thought about it before now. I checked back at my setup welcome emails and found that yes, they appear to be sent as plain text. The answer, I think, is to simply change the VPS root passwords as soon as possible if anyone feels that they may have been compromised, as I have now done. To be honest, I would highly recommend that anybody change a root password at least once a month to be safe.
kind regards,
Arthur
misha
07-01-2004, 09:35 AM
Plesk and apparently whatever RimuHosting is using to set up new accounts seem to have a tendency to send login information, including passwords, in plain text via email!
Yes. I believe it is a minor security issue, but the first thing I did was change the password. So the host was wide open for a few minutes. However, it looks a bit inconsistent. You submit your order and password via https and then you are getting back your password in plain text via mail.
chris
08-10-2004, 02:07 PM
It's been a while since I set up my account, but I'd suggest that as an interim step Rimu should put a note on the bottom of the email stating that since the password was sent in plain text, for security purposes, it should be changed immediately.
Sending in plain text at setup isn't desirable, but most knowledgeable users should know enough to change it. A note would be valuable for the less knowledgeable (or less alert) user.
Pullings
08-22-2004, 10:03 AM
I agree; this is a real problem. Changing the root password quickly may help but it doesn't close the window of vulnerability.
RimuHosting should fix this.
Pullings
spader
09-08-2004, 11:53 AM
How about being a little more constructive than 'they should/need to fix this'. How about offering ideas?
Like one would be that when you sign up and submit your order the confirmation email sends you a link to a secured site that you need to login to with the username and password you signed up with, to get your information. So it is stored there and all that is sent to you is an email with a link.
Or maybe the confirmation email can be reworded (if it's editable) to say the username is blah and the password is what you signed up with?
Criticism is all good... as long as it's constructive.
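The first idea in the post above (email only a link, keep the details behind a login with the signup credentials), sketched as an added example that is not part of the thread and is not RimuHosting's or Plesk's code. The portal URL, link lifetime, PBKDF2 parameters and the in-memory store are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

PORTAL = "https://portal.example.invalid/welcome"  # placeholder URL (assumption)
TTL = 24 * 3600        # link lifetime in seconds (assumption)
ITER = 200_000         # PBKDF2 iteration count (assumption)
_pending = {}          # sha256(token) -> record; stands in for a server-side table


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)


def create_welcome(username, signup_password, server_details, now=None):
    """Store the account details server-side; return the email body to send."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    # Only a hash of the token is stored, so a leaked table cannot mint links.
    _pending[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username, "salt": salt,
        "pw": _pw_hash(signup_password, salt),
        "details": server_details, "expires": now + TTL,
    }
    # The email names the account and the link, never a password.
    return (f"Your server is ready, {username}.\n"
            "Sign in with the password you chose at signup to view the details:\n"
            f"{PORTAL}?t={token}\n")


def redeem(token, username, password, now=None):
    """Return the stored details once, or None on any failure."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = _pending.get(key)
    if rec is None or now > rec["expires"]:
        _pending.pop(key, None)        # drop expired links
        return None
    ok_user = hmac.compare_digest(rec["user"].encode(), username.encode())
    ok_pw = hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"]))
    if not (ok_user and ok_pw):
        return None                    # the link alone is not enough
    del _pending[key]                  # single use: a replayed link gets nothing
    return rec["details"]
```

Someone who reads the email in transit gets a link that is useless without the signup password, which only ever travelled over https. A real portal would also rate-limit failed attempts per link.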