My last post, "GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission", got a lot of traction and it reached the ears of the GoDaddy people!
I just got off the phone with Neil Warner, GoDaddy’s CSO (Chief Security Officer) and he explained the situation to me.
First, I was glad that they heard the customers, heard the complaints and took the time to look at it. This was his explanation:
- They take security seriously and spend a lot of money on intrusion/malware detection to protect their customers
- They have a security team 24/7 monitoring all their shared/VPS and private servers
- When they detect any issue, they try to fix the problem and that’s why they tried to access my box
- They store all the passwords encrypted (not one-way hashed, which is the recommended practice), and they can only be retrieved and reversed after a member of the security team opens a ticket and explains the reason for using the password (like to investigate malware)
One thing that made me feel better was that they actually have a process in place to access the passwords and they hold their people accountable for that. Having them encrypted or in clear-text doesn’t make much of a difference if the process to recover them is open to anyone in their staff…
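To make the "encrypted" versus "one-way hashed" distinction concrete, here is an added example (my own illustration, not GoDaddy's code, and it assumes nothing about how their systems actually work). The reversible store is a toy XOR-keystream scheme standing in for "encrypted" storage: whoever holds the key can run it backwards and read the password, so the only protection is the process around key access. The hashed store uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt: the record is enough to verify a login, but no ticket, key or process can turn it back into the password.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Reversible ("encrypted") storage: toy stand-in, NOT a real cipher ---
# Constructed for illustration only. A keystream is derived from key + nonce
# and XORed over the password; XOR is symmetric, so the same function decrypts.

def _xor_keystream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def reversible_store(password: str, key: bytes, nonce: Optional[bytes] = None) -> str:
    """Store a password so that it can be recovered by anyone holding `key`."""
    if nonce is None:
        nonce = os.urandom(12)
    ct = _xor_keystream(password.encode("utf-8"), key, nonce)
    return f"xor${nonce.hex()}${ct.hex()}"

def reversible_recover(record: str, key: bytes) -> str:
    """The operator-side 'retrieve the password' step: the key is all it takes."""
    _algo, nonce_hex, ct_hex = record.split("$")
    pt = _xor_keystream(bytes.fromhex(ct_hex), key, bytes.fromhex(nonce_hex))
    return pt.decode("utf-8")

# --- One-way storage: salted, iterated hash (PBKDF2-HMAC-SHA256) ---
ITERATIONS = 600_000  # slow on purpose; raise over time as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    The record lets you check a login attempt; it does not let you (or an
    attacker who steals the database) recover the password itself.
    """
    if salt is None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    key = os.urandom(32)                      # the operator's storage key
    rec_enc = reversible_store("correct horse", key)
    print("reversible record:", rec_enc)
    print("recovered by key holder:", reversible_recover(rec_enc, key))

    rec_hash = hash_password("correct horse")
    print("hashed record:", rec_hash)
    print("login with right password:", verify_password("correct horse", rec_hash))
    print("login with wrong password:", verify_password("battery staple", rec_hash))
```

The practical difference is who can get at the password: with the reversible record, access control on the key (a ticket, a reviewer, an audit log) is the entire defence; with the hashed record, the verification path still works and there is simply nothing to retrieve.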
He said that most users like their free incident response and malware removal and the way they deal with security issues.
He also said that they should have contacted me before accessing the box, warning me of the possible malware, and that they will do that from now on (good to know).
I am happy they called and explained the situation. +1 for GoDaddy for being open, explaining the issue and trying to improve.