Recently some questions were presented related to security of the GoGrid portal, passwords and how GoGrid support handles passwords. We take these matters with utmost priority and consequently have immediately implemented some short and long terms procedures, policies and programmatic fixes to address them.
GoGrid is a secure environment
For starters, I would like to reiterate that the entire GoGrid portal, including the Support chat within it, is 128-bit SSL encrypted. This has been in place since GoGrid was initially launched and was a hard-stop requirement for that launch.
Also, all GoGrid passwords are stored in our databases only as one-way hashes, and they have been since the public launch of GoGrid.
New Procedures and Password-Recovery Development
In order to rectify this current password security concern, we have implemented the following items (effective immediately):
- GoGrid Support now has no access to clear text passwords
- Should a customer forget their password, GoGrid Support engineers are now instructed to reset it and create a new password for the user, provided that the user has properly proven that they have authority over the GoGrid account in question. These temporary, reset passwords are then delivered to the customer via a means acceptable to the customer, and the customer is asked to change them immediately.
The second item in the list above is a simple stop-gap measure that we are implementing until the automated password recovery feature and procedure are in place. We have listened to the suggestions we have received on this and believe that the forthcoming solution will be acceptable to end users.
Do note that since the chats are encrypted (128-bit SSL), password delivery via that method is still considered a safe means to provide sensitive information. Sending passwords via a “plain text” or “in the clear” method (such as email) is now not an acceptable means unless no other means are available AND required specifically by the end user.
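To illustrate the two points above (passwords held only as one-way hashes, and a support role that can reset but never read a password), here is an added example; it is not GoGrid's code, and the store, the PBKDF2 parameters and the user names are constructed for illustration.

```python
# Added example (not GoGrid's code): a credential store that keeps only one-way
# hashes, so a support reset can issue a temporary password but nothing can
# read an existing one back.
import hashlib
import os
import secrets
from dataclasses import dataclass


@dataclass
class Record:
    salt: bytes
    digest: bytes
    must_change: bool = False  # set after a support reset


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count is a
    # constructed, modest value, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordStore:
    def __init__(self) -> None:
        self._records: dict[str, Record] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = Record(salt, _hash(password, salt))

    def verify(self, user: str, password: str) -> tuple[bool, bool]:
        """Return (authenticated, must_change); unknown users fail closed."""
        rec = self._records.get(user)
        if rec is None:
            return False, False
        ok = secrets.compare_digest(rec.digest, _hash(password, rec.salt))
        return ok, (ok and rec.must_change)

    def support_reset(self, user: str, identity_verified: bool) -> str:
        """Support path: only after account authority is confirmed, replace the
        hash with one for a random temporary password that must be changed on
        first login. The clear text exists only in this return value."""
        if not identity_verified:
            raise PermissionError("account authority not established")
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._records[user] = Record(salt, _hash(temp, salt), must_change=True)
        return temp

    def change_password(self, user: str, old: str, new: str) -> bool:
        ok, _ = self.verify(user, old)
        if ok:
            self.set_password(user, new)  # clears must_change
        return ok
```

Note that there is no method that returns a stored password: once only the hash is kept, a forgotten password can be replaced but never recovered.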
Server Password section within the GoGrid Portal
Some users may have been confused or concerned about the Passwords section within their GoGrid Portal. This section serves several purposes:
- When new servers are created, the initial root or administrator passwords are automatically displayed here so that customers can immediately access those servers via SSH or RDC.
- This section is also used by Support to help customers troubleshoot issues they may be having with their GoGrid server. Customers can put user names and passwords here for Support to easily see and use. Also, within a multi-user GoGrid environment (where multiple people have access to the same GoGrid account), this is a convenient place for passwords to be “shared” among those users.
- Changes made to users and/or passwords within this section of the portal have NO EFFECT on the actual servers themselves. If a user changes their root password on a GoGrid server, it is NOT updated within this section of the GoGrid portal. Any updates to the password section of the portal must be done manually.
- While we don’t always recommend this, if you are concerned about your security settings, change your root or administrator passwords immediately once you log onto a GoGrid Cloud server and then delete those password listings within the GoGrid Password section. Note that if you forget that password, you may be forced to delete the server. This may also increase the lead time for GoGrid Support to help you troubleshoot any issues.
We encourage any comments and suggestions regarding GoGrid product features, procedures and security. The procedures listed above may be subject to change as we work to provide more security and functionality.
By Michael Sheehan