Hosting – initial admin password

This is a small thing, but might be important when you open hosting to a broader audience. I just created my first instance. I use Cloudways today and the dashboard allows me to easily click and copy userids or passwords. I think it is important to not only have these easily available, but I really like the "click to copy" ability. I use this for example when setting up FTP where I need the ID and password. I also made the mistake when creating my first instance of not copying the admin password. My other hosting provider provides this on the dashboard after the instance is created, which is really nice.

  • Adam
    • Support Gorilla

    Hi Brandon

    I hope you’re well today!

    Just to make sure: you mean that in the “Accounts” section you should be able to see and copy an existing password for SFTP/SSH access?

    Currently you can only change the password if you don’t remember it but not copy directly so I believe that’s what you’d like to be changed as well as your “WP admin” password, right? I’m just wondering then – wouldn’t that be a bit of a security breach?

    The WP password is one-way encrypted and I believe the FTP password as well, so being able to “expose” it like that would mean that we’d need to store it somehow, additionally – in addition to WP itself and to the FTP configuration – in either an unencrypted (open text) or symmetrically encrypted (which is as bad as open text if not protected with some private/public keys) way in the database. I’m not very familiar with Cloudways, which you mentioned as an example, but I admit I’m quite surprised if they are doing that… But it’s just my personal thought on this so please don’t take it as a “no”. I’d just love to hear your feedback on this and I’ll make sure to pass that to our hosting team. I think I’m kind of “anticipating” possible objections so I’d like to make sure that I’m giving them solid arguments to back up that feature, I hope that makes sense :wink:

    Looking forward to hearing back from you :slight_smile:

    Best regards,

    Adam

  • Brandon
    • Recruit

    Hi Adam,

    I have to admit I have not thought through the security ramifications. From a usability standpoint, I find myself using this feature a lot. I've attached screenshots to help the discussion.

    Here are the use cases I typically have:

    1) Creating a new app and doing initial setup. The first time I log in to a newly created app, I go to the dashboard and click to copy the userid, click the link to launch the admin panel, and then click to copy the password. Once I log in I have Safari save the PW. If something goes wrong, I can always come back here and get the admin pw. Of course I could have copied all this when defining the app, but…

    2) Connecting via Filezilla. I can also come to this screen and "click to copy" the IP address, master ID and master PW. Super easy and always accessible.

    3) Accessing the SSH terminal. I just click to get the credentials and then launch. Great if I need to use some unix commands.

    4) I also occasionally set up additional FTP credentials for my remote developers (I think this already exists in your dashboard).

    So the WP password is just the initial, system created ID and PW. You are right, we shouldn't fish out encrypted passwords set after the initial creation. I think users will get frustrated if they don't have access to the initial ID and PW after creation. Just a convenience that has saved me trouble before. You can also reset the password if you remembered the user id, but I think the more straightforward the better.

    Best regards,

    Brandon
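The trade-off discussed in the two posts above, as an added example that is not part of any post and is not the hosting provider's or Cloudways' code: a credential store that shows the generated password once at creation (when "click to copy" is still possible), keeps only a salted one-way hash, and answers a forgotten password with a reset instead of a reveal. The class name, method names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


class CredentialStore:
    """Hypothetical dashboard backend that never keeps a recoverable password."""

    def __init__(self):
        self._records = {}  # username -> (salt, derived key); no plaintext

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def provision(self, username):
        """Create or reset a credential.

        The plaintext is returned exactly once, so the dashboard can offer
        "click to copy" at this moment; only salt + derived key are stored.
        """
        password = secrets.token_urlsafe(18)
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, self._derive(password, salt))
        return password

    def verify(self, username, candidate):
        """Login check: re-derive from the candidate, compare in constant time."""
        record = self._records.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(candidate, salt))

    def reveal(self, username):
        """A later "show my password" request cannot be served from a hash."""
        raise LookupError("password is not recoverable; call provision() to reset")


if __name__ == "__main__":
    store = CredentialStore()
    first = store.provision("admin")       # constructed sample account name
    print("shown once at creation:", first)
    print("login with it:", store.verify("admin", first))
    store.provision("admin")               # forgotten later: reset, not reveal
    print("old password still valid:", store.verify("admin", first))
```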

  • Adam
    • Support Gorilla

    Hi Brandon

    Thanks for getting back to me and for such detailed feedback!

    I’ve passed this all together to our hosting team already for their consideration and we’ll see :slight_smile: I’m not able to make any promises on this at this moment but what I can promise is that your suggestion reached them and they’ll discuss possible options and see if something (and if so what) could be done about this.

    Thank you again!

    Best regards,

    Adam