I’ve been using HostGator for many years to host my blog. I’ve been wanting to migrate to DigitalOcean or another cloud hosting provider, but I hadn’t found any motivation to do so until last year (I’m cheap, so I waited until my plan was expiring before moving away). The main and only motivator is that HostGator keeps my password in plain text in a support case.

Last year, I upgraded my package so that I could support multiple domains. I purchased an extra domain so that I could host demo sites for my clients, but I never really used it that much, so I raised a ticket with HostGator to request a downgrade of my package. Before my ticket could go through, I needed to key in my login and password for verification purposes.

I tried to submit a new request (for the purpose of this post, and it went through), and the verification screen did not show up. Maybe HostGator changed the process (it’s been a year), or the process depends on the type of request: if my request asks to cancel a subscription, it suggests that I call them or use live chat, while a request for support submits the ticket directly. Here is the screenshot of my past request to downgrade my package:

[Screenshot: HostGator Billing Support System (HostGator support case)]

My password was captured and shown in plaintext. So I replied to support about the password being displayed in plaintext, as I thought it was just used to verify me, which makes sense considering I was requesting to downgrade my plan, but it doesn’t make sense to keep the password in the support case. I did get a response from support:

[Screenshot: HostGator support’s response]

According to the response, it is fair enough that they need to verify me before proceeding with my request, but storing my password in plain text in the support case is just plain wrong. Even if their security is so strong that nobody can hack into their system, one thing it can’t protect against is social engineering: a hacker can still find a way to get their hands on the support ticket, and then they will get customers’ passwords in plain text. I know security is difficult to get right, but storing a password like this does not make any sense.

While I do think HostGator provides very nice services and packages, I do hope they work on their support process and stop storing passwords in support cases.
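As an added illustration (not HostGator's code and not part of the original post), here is one way a ticket intake step can verify the customer and then discard the password, so the support case records only the outcome of the check. The function names, the ticket fields and the sample account are all assumptions made up for this sketch.

```python
import hashlib
import hmac
import os
import time

# scrypt parameters are an assumption for this sketch; tune them for real use.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def make_account(password: str) -> dict:
    """Account record holds only a salt and a salted hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def open_ticket(accounts: dict, username: str, password: str, request_text: str) -> dict:
    """Verify the customer, then build a ticket that contains no credential."""
    account = accounts.get(username)
    verified = False
    if account is not None:
        candidate = hash_password(password, account["salt"])
        # Constant-time comparison of the derived hashes.
        verified = hmac.compare_digest(candidate, account["hash"])
    if not verified:
        raise PermissionError("verification failed; no ticket created")
    # Only the result of the check is persisted. The password goes out of
    # scope when this function returns and is never written to the ticket.
    return {
        "username": username,
        "request": request_text,
        "verified": True,
        "verified_at": int(time.time()),
    }

if __name__ == "__main__":
    # Constructed sample data.
    accounts = {"alice": make_account("s3cret-Constructed!")}
    ticket = open_ticket(accounts, "alice", "s3cret-Constructed!",
                         "Please downgrade my package")
    print(ticket)  # support staff see the request and the verified flag only
```

A support agent, or anyone who obtains the ticket through social engineering, sees that the requester was verified but has nothing to reuse as a login.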