
Should I be concerned if my Git hosting provider stores passwords in plaintext?


I found a comment on Reddit suggesting that ProjectLocker, a free Git host, stores their passwords in plain text.

Guest [Entry]

I work at ProjectLocker, and I'd like to add some clarity to this thread. First, to answer the OP's questions:

a) This rumor is not true. ProjectLocker doesn't store passwords in plaintext.

b) You can't verify this for ProjectLocker or any other website without access to their backend systems.

c) I'd be fairly worried. However, I would be pretty surprised to find that any of the major Subversion hosting or Git hosting sites store plaintext passwords. It's just a bad idea.

Incidentally, all Git access at ProjectLocker uses public-key authentication and no passwords.

As others have pointed out, ProjectLocker does allow users to retrieve lost passwords. We do this by storing passwords encrypted with a two-way function. (If you ever check the "save this card for later" box on an ecommerce website, your credit card is stored that way. Same thing goes for subscription sites that bill periodically, such as Netflix.) In general, we treat passwords as sensitive data, like credit cards or customer artifacts (code, etc.). There's a fair philosophical debate about whether sites should store passwords in retrievable format, but feedback from our users indicated that they prefer retrievable passwords.

As to the post on Reddit, I can say that the poster has never worked at ProjectLocker and has no actual knowledge of our authentication systems. The poster most likely is not familiar with two-way functions, and is mistakenly confusing "reversible" with "plaintext."

Finally, if you are considering hosting your code with a third party, and you do not trust their answers to a question like this, you should definitely not store your code there. If you don't trust your host, you shouldn't use them at all, regardless of how they store your password.
Guest [Entry]

One way to verify if this is true is to pretend you forgot your password. If the host tells you your current password instead of resetting it and giving you a temporary password, you have proof that they store it in plaintext.

edit: Joshua's comment is right: this isn't definitive proof that they're storing your password in plaintext, but it is proof that they are storing your password in a reversible format.

It is most secure to store a salted one-way hash of the password. It's trivial to hash your input and compare it to the stored hash, but impractical for anyone to reverse-engineer the hash to obtain your password. This is why most sites send you a weird random password when you lose it: they no longer know what your password is, so they have to reset it to something they do know.

If ProjectLocker does store your password in a reversible format, there are varying degrees of worry you should have. Disgruntled employees aren't the only danger; if an attacker is able to obtain a database dump and can determine the way to decode the passwords (if they can get a DB dump, they can likely get the source code), they'll have plenty of passwords. If you use a username and password that you don't use anywhere else for that site, the worst they can do is mess up your ProjectLocker account. However, many people use the same username and similar passwords for many different websites; if you do so, then storage of the password in a reversible format puts you at a great risk.

In my opinion, if the password you use at ProjectLocker isn't similar to the passwords you use at other sites, you shouldn't worry too much. However, it would be worth voicing a complaint with them, because it makes it much more likely that a small lapse in security could lead to someone getting access to your account.
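The two storage schemes the answers above contrast, as an added worked example that is not code from either poster and not ProjectLocker's implementation. It shows, side by side, a salted one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library) and a reversible "two-way" record, and then the two behaviours the thread uses as evidence: what a "forgot password" flow can hand back for each record type, and what an attacker who holds both a database dump and the site's key recovers. The reversible scheme here is a stand-in cipher (an HMAC-SHA256 keystream XORed with the plaintext) chosen only so the block runs without third-party packages; it is an assumption for illustration, not a production cipher and not the scheme any real host uses. The usernames, passwords and key are constructed sample data.

```python
import hashlib
import hmac
import os

# --- Salted one-way hash (what the second answer recommends) -------------
# PBKDF2-HMAC-SHA256 from the standard library. A per-user random salt means
# two users with the same password get different digests, so one precomputed
# table cannot cover every row of a dump.

def hash_password(password, salt=None, iterations=200_000):
    """Return a record suitable for storing; the password itself is not kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(),
            "iterations": iterations, "digest": digest.hex()}


def verify_hashed(record, password):
    """Re-derive the digest from the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


# --- Reversible ("two-way") storage ---------------------------------------
# Stand-in cipher for this demonstration only (assumption, not a real host's
# scheme): an HMAC-SHA256 keystream XORed with the plaintext, CTR-style.
# The property it shares with every reversible scheme is the whole point:
# stored row + the site's key = the password again.

def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(password, key, nonce=None):
    nonce = nonce if nonce is not None else os.urandom(12)
    plaintext = password.encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"scheme": "reversible", "nonce": nonce.hex(), "ciphertext": ciphertext.hex()}


def decrypt_password(record, key):
    ciphertext = bytes.fromhex(record["ciphertext"])
    nonce = bytes.fromhex(record["nonce"])
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8")


# --- The two observable behaviours discussed in the thread ----------------

def forgot_password(record, key):
    """What a 'forgot password' flow can do with a stored record.

    A reversible record is decrypted and can be mailed back ("retrieve").
    A hashed record cannot be reversed, so the site issues a temporary
    password and overwrites the stored digest with its hash ("reset").
    """
    if record["scheme"] == "reversible":
        return ("retrieve", decrypt_password(record, key))
    temporary = os.urandom(9).hex()
    record.update(hash_password(temporary))
    return ("reset", temporary)


def recover_from_dump(dump, key):
    """What an attacker holding a database dump plus the site's key gets back.

    Returns {username: password} for every reversible row. Hashed rows are
    skipped: nothing in the dump or the key yields the original password.
    """
    recovered = {}
    for username, record in dump.items():
        if record["scheme"] == "reversible":
            recovered[username] = decrypt_password(record, key)
    return recovered


if __name__ == "__main__":
    site_key = os.urandom(32)  # constructed: stands in for a key kept in the site's code/config
    dump = {  # constructed sample rows, as pulled from a compromised database
        "alice": hash_password("correct horse battery staple"),
        "bob": encrypt_password("hunter2", site_key),
    }
    print(forgot_password(dump["bob"], site_key))      # ('retrieve', 'hunter2')
    print(forgot_password(dump["alice"], site_key)[0])  # 'reset'
    print(recover_from_dump(dump, site_key))            # {'bob': 'hunter2'}
```

The "forgot password" probe from the answer maps onto `forgot_password`: a site that can return `("retrieve", ...)` necessarily holds something reversible, whether plaintext or ciphertext plus key, while a site that hashes can only answer with a reset. `recover_from_dump` is the attacker's view the answer describes: once the dump and the decryption key travel together, every reversible row falls out, and only the hashed rows still cost the attacker a guessing attack per user.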