What are the last 4 characters of your password?

I used to have this blog hosted on Bluehost. I set up the hosting account years ago to host a gaming community and it had served it’s purpose well. I had no downtime that I can remember and my site was always pretty responsive.

A few months ago I decided that I had kind of outgrown Bluehost, so I decided to make the switch to Digital Ocean. I had heard a lot about them and I switched because:

  • My Bluehost account was bloated with junk I don’t need – MySql, PostgreSql, Awstats, file managers, ruby, php, one click installers for WordPress and Drupal and on and on
  • I wanted more control over my server than what Bluehost and cPanel was giving me
  • Digital Ocean is cheaper
  • Digital Ocean is awesome*

The switch was relatively painless and I got my account set up and my blog transferred in a matter of hours. I then promptly forgot about Bluehost and went on my way.

I realized that I never canceled my Bluehost account when they sent me a renewal email. Luckily it was a Hey your account is going to renew reminder instead of a Hey your account was just renewed message. I promptly went to their site and hit the chat link to begin the cancellation process.

To my surprise the process was relatively painless, and went something like this:

Dave: Hi, I’d like to cancel my account
BH Rep: Okay, may I ask why?
Dave: I found a cheaper hosting solution that suits me better
BH Rep: Okay, please hang on

He then went off and did who knows what. But he then came back and said:

BH Rep: May I have the last 4 characters of your password?

What.

You want my what?

I wasn’t sure how to respond. I asked him if it was necessary and he said emphatically that yes, it was necessary, and that it’s part of their process to authenticate me. I told him I was concerned that it seems like they can either decrypt my password or store the last 4 characters unencrypted. I got no response. Now, due to time constraints I obliged and provided the characters and proceeded with the cancellation.**

But I was still concerned. I could think of 4 possible scenarios:

  • They hash passwords and then hash the last 4 separately
  • They store the last 4 characters of my password in plain text somewhere
  • They encrypt passwords and have the ability to decrypt them
  • They store passwords in plain text

I really like to think it’s not the third one, and really like to think it’s not the last one. Chances are it’s the first one. Which is good. Kind of. They’re still asking me to give out a pretty personal string.

If we do some simple math, conservatively assuming they accept 72 different characters ([A-Z][a-z][0-9][!@#$%^&*()]) with a minimum length of 8 characters there are 728 possible password options, which equates to 722,204,136,308,736. That’s a lot of options. However, if we assume an attacker knows the last 4 characters of my password, then that means the attacker only has to guess the first 4 characters. Which means there are only 26,873,856 possible options. That’s a significant decrease, and something that could be run through in a matter of hours.***

Most likely this is no big deal. There won’t be a breach, and even if there is the attackers get a bunch of hashed passwords and that’s it. But what bothers me the most about this is the lack of concern over password security. We use passwords for everything – Facebook, banking, Stack Overflow, baby registries, etc etc etc. We should never have to give these things out, even partially. And for a company to ask for it? That’s ridiculous. The only way to help stop accounts from being stolen is to take password security more seriously.****

We need to stop thinking of passwords as no big deal and start treating them as what they are – keys to our most personal information. You wouldn’t give a key to your house to a random stranger, right?


  • I am in no way affiliated with Digital Ocean. They are awesome though.
    ** Yes, this probably makes me part of the problem
    *** This, obviously, is ignoring salts, which I hope Bluehost uses.
    **** The funniest thing about this whole situation is that had they asked for the last 4 of my SSN I wouldn’t have even batted an eyelash. What does that tell you about security in America?