Is HostGator storing my password in plaintext?

Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one).

Technically, the password might be stored under reversible encryption rather than plain text, but that's nearly as bad. The absolute minimum standard should be a salted hash - anything less and anybody with access to the auth database who wants to can use an online rainbow table to get back the plaintext passwords in moments - but single-iteration secure hash algorithm (SHA) functions are still easy to brute force with a GPU (they're designed to be fast; a high-end GPU can compute billions per second) so they really ought to be using a proper password hashing function such as scrypt or argon2, or in a pinch bcrypt or PBKDF2.

Also, there is absolutely no way to guarantee that the email was encrypted along the entire path between their mail server and your email client. Email was designed in a day when people didn't really consider such things to be critical, and short of an end-to-end encryption scheme like OpenPGP or S/MIME, email is at best encrypted opportunistically, and may be passed through an unencrypted relay.


Yes, they store passwords in plaintext or equivalent, and definitely transmit them in plain text. This was discovered in 2011.

This is confirmed by HostGator being listed on Plaintext Offenders, as well as by its entry in the CSV file containing a list of offenders. This is not new and has been known since at least 2011. HostGator has not reformed since. The Plaintext Offenders website shows a screenshot similar to yours as evidence:

[Screenshot from Plaintext Offenders; image alt text: "HostGator sux"]


If the company rep's response is true, the password is stored as encrypted text. This makes the plain-text password in an unprompted email a bigger concern.

is it safe to assume that my password is stored in their database as plain text?

The company representative explicitly stated that they are not storing the password in plain text. Assuming that he is telling the truth, my conclusion is that they are storing the password as encrypted text. Encrypted passwords are better than plain-text passwords, but they are still insecure. Hashing and salting is the best way to store passwords.

If the stored password is encrypted, the biggest concern here is not the way it is stored but the way it is transmitted, in plain text on an email when the user did not request any.

do you have any suggestions on how to address this issue with the provider?

You can ask the company to change the following (in order of priority):

  1. Stop sending passwords over email.
  2. Provide a password reset option instead of password recovery.
  3. Replace password encryption with hashing and salting.

In response to comments:

  1. Yes, there is a high chance that the rep is lying or didn't know what he was talking about. But there is also a possibility that he was telling the truth. This answer deals with that scenario.
  2. I consider transmission of passwords a bigger problem than storage because the OP was sent the password in an email when he did not ask for one.
  3. I have seen systems that store passwords in an encrypted text and send them to users upon request. They are not secure, but they do exist. Just because you received your info in plain text does not guarantee it is stored that way too.
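As an added illustration of what the first answer (a salted, slow password hash such as scrypt) and the third answer (a reset flow instead of recovery, and hashing instead of encryption) are asking the provider for, here is a constructed Python example. It is not HostGator's code and not from any of the answers; the function names, the scrypt work factors, the record format and the 15-minute token lifetime are all assumptions made for the demo. It uses only the standard library (`hashlib.scrypt`, `hmac.compare_digest`, `secrets`).

```python
"""Constructed example: salted scrypt password storage plus a reset-token flow.

Not HostGator's code; names, parameters and sample values are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# scrypt work factors (assumed for the demo; N=2**14, r=8 needs ~16 MiB RAM).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16            # 128-bit random salt per password
KEY_LEN = 32             # 256-bit derived key
RESET_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and return a self-describing record.

    Format: scrypt$N$r$p$<salt hex>$<hash hex>. Storing the parameters next
    to the hash lets the work factor be raised later without breaking old
    records. A fresh random salt defeats rainbow tables: equal passwords
    produce different records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and parameters and compare
    in constant time. Note there is no function that returns the plaintext:
    with only a hash on file, a 'here is your password' e-mail is impossible
    by construction, which is the point of the third answer's item 3."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    derived = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(derived.hex(), hash_hex)


def issue_reset_token(now: float) -> Tuple[str, Dict[str, object]]:
    """Mint a one-time reset token (items 1 and 2 of the third answer).

    The user receives `token` (e.g. in a link); the server stores only its
    SHA-256 and an expiry, so a leaked database holds no usable tokens. A
    plain fast hash is fine here because the token is 256 bits of random
    data, not a human-chosen password.
    """
    token = secrets.token_urlsafe(32)
    record = {"token_hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
              "expires_at": now + RESET_TTL_SECONDS}
    return token, record


def redeem_reset_token(token: str, record: Dict[str, object], now: float) -> bool:
    """Accept the token only if it matches and has not expired."""
    if now > float(record["expires_at"]):  # type: ignore[arg-type]
        return False
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented, str(record["token_hash"]))


if __name__ == "__main__":
    # Constructed sample: a user registers, logs in, then goes through reset.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", stored))

    token, token_record = issue_reset_token(time.time())
    print("reset token (sent only to the user, never stored):", token)
    if redeem_reset_token(token, token_record, time.time()):
        stored = hash_password("a new password the user chose")
        print("password replaced; the old record is simply discarded")
```

Two design points worth noting: the record carries its own parameters so the scheme can be upgraded per user at next login, and the reset path never needs the old password at all, so the question the thread is about ("why did I receive my password by e-mail?") cannot arise.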