For a while now, I've been trying hosting providers (ASP.NET at least). What all the providers I tried have in common so far: a more-or-less silly password limitation policy that ridicules security.
Correct me if I'm wrong, please, but I came across the following and asked the providers how I could trust their security if they disallow strong passwords, and they all answered "your data is safe with us, we're a secure provider, look at our customers", etc.
Among the hosting providers I tested, I found, among others:
- Password length <=8, only letters / digits
- Password length <=8, only letters / digits + list of some other chars
- Password length <=8, unclear what's allowed, server error on some chars
- Password length <= 12
- Inside Plesk: password length restrictions for databases
- Passwords sent in plain text, or shown on Plesk or other admin tools
- Invalid, outdated or low-keyed SSL certificates
- etc
Am I right in saying that this makes me (or the sites I host) vulnerable?
This seems common. Does this only happen on the low side of the market? Am I right that only VPS or colocation are secure bets? Do you know of any GoDaddy-level priced hosting providers that do not pose limitations, or should I seriously go up?
With regard to "server error on some chars", I read that and think "SQL Injection".