Actually, DreamHost did have a problem recently with FTP security, which they have partially addressed.
Remember how you used to be able to obtain FTP and Email passwords directly from the Control Panel if you forgot them? While convenient, it also meant that the passwords were stored as plain text. This is a security faux pas, and should never be done. To this day, though, some passwords (ironically enough including those for .htaccess-protected directories!) are still stored as plain text, and still retrievable as such from the Control Panel!
Passwords should only be stored as salted one-way hashes, using algorithms such as SHA-1 or SHA-256 or MD5.
At any rate, though, no matter what security DH or any other host has, if you use weak passwords, you’re going to be hacked. Maybe not today, maybe not tomorrow, but it’s only a matter of time.
Never, ever use a stupid password such as “password” or “12345” or “letmein.”
Never, ever use a password that is in any way related to you or your clients, such as your mother’s maiden name, your SSN, phone number, address, dog’s name, alma mater, or any other information that anyone could possibly know or find out about you. Merely adding a digit or two to such a password isn’t much better.
Never, ever use any single word found in any dictionary of any human language as your password. Also, the old tactic of using two unrelated words connected by a single punctuation character (e.g. default AOL passwords for new accounts) is no good anymore. Hackers use dictionary searches. Also, they know all the tricks such as changing S to $, E to & or 3, l to 1, O to zero, “for” to 4, etc. Those tricks only slow them down a bit these days.
Never, ever use the same password for multiple purposes. Once a hacker has found that you use an easy password for, say, an online game, they may also try it on your banking account, DreamHost control panel and FTPs, etc.
This also goes most especially for your Email accounts. People tend to think that these are unimportant, and so need not be as well-protected as, say, your banking account or DH panel password. But think about it: if you forget your banking account password, what will the bank website do when you click on “Forgot Password”? What will DH do? They’ll Email you a new password confirmation link to the Email account you have stored with them! So, if a hacker finds out your Email password, all s/he has to do is request a new password from the other services (the bank may require some ID such as SSN, mother’s maiden name, etc., but this info isn’t so hard to find out), then read your Email!
Sadly, all too few Email servers properly support Secure Password Authentication (SPA), and thus send the password, however good you might have made it, “in the clear” and thus sniffable by any TCP/IP packet sniffer placed anywhere along the route from you to the Email server! Email passwords are thus one of the lesser known but most serious weak links in computer security today.
Frankly, I think that the whole idea of allowing a forgotten password to be retrieved or even reset or click-validated via Email is one that needs to go away, at least until Email itself is replaced with a more secure means of Internet messaging (Email is fundamentally broken, as the spam crisis shows — it cannot be fixed, and the Internet community is just going to have to accept that SMTP, POP3, and IMAP4 are going to have to be totally scrapped and replaced with whole new protocols written from the ground up for maximum security even at the expense of convenience and performance, and that that means that all existing Email client programs such as Outlook Express, Thunderbird, Eudora, etc. are going to have to be rewritten — merely patching them with SPF, SPA, etc. is no longer going to suffice).
At any rate, don’t blame DH or other services if you use lame or re-used passwords to them. You might as well hang a sign on your site that says “Hackers Welcome Here.”