I just had a very disturbing conversation with a Rackspace Cloud CSR. It went something like this:
CSR: Can I have your account user name and password?
Me: You want my password?
CSR: Yes sir.
Me: You know that's, like, security 101 that you should never reveal a password over the phone?
CSR: Yes sir, but in this case we need it to verify your account.
Me: OK, let me go change it to something I'm willing to tell you over the phone.
[Typety type type]
Me: OK, my password is now somereallylongbogusthing.
CSR (without any delay): Thank you. How can I help you?
Me: Wait, you must either be the world's fastest typist, or you can see my password on your screen.
CSR: That's right, sir, I can see your password.
Me: (The sound of my jaw hitting the floor.)
I am just stunned. I have used Rackspace for mission-critical servers in the past. They have always seemed reasonably competent, if not always 100% reliable. But this calls into question Rackspace's entire security policy. The first rule of computer security is that you do not store passwords in the clear. Never. Ever. No ifs ands or buts. You Just Don't Do That. And security is particularly critical in cloud computing, where your data ends up on hardware that can be reused by other people. If Rackspace is storing passwords in the clear, what else might they be screwing up? This really calls into question whether Rackspace can be trusted with mission-critical data.
Good grief, Rackspace, I really wanted to like you. But what were you thinking?
[UPDATE:] It really is as serious as I thought. WIth the account password you can change contact information and reset the root password on all your servers. So unless and until this is fixed you should not use RSC for anything mission critical. I hope they do fix this because other than that I really like RSC. Their UI is very well designed, and setting up a server was amazingly fast and painless.