Add a checkbox to NOT email root password
It would be *much* better to have a checkbox option at instance creation time to only generate/display root password on-screen, but not send via (plaintext) email. Much more secure.
Also, a key-only (e.g., no passwords allowed) checkbox option for VM access would be awesome.
Sasha Shepherd commented
I disagree. The first thing the user should do is IMMEDIATELY change the root password to something high security (in fact, you shouldn't be logging in with root anyway).
Emailing it in plaintext encourages changing it right away.
We're going to move ahead with this one and move it to the planning stage.
Thanks for the feedback!
Jonathan Tittle commented
SSH Keys are great, though disabling root log-in altogether is also a best-practice. Simply create an unprivileged user, give the user the ability to switch to root via su / sudo, and test that it works.
If you're extremely concerned about security, there's always two-factor authentication, which can be done through various methods, though one I've been testing is Duo Security.
You'll need a little time to do the setup, though two-factor is much more secure. Of course, if you're on an already compromised system, none of the three options really matter as a simple backdoor will circumvent them all.
This one is a tough call our policy is what Jonathan outlined - basically if you aren't using SSH keys we recommend updating the root password after you receive it.
For any kind of automated provisioning SSH keys are the preferred method.
And overall SSH keys are many times more secure than any form of a root password which should only be used for console access.
Jonathan Tittle commented
Since there's quite a few comments on this one, I'll ask. Why does it matter if the default root password is sent via e-mail when your Droplet is setup?
Changing the root password for any VPS, whether the password is sent via e-mail or not, should be one of the first steps you take before doing anything else. The passwords that are sent out are short, and while semi-random, are not, in my opinion, meant to be used except to gain first-time access.
This is simply standard protocol. Changing any password you're provided with is always a best-practice, regardless of whether it's a root password, or password for another service :-).
Junior Grossi commented
I think the better way will be work with SSH keys too. It will improve secure and will be easier.
Using SSH keys with the control panel currently you will not be emailed a root password as the SSH keys are used instead.
You could have as a creation requirement the pasting of a ssh public key, and have that inserted into the /root/.ssh/authorized_keys file. Also reset the defaults of sshd_config to "UsePam no"
Also please note that if you use SSH keys we do not email any root passwords.
This is really important, and adding a checkbox really isn't enough. Best bet is to disable sending root passwords by email entirely.
Great suggestion we had another request for this and we will implement for customers that are no longer trial accounts.