Hacker News

As others have pointed out, if you don't trust your host, you're hosed right from the start. If you want a private server, keep it in your closet.

Having the password reversibly encrypted means that if someone gets their hands on a dump of the db, they will at least not be able to automatically gain access to millions of accounts with no effort. Depending on the encryption scheme used, it may even be extremely secure - for example, decryption could require sending the encrypted string to a different, extremely secure server off the WAN that answers with the password.




In 15 years as a security professional and over 5 years directly consulting for big companies, little companies, locked down companies and lunatic companies, selling operating systems, browsers, parts of the power grid, cores of financial exchanges, retail banking applications, email management applications and to-do lists, I have never once seen the "extremely secure" system you allude to.

I have seen lots of "reversible encryption", though.

Maybe I've just gotten lucky in my career, and I just get the fun applications where people do this wrong. But there's no way GoDaddy did it right.


Nonetheless you must admit it is possible.

If I did this, that's how I'd do it. Have a separate computer, locked down to the max, except for a couple of functions: accepting HTTP requests POSTing an encrypted password, then sending back the decrypted string. That function would be severely rate-limited. Another function, to confirm the hash of passwords, would not be rate-limited, allowing high volumes of website access.

I could make that machine friggin' impregnable (and so could you). But yeah. No-one ever does it.


Um, sounds like an industry standard HSM

http://en.wikipedia.org/wiki/Hardware_Security_Module


I wouldn't do it at all. If I wanted escrowed access to a VM, I'd stick a "break glass" SSH key on the box.

I'm not sure how "extremely secure" this "password-decrypting server" design really is, by the way. SQLI is often equivalent to remote code execution. Even when it isn't, XSS is equivalent to operator access, and operators can use the feature that decrypts the password.

Passwords are hazmat. You shouldn't be storing them, at all.


Yeah. I used to disagree with you, but now I agree.

You should write up a definitive guide for password security. For instance, I want to know if we should still use salts in the age of bcrypt, etc. Tell us what to do, man.


I kind of don't want to be "the password guy".


Haha. I understand.



