I use Bluehost and have been shocked my how shoddy and insecure an operation they run.
For example, anytime I contact support, they ask for "the last four characters of my password." This implies that they are storing my password in plaintext instead of hashed — even if it's just the last four characters, it’s (1) awkward and (b) severely cuts down the entropy of the actual password. It also implies that, should you use the same or similar passwords for other sites, the Bluehost team now essentially has, and looks at (!), that password.
They also have absolutely terrible support for running Ruby on Rails and their control panel's Rails controls "don't work," to quote their help team.
Not that I think this is even remotely likely, but they could be storing an MD5 hash of all but the last four characters of your password, and an MD5 hash of your full password. Since MD5 works by processing data through the algorithm bit by bit, with each operation producing a valid MD5 hash up until that point, they could take the first hash and 'continue' hashing with the rest of your password, and then compare it to the full hash.
TL;DR: You can take an MD5 hash of any data and generate a valid MD5 hash of that data plus some data of your own, without knowing what the original data was.
It's been a while since I used Bluehost (2-3 years), but think I remember seeing my password in plain text somewhere, so they did store it in plain text back then.
For example, anytime I contact support, they ask for "the last four characters of my password." This implies that they are storing my password in plaintext instead of hashed — even if it's just the last four characters, it’s (1) awkward and (b) severely cuts down the entropy of the actual password. It also implies that, should you use the same or similar passwords for other sites, the Bluehost team now essentially has, and looks at (!), that password.
They also have absolutely terrible support for running Ruby on Rails and their control panel's Rails controls "don't work," to quote their help team.
Stay away.