Plain text passwords in emails?

An ICANN-accredited registrar affiliated with SnapNames is currently sending usernames and passwords in plain text – via email, no less.

SnapNames is using several small registrars to split its drop-catching resources, and this particular registrar clearly violates security procedures.

After winning a domain with that registrar, I received two consecutive emails; the first one contained my new username, and the second one the password.

I guess they thought that by splitting the info in two, they are lessening the odds of eavesdropping. But that’s a big security risk, regardless.

So what is the proper method?

When a customer uses, for the first time, a registrar that was utilized to capture a domain, the procedure should be as follows:

  • An email is sent to the holder, inviting them to create an account; the link includes a hash key.
  • The account holder creates their own password, over a secure connection.
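
The two steps above as an added sketch (not code from the registrar or from SnapNames): the emailed link carries a random single-use token, the server keeps only the token's hash, and the password the holder chooses is stored salted and hashed. Reading the "hash key" as such a token is an assumption, as are the class name, the URL, the 24-hour lifetime, the 12-character minimum and the PBKDF2 parameters.

```python
import hashlib
import hmac
import secrets
import time

INVITE_TTL = 24 * 3600      # assumed invitation lifetime, in seconds
MIN_PASSWORD_LEN = 12       # assumed policy
PBKDF2_ROUNDS = 600_000     # assumed work factor for PBKDF2-HMAC-SHA256


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class InviteStore:
    """In-memory stand-in for the registrar's account database (hypothetical)."""

    def __init__(self):
        self.invites = {}    # sha256(token) -> (email, expires_at)
        self.accounts = {}   # email -> (salt, password hash)

    def issue(self, email, now=None):
        """Create a single-use token; return the link that goes in the email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.invites[digest] = (email, now + INVITE_TTL)   # raw token is never stored
        return "https://registrar.example/activate?token=" + token

    def redeem(self, token, new_password, now=None):
        """Called by the HTTPS form handler; True once the account is created."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        email, expires_at = self.invites.get(digest, (None, 0))
        if email is None or now > expires_at:
            self.invites.pop(digest, None)   # unknown or expired: drop it
            return False
        if len(new_password) < MIN_PASSWORD_LEN:
            return False                     # token stays valid for a retry
        del self.invites[digest]             # single use
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, _hash_password(new_password, salt))
        return True

    def check_password(self, email, password):
        """Later logins compare hashes in constant time."""
        salt, stored = self.accounts.get(email, (b"", b""))
        if not stored:
            return False
        return hmac.compare_digest(_hash_password(password, salt), stored)
```

With this flow the password never appears in an email, and a link read in transit is useless once it has been redeemed or has expired.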

On a side note, I don’t keep domains in random registrars; I transfer them to my main registrar after the 60-day lockdown period expires.

