

Ask HN: my domain registrar stores cleartext passwords. Does it matter? - hoodoof

I was doing some domain updating, etc., and saw that it lists usernames and passwords for accessing their systems. This means they store their passwords in clear text, right? Does it matter?
======
bigiain
Yes, you should publish their name and migrate your domains immediately. It
matters for at least two different reasons - only one of which you can protect
against.

Firstly, it means that password can't be considered "secure". You can at least
partially mitigate that by ensuring you don't use that password anywhere else
(which you _should_ be doing anyway); that means a breach of that password
only affects your account with that registrar - and if they've been breached
you should consider all data they hold exposed anyway.

Secondly - and I think this is _very_ important - domain registrars need to be
held to the very highest levels of security, because anyone who can manipulate
your domain can receive your email, and that pretty much makes things "game
over" for anything that lets you use password reset emails.

------
mike-cardwell
I find it odd that you haven't named the registrar already.

