by markbao 5467 days ago
This isn't a microblogging service or pet social network. A domain registrar is storing your password in plaintext? Really? Didn't we go over this a thousand times?

If I was on Hover (which I considered), I'd transfer my domains immediately. Moving to a plaintext password system to get fewer support requests is like removing the door from your house so you don't have to keep fumbling for the key.


It's not just domain registrars, I reset the password of my basecamphq.com account (which stores very confidential project information) last week, and received this email:

  Hi -name-,
  
  Can't remember your password? Don't worry about it — it happens. We can help.
  
  Username: -username-
  Password: -password in plain text-
  
  Please keep your password safe to prevent unauthorized access.
It blows my mind that even 37signals falls for this trap. There should be a website showing a blacklist of services that store passwords in plaintext.
Not exactly a list, but: http://plaintextoffenders.com/
As I'm sure you noticed, many of those sites are putting the password in the welcome/verification email, but this is not the same as actually storing it as plaintext in their database. The thing to look out for is your old password in password reset emails, not welcome emails.

And another one to add to the list: my brother's small business uses British Telecom for email hosting. Their control panel stores the password in plaintext.

> The thing to look out for is your old password in password reset emails, not welcome emails.

What's the use of encrypting your passwords when you're broadcasting them to every mail server between you and your customer?

I'm surprised you haven't been prompted to upgrade your account. 37signals switched to a new login system 18 months ago which doesn't store passwords in the clear. With a new login you get a regular password reset email.
Why should basecamp even need to prompt the user to upgrade their account to the new login system? Why don't 37signals just do it?
Because the newer login system requires you to move away from having an easy-to-remember username (e.g. someperson) that only needs to be unique on a particular Basecamp instance, to picking a harder-to-remember new username (e.g. someperson5946) that needs to be unique everywhere.
Companies like Hover have a user/password scenario unlike e.g. an email provider: users only visit their site one/two times a year (to renew a domain or whatever).

So I wonder if they should instead allow "authentication-by-email". Basically, make it work just like current reset emails (with an embedded randomized link that allows access), but prevent the link from expiring.

Obviously that suggestion has a lot of holes in it, too, but it's something to consider, especially since it's not a new idea.

Either way, it's a real amateur move to do away with hashing.

I love this idea. 90% of the time when I use a forgot password link, I'm really trying to auth-by-email. I'm not sure how it would work for reusable links, since that becomes auth-by-URL, which seems significantly less secure — maybe putting HTTP auth in the URL would be less likely to be logged at any point?
Auth emails are like plaintext passwords. Best combo would be your public key stored on their server. Any future requests, they send you the PGP'd email.
Isn't this basically the same thing as e-mailing yourself your password?
Not if the link can time out or expire after X [days, minutes, seconds, etc.]. When I think of emailing myself the password, I think of storing it in plain text in my email account. When I think of authentication via email I think of a one-time-use link that allows me to log into a session.
Email is sent in plaintext. It'd be easy enough for an attacker to request an email authentication (which they then sniff in transit). Expiry time doesn't help much.

Email auth really should be done as Joakal says - your public key stored on their server when you sign up, email auth is encrypted. Trouble is, it's "too hard" for "normal people". If gmail/outlook etc supported it, though, it could catch on.

We're starting out from the position that my email is the keys to my digital castle... good or bad as that may be, if someone can reliably sniff my email in transit they already own my life.
In the same way that forgot password links are. The key difference is that the token expires on its own.
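An added example, not code from any commenter or from Hover or Basecamp, of the expiring, single-use sign-in link the comments above describe: the server stores only a hash of the token (so a leaked table does not yield working links), the link dies after a TTL, and redeeming it once consumes it. The host name, the 15-minute TTL and the in-memory store are constructed assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: links stop working after 15 minutes

# Server-side table of pending links: sha256(token) -> (email, expires_at).
# Only the digest is stored; the token itself exists solely in the email.
_pending: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_link(email: str, now: Optional[float] = None) -> str:
    """Create a one-time sign-in link for `email` and return the URL to mail out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    # Hypothetical host; the real endpoint would be the registrar's login URL.
    return f"https://registrar.example/login?t={token}"


def redeem(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email if the token is known, unexpired and unused; else None.

    Any token that is found is removed immediately, so a link can be used at
    most once, and an expired link is discarded rather than left lying around.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)  # lookup by digest, consume on sight
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    url = issue_link("alice@example.com")
    print("mail this:", url)
    tok = url.split("t=", 1)[1]
    print("first use  ->", redeem(tok))   # alice@example.com
    print("second use ->", redeem(tok))   # None: already consumed
```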
Wouldn't OAuth (by Gmail, perhaps?) be a better solution to this?
It is OAuth for all intents and purposes — a third party (your email server) authenticates you as the owner of the email address and passes you a secure token.

It's worse in some ways (control, usability, security) and better in others (simpler technologically, everyone has it).

Thanks for the great idea! We implemented this in Hover, details here: http://help.hover.com/2011/07/08/hover-adds-no-hassle-sign-i...
After some positive research, I just purchased two domains from Hover. This is unacceptable however and I will be moving them away.

What registrar would anyone say is the most security focused and/or government resistant?

Maybe it should be a 2011 AskHN?

I can't vouch for "security focused" - but Gandi.net have so far never let me down. They're based in France, so not susceptible to US law (dependent on the TLD you use of course) and have a huge variety of TLDs.

Can't recommend Gandi enough, they do exactly what they say on the tin - "no bullshit".

Gandi is pretty awesome, but just be aware that your credit card company might freeze your card the first time you buy from them (apparently buying domain names in other countries is a fraud trigger) :D
Never had that problem with Gandi but buying digital goods from Facebook froze my card. Apparently they were a hive for credit card thief testing at that point in time because of the low value of virtual gifts (1 US cent?).
This happened to me, too (twice!), but I now use PayPal instead of my credit card and my bank no longer freezes my account.
Gandi is super awesome! One quick thing though: since last year they have a US subsidiary (see http://en.wikipedia.org/wiki/Gandi), which might or might not make them more susceptible to US law.
Gandi is great and resilient. I know from personal communication with them that the Yes Men recommend using their domain services (they also favor joker.com, which is based in Germany -- I've had a good experience there as well, although Joker doesn't offer VPS services like Gandi).
I've had other positive experiences with Gandi.net: They hooked one of their VPS servers up with a BGP feed so I could announce my AS there for testing a new Anycast service.
Gandi also have excellent free DNS hosting services. With an excellent control panel including grouping and raw BIND config.
Name.com is great. They don't try to obfuscate the UI to make it more user friendly. Straight access to the DNS records, simple clean design. Here's an old link to a comment I had discussing them: http://news.ycombinator.com/item?id=1766590
That very thread convinced me to switch to name.com six months ago. They're great.
Switched to Name.com around that time too. The website stripped special characters from my password during registration and I couldn't understand why it wouldn't let me log in since the limitation wasn't mentioned anywhere. Had to confirm with customer support. Take that as you will.

But I like how they send you an email on every failed auth attempt.

I absolutely love NearlyFreeSpeech.net for domain registration (and also cheap hosting).

I wouldn't say they're security focused, but they allow you to be totally anonymous in your registration, and have a policy of hosting anything that isn't illegal.

Here's a thread discussing DNS registrars from last year: http://news.ycombinator.com/item?id=1766439
007names.com is doing good here
Moniker
Precisely. Doing something like this is always a trade-off, and yes, it might make sense for something like a blogging service (the same way Posterous inbound mail has the small potential to go wrong), so I can see where Hover is coming from. But really, in the case of a domain registrar, wow. If you're administering a domain, you're no longer in "mainstream user" territory.

There should really be some minimal set of conditions for domain registrars, with one of them specifying a reasonable security model for password retrieval.