#1 (permalink)
NamePros Member

The most secure Registrar

First of all, let me state that I am a newbie, having started on this in the first week of July. One of the issues that I was initially concerned about is how secure the domains placed at any particular registrar are. The concern is whether they can be hacked and transferred out to another person. This is a valid question because of the horror of logging in and finding that all your domains are transferred out.

The risks involved can be analyzed in terms of:

(1) How easy is it for the hacker to guess your password?

Answer:

(1a) Have you made it easy for the hacker to guess your password? If not, this should be okay. This is under your control.

(1b) Check if your registrar sends your password to you in the clear when you click on lost password. If yes, then it depends on internal controls on who can use that generate password option. Or is there a master password or decryption software in the hands of people within the company? This is under the registrar's control. How well they control their internal processes is beyond our knowledge.

(1b.1) I tried with Moniker because they are reputed to have the best security. However, they sent the password to me in the clear. There is at least one other registrar (which I cannot recall at this moment) who also sent the password to you. Perhaps it might be better if they provide you a link and, when you click the link, you enter a new password.

(2) How easy is it for the hacker to access your authorization code?

Answer:

(2a) For Name.com, once they enter into your account, they are able to unlock your domain. The authorization code is displayed on your control panel for them to see. Thus once they get in, your domains can be transferred easily. To circumvent that, Name.com allows you to edit your security settings. I changed mine to allow at most 3 attempts to guess the password before the system deactivates the account for about 15 minutes. The default is 10.

(2b) For Dynadot, even if they enter into your account, they will still need to guess what your birth month and birthday are before the account is unlocked and the authorization code is given. Thus there is an additional layer of security, which is very comforting.

(2c) GoDaddy appears to have the best of the three. In order to access your authorization code, they will have to click a button. Instead of displaying it on the screen, GoDaddy actually sends the authorization code to your email account. This is excellent because now the hacker will need to go to your email account to retrieve it. If your email account is maintained at the ISP level, this provides an extra level of higher security. In addition, GoDaddy provides an extra layer of protection in the form of registrar lock, in which case it is very very difficult for your account to be transferred out. However, that extra layer of protection is very expensive at around US$20 per year because it comes bundled. I had written to GoDaddy to request that they decouple it, but they are not looking into that for the moment.

Thus of the three, GoDaddy appears to be the most secure, followed by Dynadot fairly closely and Name.com a distant third.

(3) What is the ease of the transfer process?

Answer:

(3a) Now if it is important for you to transfer the domain out easily, then Name.com wins hands-down because the authorization code is displayed there and unlocking is not a problem at all. Thus if you are into short-term flipping, then that should not be a problem.

(3b) Name.com, Dynadot and GoDaddy will send an email to the registrant and wait for a reply before initiating the transfer. Under most circumstances, this should be enough. As to what happens if they feel suspicious of the transfer, I cannot find any statements on that on their websites.

(3c) Moniker says on their website that they have operational control of the process by having 3 independent people review your request and, if needed, contacting you to see if you have initiated the transfer request. (Please see their website for the exact words they used.) However, Moniker's charges are expensive. I had written to them and they quoted me some discounted rates. However, I had about 5 to 6 correspondences with them because their discounted rates were not reflected on the screen. They did not reply to my last email. Two drawbacks: they add a surcharge of 4% if you pay by PayPal. If you pay by credit card, the surcharge is avoided. But now you have to answer compulsory personal questions like how much you earn, etc. But a lot of forums have people attesting to the fact that Moniker's security is the best. However, it appears that they are referring to the review process. Nonetheless, because my experience with Moniker is limited, if there are Moniker users here, please do elaborate on your experience.

(3d) It has been said that Fabulous is a very good registrar with an Executive lock feature. However, the drawback is that in order to qualify for the wholesale price, you must first have a monetization account with them. This means that you must provide them with 10 accounts that you are prepared to park with them. All my accounts were rejected by them because they lacked commercial potential. For newbies, this is a daunting task, as up to now I still do not know where I had gone wrong. Thus the alternative is to sign up for their regular account, where the cost of a domain is $15, which is not worth it.

(3e) Network Solutions is reputed to have strong security. Appreciate if any user can elaborate.

(3f) Mark Monitor appears to be very exclusive. Reading through their website, it appears unlikely they are willing to offer $5.99 domains. Appreciate if any user can elaborate. But they should be very secure because apparently they assign a manager to you and you cannot do self-registration. You have to request for them to contact you.

So to conclude, of the three (Name.com, Dynadot and GoDaddy):

(i) GoDaddy has the highest security in sending your authorization code to your email.

(ii) Dynadot is second because you must guess the birthday before they will unlock the account and give you the authorization code.

(iii) Name.com is best if you are into short-term holding of your domains because they make the transfer process very simple, but at the same time, you can limit the number of tries people can have to attempt to log into your account.

Okay, over to you guys.

#2 (permalink)
NamePros Regular

Quote:

Worse, despite many complaints, Moniker still doesn't hash passwords.

And that's not the only security problem they have ... a more serious one, that's personally affected me, and that of others I know, are registry / registrar sync problems, such as for .com domains - Moniker doesn't truly know what domains it has and doesn't.

Quote:

On an aside, GoDaddy doesn't charge anything extra for standard "registrar lock". However, they have (or at least in the past) sold a premium service in which one's account would, in essence, be watched more carefully by their system for transfer-out requests, etc.

Ron

__________________
Domagon Consulting Services - Business Help and Problem Solving
SeedCash.com - sow those economic green shoots. Make An Offer!

#3 (permalink)
Senior Member

My advice is that you don't have to worry much if you follow common sense and these suggestions:

1) Don't keep all your domains with one registrar.

2) Don't use the same username and password at each registrar.

3) Select a username that is not easy to guess.

4) Select a password that is not easy to guess. Use a password that is at least 11 characters long. Use mixed-case letters and numbers and at least one -, !, #, or other non-alphanumeric character if they allow you to.

5) Lock your domains when you aren't moving them.

6) Have at LEAST two different contacts/emails on each domain. The emails should not be on the same domain in case one domain should go down or get blocked. Many domains are lost each year simply because the owner(s) did not get emails sent from the registrar. And remember that the transfer request emails default to your approval, so if you don't get a transfer request and don't reject it, the domain could be transferred away.

7) For an extra level of protection you could use something like the Domain Monitor from Domaintools.com. They will send you an email anytime there is a status change on a domain. This can alert you if someone gets into your account.

I don't think the password sent in an email is a problem, because there is no difference between using the password and a link in an email. If your mail has been hacked into, you are in big trouble. So the message here is to protect your email account as well. If your domain account has a super-secure password and your email password is still "password".... which is easier to hack into...?

__________________
NameAuction.es - Sell Gold - Homecare Software - Asbestos - This Is Funny - NR Auction

#4 (permalink)
NamePros Member

One of the audit areas on computer security is whether the password in the database is encrypted and, secondly, whether it is possible to call the function that decrypts the password and email it to yourself....if it is, then all the password formation techniques become irrelevant in the event of an internal security breach.

For practical purposes, the degree of risk is not possible to assess for outsiders like you and me...but when the passwords are sent in the clear, such questions on internal controls arise....still, the answers will not be forthcoming.....for obvious reasons.

To counter that, Moniker's internal review process will be useful because, according to them, it is done by 3 persons....followed religiously, it should be a counter-foil to internal breach...

In this regard, GoDaddy's deadbolt transfer protection and Fabulous's executive lock are automated measures that can also reasonably counter internal breaches of security.

I just wish that GoDaddy would decouple the deadbolt transfer protection and offer it separately for a very reasonable fee...once they do so, they should have one of the tightest security in the market.
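
Added illustration, not part of any post in this thread and not any registrar's actual code: a sketch of the two storage and recovery ideas raised above, keeping only a salted one-way hash of the password (so no function exists that could decrypt and email it) and handling "lost password" with an emailed single-use link token. The class, method names, iteration count and 15-minute lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60      # seconds a reset link stays valid (assumed value)
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


class AccountStore:
    """Hypothetical registrar-side account store; every name is illustrative."""

    def __init__(self):
        self.users = {}   # username -> (salt, derived key); no plaintext kept
        self.resets = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)  # fresh random salt per password
        self.users[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        # Constant-time comparison of the stored and recomputed keys.
        return hmac.compare_digest(stored, self._derive(password, salt))

    def start_reset(self, user, now=None):
        """Return the token for the emailed link; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.resets[digest] = (user, now + RESET_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        """Consume the token (single use) and set the password if unexpired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        user, expiry = self.resets.pop(digest, (None, 0))
        if user is None or now > expiry:
            return False
        self.set_password(user, new_password)
        return True
```

With this layout, a copy of the database yields neither a usable password nor a usable reset link, although control of the mailbox that receives the link still allows a reset.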

#5 (permalink)
DNOA Founding Member

Quote:

#6 (permalink)
NamePros Member

Hi,

The largest top 15 ICANN registrars in the world are:

| Rank | Registrar | Market Share | Total Domains |
|------|-----------|--------------|---------------|
| 1 | GO DADDY | 25.032% | 25,140,091 |
| 2 | ENOM | 8.517% | 8,554,041 |
| 3 | NETWORK SOLUTIONS | 6.628% | 6,657,122 |
| 4 | TUCOWS | 6.288% | 6,315,237 |
| 5 | MELBOURNE IT | 4.963% | 4,984,057 |
| 6 | SCHLUND+PARTNER | 4.296% | 4,314,663 |
| 7 | WILD WEST DOMAINS | 3.002% | 3,014,574 |
| 8 | MONIKER | 2.752% | 2,763,432 |
| 9 | REGISTER.COM | 2.619% | 2,630,245 |
| 10 | PUBLIC DOMAIN REGISTRY | 1.833% | 1,840,582 |
| 11 | KEY-SYSTEMS | 1.408% | 1,414,358 |
| 12 | FABULOUS.COM | 1.258% | 1,263,135 |
| 13 | DOTSTER | 1.171% | 1,176,448 |
| 14 | 35.COM | 1.099% | 1,103,882 |
| 15 | DIRECTNIC | 1.015% | 1,019,480 |

Source: webhosting.info

If you are hosted with any of these, would you like to share your experience of how they manage the authorization code and any other special security features they have?

Thanks.