[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au
Joseph Goldman
joe at apcs.com.au
Tue Mar 11 08:40:58 EST 2014
If processes were changed at the auDA level, then it wouldn't 'have' to be,
but under the current design the domain password is not just a password used in
a single system (to the end user); it is a password used between all
registrars' systems (even though they all tie back to auDA/AusRegistry).
End-Users of a domain don't get to interface with auda/ausregistry
directly. A registrar must have the domain password to make any changes
via ausregistry (i.e. to transfer into their systems). If you had a
falling out with your registrar, you need a way to get your password to
take it to the next registrar to now manage your domain through them. A
registrar has the ability to change your password on your behalf.
I suppose technically it is possible for auDA/AusRegistry to offer password
reset functionality, but it takes the system from a simple retrieval to
a fuller interface for end users directly, which is where I don't
think they want to be.
Almost everything is (or should be) done by API rather than through an interface.
I could well be wrong; these are just my thoughts/opinions on why it
would be done this way. I know a few of the AusRegistry staffers lurk
around the list; they might be willing to comment.
On 11/03/14 08:34, Octavio Alvarez wrote:
> On 10/03/14 14:31, Joseph Goldman wrote:
>> My thoughts exactly, a domain password by design has to be retrievable,
>> so it can't be a one-way hash.
> Please excuse my silly question, but why does it have to be retrievable?
>
> Thanks.
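The design point the thread turns on is that the domain password must be retrievable by a registrar, so it cannot be stored as a one-way hash. Retrievable does not have to mean cleartext at rest, though. The following is an added example, not code from the thread, from MelbourneIT or from AusRegistry, showing a registrar-side store that keeps each domain password reversibly encrypted under a key-encryption key (KEK) held outside the database, while still supporting the two operations the post describes: retrieving the password for a transfer, and changing it on the customer's behalf. The KEK, the `AuthInfoStore` type and the sample domain are constructed for the example and are not part of any real system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// AuthInfoStore is a hypothetical registrar-side store for domain passwords.
// rows stands in for a database table: domain name -> nonce || AES-GCM ciphertext.
// The KEK is never written to the table; in practice it would live in an HSM or KMS.
type AuthInfoStore struct {
	kek  []byte
	rows map[string][]byte
}

// NewAuthInfoStore requires a 32-byte KEK (AES-256).
func NewAuthInfoStore(kek []byte) (*AuthInfoStore, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	return &AuthInfoStore{kek: kek, rows: make(map[string][]byte)}, nil
}

func (s *AuthInfoStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts authInfo with a fresh random nonce. The domain name is passed as
// associated data, so a ciphertext copied into another domain's row will not decrypt.
func (s *AuthInfoStore) Store(domain, authInfo string) error {
	gcm, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, []byte(authInfo), []byte(domain))
	s.rows[domain] = append(nonce, ct...)
	return nil
}

// Retrieve is the "simple retrieval" the post describes: the registrar gets the
// password back to hand to the customer or to use in a transfer.
func (s *AuthInfoStore) Retrieve(domain string) (string, error) {
	row, ok := s.rows[domain]
	if !ok {
		return "", errors.New("no such domain")
	}
	gcm, err := s.aead()
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(row) < ns {
		return "", errors.New("corrupt row")
	}
	pt, err := gcm.Open(nil, row[:ns], row[ns:], []byte(domain))
	if err != nil {
		return "", fmt.Errorf("decrypt %s: %w", domain, err)
	}
	return string(pt), nil
}

// Rotate is the registrar changing the password on the customer's behalf.
func (s *AuthInfoStore) Rotate(domain string) (string, error) {
	if _, ok := s.rows[domain]; !ok {
		return "", errors.New("no such domain")
	}
	b := make([]byte, 12)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return "", err
	}
	newPw := hex.EncodeToString(b)
	if err := s.Store(domain, newPw); err != nil {
		return "", err
	}
	return newPw, nil
}

// RawRow exposes what the database would actually hold, for inspection.
func (s *AuthInfoStore) RawRow(domain string) []byte { return s.rows[domain] }

func main() {
	kek := make([]byte, 32) // constructed KEK for the example only
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	s, _ := NewAuthInfoStore(kek)
	_ = s.Store("example.com.au", "correct-horse-battery") // constructed sample row
	pw, _ := s.Retrieve("example.com.au")
	fmt.Println("retrieved:", pw)
	fmt.Println("at rest:  ", hex.EncodeToString(s.RawRow("example.com.au")))
	newPw, _ := s.Rotate("example.com.au")
	fmt.Println("rotated:  ", newPw)
}
```

Whoever holds the KEK can of course still recover every password, so this moves the problem from "anyone who reads the table" to "anyone who controls the key service"; that is the trade-off a registrar in this position is choosing, not a substitute for the reset flow the thread discusses.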