Doteasy is a domain registrar that is not worth your trust

Doteasy is a domain registrar that is not worth your trust. How do I know? Because I host Flight Club with them, and when I went through their password retrieval process this evening, they sent me my password in an email.

Emailing passwords is a bad idea for (at least) two reasons:

It means it’s likely the system storing the passwords does not encrypt the passwords, and encrypting passwords that you store is something they teach you in Web App Development 101.
That email I got with my username and password went through the internet’s tubes, and at any point along those tubes it could be sniffed, captured and used for malicious purposes.

Here’s the email Doteasy sent me:

DOTEASY MEMBER REQUEST
—————————————————————–
As requested at Jul 05, 2010 21:28:11,
the login info for your Doteasy Hosting account is shown as follows.

Domain…..: flight-club.org
Member ID..: flightclub
Password…: [my actual password]

Thank you.

Doteasy Support
‘Join the hosting revolution!’

Popularity: 3% [?]

Posted in Web Development. Tagged with doteasy, email, security, trust.

By Joe

July 5, 2010

12 comments

12 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Ryan said

on July 6, 2010

What makes you think they wouldn’t encrypt it? I generate a password, and it gets emailed, then I salt it and put it in the database. End transaction. What’s the problem?

Drew Jaynes said

on December 22, 2010

Stick with GoDaddy Joe, you’ll thank yourself later. Granted, their backend UI used to be atrocious and is only marginally better after the redesign, but the pricing is still great.