Protect account credentials. Registrants are encouraged to manage access account credentials for registrar accounts according to a policy based on these common practices:
- Maintain a list of authorized contacts for each domain registration account;
- Advise authorized contacts that they are responsible for keeping secret the account credentials for domain registration accounts, and that they must not disclose or share passwords;
- Identify measures authorized contacts must take should they discover that credentials have been disclosed;
- Authorized contacts must compose passwords used to access a registration account using applicable organizational policies and commonly recognized best practices for composition (e.g., length and complexity), re-use, and longevity;
- Alternatively, if the registrar supports a form of multi-factor authentication (e.g., a hardware or software token), authorized contacts must keep the token safe from loss, damage, or unauthorized use;
- Use different credentials for each account;
- Partition particularly sensitive or important domain registrations into an account whose credentials are held by more senior personnel;
- Securely escrow all registration account credentials;
- Define and implement a recovery process with detailed auditing;
- Define the circumstances where recovery is permitted, who has authority to recover credentials from escrow, and who is to be notified when escrowed credentials are accessed;
- Changes in personnel authorized as contacts for a registrar account should cause new credentials to be created and old credentials to be revoked. (This may require coordination with a registrar, i.e., in cases where the registrant intends to change the user account identifier.); and
- Employee resource management processes such as employee termination and employee transfer should be modified to check if the employee has domain registration account access. The processes could be modeled after similar checks for employee access to other assets, such as financial accounts.
These policies can be implemented as part of a large organization’s workflow. They can be implemented by an individual or smaller organization using methods as simple as a checklist, ledger or desktop password security application.
Take advantage of routine correspondence from registrar(s). Registrars use electronic mail as a way to convey notices and obligations to registrants. Consider using each such correspondence as an event triggering a workflow or registration related action.
Maintain documentation to “prove registration”. Registrants are encouraged to maintain documentation in case disputes or other situations arise where there is a need to “prove registration.” Suggested documentation includes:
- Copies of registration records;
- Billing records, especially ones that show payments have been made;
- Logs, archives, or financial transactions that associate a domain name with content that you, the rightful registrant, published.
- Telephone directories (Yellow Pages), marketing material, etc. that contain advertising that associates you, the registrant, with the domain name;
- Correspondence to you from registrars and ICANN that mentions the domain name; and
- Legal documents, tax filings, government-issued IDs, business tax notices, etc. that associate you, the registrant, with the domain name.