Keep your mitts up: How to protect against unauthorized domain transfers

This post is meant to give you recommendations on how to prevent a potential domain hijack before it happens, because once a domain transfers to another registrar it can be difficult to re-acquire, especially if the transfer was in compliance with ICANN policy. If the registrar is not willing to transfer the domain back into your control then your options for recovery become very limited.

Keep your secrets

Before we get started, I want to make something very clear. You, as the registrant/account owner, are responsible for the security of your domain. You should never, ever, ever give your registrar login information to anyone. This includes web designers, hosting providers, Facebook friends, cousins, sisters, brothers, and even your own parents.

Dual-factor authentication

As someone who has worked in compliance and abuse for a domain registrar for several years, my first recommendation for securing your domains is to add dual-factor authentication to your registrar account. offers dual-factor authentication as a free service. It helps protect your accounts and your identity by requiring a unique security code—in addition to your username and password—to access your online accounts. Most registrars offer this kind of service at a cost, but gives it for free (because we love you).

If you are at all concerned about the safety of your domains, then Namesafe should be active on your account.

Keep your email secure

It is essential that the email address you choose for your registrar account is kept as secure as possible. In the absence of dual-factor authentication, your registrar account is only as secure as the email address associated with it. Most registrars’ lost password tools send directly to the email address you set for the account, including’s password recovery tool. This means that if a hacker were able to access your personal email, they could potentially recover your registrar account login information and reset your passwords.

I recommend using a Gmail account, and not an email tied to your personal domain.

Choose better passwords

Pick a password that is at least 8 characters long. Try using the following criteria when choosing a password:

  • Complexity / randomness of words that you would easily remember
  • Special characters (&^%$#_-+=)
  • Numbers (Specicharac$*&?)
  • Mix of Upper and Lower case characters (Sp3ciCharaC$*&?)

I also recommend keeping your passwords recorded using a trusted third party provider (Passpack,,