Unstoppable Domains wants me to change my secure password
When Unstoppable Domains launched its service I was among the early adopters to pick up a .crypto NFT domain. It was a decision based on curiosity without any real expectations of usability or value. My .crypto NFT has been idle for years due to increased Ethereum fees. However, fast forward a few years until the present day, and I’m getting a warning that my password is insecure when trying to log into its service.
Why ask users to change their password?
It’s usually down to one of these two scenarios:
- We failed to enforce a strong password policy during user registration
- Tell me you’re hacked without telling me you’re hacked
I don’t believe Unstoppable Domains has been compromised; it’s simply too big and successful to keep that under wraps.
Identifying weak passwords at login time is a valid approach to fixing “legacy password” issues. It tells me that Unstoppable Domains hashes and salts the passwords on its backend: with only hashes at rest, the server cannot audit stored passwords, so the only moment it can evaluate one is when the user presents the cleartext, at registration, at a password change, or at login.
However, my password, as you can see in cleartext in the video above, consists of 25 characters with an entropy of 137.96 bits. Passwords with more than 100 bits of entropy are considered practically immune to brute force: at a trillion guesses per second, 2^100 guesses would take tens of billions of years.
Security by stupidity
I went through the process of changing my password, adhering to Unstoppable Domains’ password policy:
Password should be at least 8 characters, 1 uppercase letter, 1 lowercase letter, 1 number, and 1 special character.
My existing password contained only letters and numbers (probably due to a lack of support for other characters when initially signing up with its service) and thus failed the “special character” requirement when validated against pattern-based rules.
Disappointingly, the policy overlooks password entropy, the actual measure of a password’s strength. It’s so bad that I could set my new password to Pass123#, with an entropy of 18.84 bits. NIST password guidelines do recommend a minimum of 8 characters, but the same guidance (SP 800-63B) advises against composition rules of exactly this kind and recommends screening candidates against known-breached passwords instead; allowing this kind of predictability is preposterous.
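To make the gap between a composition rule and an entropy estimate concrete, here is an added example (my own code, not Unstoppable Domains’ or KeePassXC’s) that encodes the quoted policy as regex rules next to two entropy estimates: the naive keyspace bound and a crude zxcvbn-style estimate that charges dictionary words and sequences only a handful of guesses. The word list, the 25-character sample password `SAMPLE_STRONG` and the 60-bit floor in `evaluate()` are all constructed assumptions; the numbers it produces for Pass123# are not KeePassXC’s 18.84 bits but land in the same “under 20 bits” territory.

```python
import math
import re
import string

# The registrar's composition policy as quoted in the post, expressed as regex rules.
POLICY_RULES = [
    (re.compile(r".{8,}"), "at least 8 characters"),
    (re.compile(r"[A-Z]"), "1 uppercase letter"),
    (re.compile(r"[a-z]"), "1 lowercase letter"),
    (re.compile(r"[0-9]"), "1 number"),
    (re.compile(r"[^A-Za-z0-9]"), "1 special character"),
]

# Constructed, deliberately tiny word list; a real checker would use a breached-password corpus.
COMMON_WORDS = ["password", "pass", "admin", "welcome", "qwerty", "letmein"]

# Constructed 25-character letters-and-digits password standing in for the author's.
SAMPLE_STRONG = "k7Qm2ZpL9vXw4RtB8nHc3YdF6"


def policy_failures(password: str) -> list[str]:
    """Rules the password fails under the pattern policy; an empty list means it is accepted."""
    return [label for rx, label in POLICY_RULES if not rx.search(password)]


def char_pool(password: str) -> int:
    """Size of the alphabet implied by the character classes present in the password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return pool


def keyspace_bits(password: str) -> float:
    """Naive upper bound: log2(pool ** length), i.e. every character drawn uniformly at random."""
    pool = char_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0


def _is_run(token: str, alphabet: str) -> bool:
    # "123" and "cba" are slices of the alphabet or of its reverse; runs shorter than 3 are ignored.
    return len(token) >= 3 and (token in alphabet or token in alphabet[::-1])


def pattern_bits(password: str) -> float:
    """Crude zxcvbn-style estimate: dictionary words and sequences cost few guesses, the rest brute force.

    Tokens are runs of letters, digits or symbols ("Pass123#" -> "Pass", "123", "#"); the guess
    count is the product of the per-token costs, so the result never exceeds keyspace_bits().
    """
    pool = char_pool(password)
    guesses = 1.0
    for tok in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", password):
        low = tok.lower()
        if low in COMMON_WORDS:
            # rank in the word list, doubled when capitalised (the most common variant)
            guesses *= (COMMON_WORDS.index(low) + 1) * (2 if tok != low else 1)
        elif _is_run(low, string.digits) or _is_run(low, string.ascii_lowercase):
            # a run is fixed by its start character and direction
            alphabet = string.digits if low[0].isdigit() else string.ascii_lowercase
            guesses *= len(alphabet) * 2
        else:
            guesses *= float(pool) ** len(tok)  # no structure found: brute force this token
    return math.log2(guesses)


def evaluate(password: str, min_bits: float = 60.0) -> dict:
    """Side-by-side verdict: the pattern policy versus an entropy floor (min_bits is an assumed value)."""
    failures = policy_failures(password)
    bits = pattern_bits(password)
    return {
        "policy_accepts": not failures,
        "policy_failures": failures,
        "estimated_bits": round(bits, 2),
        "entropy_accepts": bits >= min_bits,
    }


if __name__ == "__main__":
    for pw in ("Pass123#", SAMPLE_STRONG):
        print(pw, evaluate(pw))
```

Run as a script, it shows the inversion the post complains about: Pass123# satisfies every rule while estimating at roughly 13 bits, and the 25-character alphanumeric sample fails the policy on the special-character rule alone while sitting near 149 bits.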

Checking my new Unstoppable Domains account password on haveibeenpwned.com
Here is how haveibeenpwned.com summarizes NIST’s guidance:
The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches.
As shown in the video below, this is a feature Unstoppable Domains has yet to implement:
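For reference, this is what the missing check looks like when done with the Pwned Passwords k-anonymity range API: the client sends only the first five hex characters of the password’s SHA-1 and matches the remaining 35 locally. The code below is an added example of mine, not Unstoppable Domains’ or HIBP’s; the range response body, its neighbouring suffixes and the count of 1234 are constructed so it runs offline, while `fetch_range_online()` performs the real lookup against `https://api.pwnedpasswords.com/range/`.

```python
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_from_range_response(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the count for suffix, 0 if absent.

    Padding entries (count 0, returned when the Add-Padding header is used) fall out naturally.
    """
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """Live lookup; only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """How many times the password appears in the breach corpus behind the supplied range fetcher."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_from_range_response(suffix, fetch_range(prefix))


# --- constructed offline fixture so the check can be demonstrated without network access ---
DEMO_PASSWORD = "Pass123#"
_DEMO_PREFIX, _DEMO_SUFFIX = sha1_prefix_suffix(DEMO_PASSWORD)
# Neighbouring suffixes and every count are made up; only the demo password's own suffix is genuine.
SAMPLE_RANGE_BODY = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    f"{_DEMO_SUFFIX}:1234",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:0",
    "E5A3FE5C52AC32D3A0E40C2D7E1D8B3A8F9:17",
])


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the API that only knows the demo prefix."""
    return SAMPLE_RANGE_BODY if prefix == _DEMO_PREFIX else ""


if __name__ == "__main__":
    for pw in (DEMO_PASSWORD, "k7Qm2ZpL9vXw4RtB8nHc3YdF6"):
        n = pwned_count(pw, fetch_range_offline)
        print(f"{pw!r}: {'seen ' + str(n) + ' times, reject' if n else 'not in sample, accept'}")
```

A registration or password-change handler would call `pwned_count()` with the live fetcher and reject any candidate with a non-zero count; because the comparison happens on the client side of the API, the service never learns which password was being checked.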
Unstoppable Domains is not simply selling NFTs anymore. It has become an ICANN-Accredited registrar and should be held to higher scrutiny. In my opinion, the “Unstoppable” part of its brand seems accurate only for its marketing department.
Acknowledgments: KeePassXC has been used to calculate password entropy.