1.1 This document sets out auDA's policy on the allocation, use and retrieval of domain name passwords in the open .au second level domains (2LDs). At the time of publication, the open 2LDs are asn.au, com.au, id.au, net.au and org.au.
1.2 This document does not detail the technical steps required to allocate, use or retrieve a domain name password. This information is contained in the registry's technical procedures manual, which is made available to all auDA accredited registrars.
2. ALLOCATION OF DOMAIN NAME PASSWORD
2.1 A domain name password must be allocated to the registrant by the registrar, at the time the domain name is registered. The registrar must provide the domain name password directly to the registrant; the registrar must not provide it via a third party, such as a reseller.
2.2 For security reasons, the domain name password must contain:
a) between 6 and 32 characters;
b) at least one letter (a-z) and one number (0-9); and
c) no dictionary words.
2.3 The registrar may generate a domain name password for the registrant, however the registrant must have the option to choose their own domain name password at the time of registration, or to change it at a later date.
2.4 When issuing the domain name password to the registrant, the registrar must notify the registrant of:
a) the importance of keeping the domain name password secure; and
b) the obligation on the registrant to keep their contact details up-to-date.
2.5 The registrar must not change the domain name password without the registrant's consent, except where permission has been granted by auDA. Circumstances under which auDA may grant permission include:
a) where there has been a security breach (or suspected breach) of the registrar's systems; or
b) where the registrar has terminated a reseller licence agreement because the reseller has breached auDA policy or the Code of Practice.
Please Note: The registrar is not permitted to change the domain name password merely because a reseller has become the reseller of another registrar, or has itself become an accredited registrar.
2.6 Where the registrar has changed the domain name password pursuant to paragraph 2.5, the registrar must notify the registrant of the new domain name password and the reason why the password was changed.
3. USE OF DOMAIN NAME PASSWORD
3.1 The domain name password is required for transfers. Under auDA's Transfers Policy, the gaining registrar must obtain the domain name password from the registrant before they can send a transfer request to the registry.
3.2 The domain name password may also be used by the registrar to authenticate their communications with the registrant (for example, updating contact details or changing nameserver information).
3.3 It should be noted that the registrar of record does not need the domain name password to perform operations on the domain name. It is therefore important that registrars implement security procedures to ensure that unauthorised changes are not made to domain names under their management.
4. RETRIEVAL OF DOMAIN NAME PASSWORD
4.1 The registrar must provide the registrant with a copy of their domain name password within 2 days of a request by the registrant, provided the registrant has maintained correct contact information in the registry. If the registrant is required to provide written authorisation, as defined in paragraph 4.3, a registrar must use reasonable commercial endeavours to provide the password within 7 days.
4.2 The registrar must ensure that the domain name password is provided directly to the registrant. Where the registrant has maintained accurate contact information, the registrar must provide the domain name password to the registrant contact listed in the registry database.
4.3 Where the registrant has not maintained accurate contact information, the registrar must authenticate the request for the domain name password by obtaining written authorisation from the registrant. For the purposes of this policy, "written authorisation" means a hard copy letter, facsimile or PDF document signed by the registrant, or in the case of a corporate registrant, signed by a senior manager, company director, company secretary (or equivalent of these positions) of the registrant, on corporate letterhead.
4.4 The registrar may provide the domain name password to a third party, if the registrant has given explicit permission to do so.
4.5 Where the registrant has provided written authorisation as in paragraph 4.3, the registrar must keep full records of the domain name password retrieval by the registrant for inspection by auDA on demand, including copies of the written authorisation from the registrant.
4.6 Registrars may use an automated retrieval tool for providing domain name passwords to registrants, but they must ensure that the domain name password is provided directly to the registrant in accordance with paragraphs 4.2 and 4.3 above.
2002-12 Domain Name Password Policy