If you've registered a domain through Gandi, the WHOIS information readily divulges your account handle and Gandi support refer users who've forgotten their handle to refer to it. Registries don't necessarily include all the information a registrar sends, but going to Gandi's WHOIS server directly never fails to give all the information and handle. I've submitted a customer service complaint about the issue.<p><pre><code> When looking at the whois information for domains registered through Gandi the gandi handle is included. Other registrars do not include the usernames holding the domains. Gandi showing this information is an *extreme* security issue. Rather than guessing the username, the registry lays it out explicitly for all to see.
</code></pre>
I encourage others to contact them as well.
This is the least of the downsides of choosing Gandi... like not being able to run any kind of UCG site (including simply hosting blog comments), not being able to discuss hacking of any type on any domain registered through them, not being able to host any kind of adult content, not being able to host any content that might offend anyone...<p>Have you read the service agreement? Particularly the part about upholding their ethical code and guaranteeing that anyone else you allow to publish content will uphold that code?
I work for Gandi in the US (full disclosure, here). We have been looking at this issue in particular lately.
There are a few ways we can beef up login security, but the bottom line is that it's a balance between that security and the inconvenience of lost login names. Many, many, people forget their logins, and this makes it easy to retrieve. This is more of a problem with accounts that you log into once a year or two, like registrars (Hint: use password storage software!).
That being said, we are actively working on a more convenient way to configure logins to provide security than this legacy method. I expect we will be addressing this in the next couple of months.
Response from Gandi support:<p><pre><code> Thank you for your feedback.
This is due to the way our system was originally designed with some registrars. Indeed, this is not the case for all the extensions and varies according to which registry is returning the whois information.
However we agree that it might cause issues so we are currently working on a new authentication system to fix this. This new system should be released in a few months from now. Thank you for your patience and for your understanding.
If you have any further questions, please let me know.</code></pre>