Is Your Website a Security Time Bomb?

Oct 16, 2014 By SmallBizClub

Wearing a helmet was optional in my state during my motorcycling years but I never had the guts to go helmet free. One mishap could have caused an ugly mess for me and for my dependents. So it is with your business and website security.

 
A 3-Step Check-up Anyone Can Do
 
Here is a simple 3-step check you can do right now to assess your website security posture. No technical knowledge required. Simply go to your website, become your own customer, and observe what happens.
 
Registration and Login Pages
Start by registering for an account. You will most likely be entering your email address and a password to create an account, which will be used later to sign in. Is the registration page secure? A secure page will have the lock icon and the web address will start with https (not just http). Keep in mind that this is your registration and/or sign-in page and not your shopping cart payment page.
 
 
Requesting personal information on an unsecured page will cause many people to hesitate or even abandon a purchase or site registration.
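A quick way to do this check on more than one page at a time is to look at the forms themselves rather than the lock icon: a page can be served over https and still submit the login form to a plain http address. The script below is an added example, not code from the original article or from the author's company; it uses only the Python standard library, and the page URL, the HTML and the host name are constructed sample data.

```python
"""Added example (not from the original article): flag registration or
login forms whose page, or whose form action, is not served over HTTPS.

Assumptions: the page HTML is supplied as a string (here a constructed
sample); only <form> tags, their action attributes and their <input>
fields are inspected.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect, for each <form> on a page, its action and whether it
    contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)      # attribute values may be None
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_credential_forms(page_url, html):
    """Return the absolute action URLs of forms that collect a password but
    are either served from, or submit to, a plain http:// URL."""
    parser = FormCollector()
    parser.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue                                  # no credential collected here
        action = urljoin(page_url, form["action"])    # "" resolves to the page itself
        if not page_is_https or urlparse(action).scheme != "https":
            findings.append(action)
    return findings


# Constructed sample: an https page whose registration form posts to plain
# http, a login form that posts back to the same https host, and a search
# form that collects no credentials.
SAMPLE_PAGE_URL = "https://shop.example.test/account/register"
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="http://shop.example.test/account/create" method="post">
  <input name="email"><input type="password" name="pw">
</form>
<form action="/login" method="post">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("credential form submits over plain HTTP:", url)
```

Fetch the registration and sign-in pages with your browser's "view source" (or any HTTP client) and feed the HTML to `insecure_credential_forms` along with the page address; anything it returns is a form that sends a password in the clear.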
 
Confirmation Email
Continuing as your own customer, after you have registered for an account on your website does the system send a confirmation email that includes the password you just used to register?
 
 
I have encountered this three times in the past six months and it’s a danger for several reasons.
 
  1. It signals a lack of security awareness to customers.
  2. Customers will probably not be thrilled that your system sent an email exposing their confidential information.
  3. Email can be read in transit, with some exceptions, and on shared devices.
  4. It’s a beacon to hackers and an open invitation to try and breach your website.
 
Password Reset
Ever wonder why some sites force you to reset your password instead of just sending it to you, even after you prove your identity? It’s because your password is not retained, encrypted or otherwise.
 
 
Instead, when you register for an account the system runs your password through a one-way function and keeps the result, a long string of gibberish called a “hash,” instead of the password itself. A hash cannot be turned back into the password. An attacker can still guess candidate passwords and hash each guess to see whether it matches, so a sound scheme also mixes in a random per-user “salt” (making the stored value unique to you, not just to your password, so two customers with the same password get different hashes) and uses a deliberately slow hashing function such as bcrypt, scrypt or PBKDF2 so that every guess costs real time. Stored that way, the hash is of very little use to a hacker.
 
“X” Marks the Spot
 
Keeping encrypted passwords instead of hashes makes your business website the proverbial “X” on a pirate’s treasure map; all that’s left is the digging—and dig they will. 
 
A hacker who steals a database full of encrypted passwords, along with the decryption key that usually sits on the same server, can recover every password in seconds, or can simply sell the database on the Internet underground to buyers with sophisticated cracking tools and move on to the next website. A stolen database of salted, slow hashes is far less valuable: each password has to be guessed one at a time, and a strong one may never be recovered at all.
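What “hash, don’t store” looks like in code, as an added example that is not part of the original article or the author’s hosting platform: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for whatever slow hash your site’s framework provides (bcrypt, scrypt or PBKDF2 were all established choices in 2014; Argon2 arrived a year later), keeps a fresh random salt per account, and verifies a login by recomputing the hash rather than by decrypting anything. The user store and the e-mail addresses are constructed for the example.

```python
"""Added example (not from the original article): store a salted, slow
password hash instead of the password, and verify a login against it.

Assumptions: PBKDF2-HMAC-SHA256 (standard library) stands in for the
hashing routine your framework offers; the user store is an in-memory
dict keyed by e-mail address.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # slow on purpose: each guess an attacker makes costs this much work
SALT_BYTES = 16        # 128-bit random salt, different for every account


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    The salt is random per call, so the same password hashed twice gives two
    different records; verification works because the salt is stored with it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False                      # unknown or malformed record
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def register(users, email, password):
    """Store only the hash record; the password itself is never written anywhere."""
    users[email] = hash_password(password)


def login(users, email, password):
    record = users.get(email)
    if record is None:
        hash_password(password)           # burn the same time for unknown accounts
        return False                      # so timing does not reveal which exist
    return verify_password(password, record)


if __name__ == "__main__":
    users = {}
    register(users, "alice@example.test", "correct horse battery staple")
    register(users, "bob@example.test", "correct horse battery staple")
    # Same password, different salts, different stored records:
    print(users["alice@example.test"] != users["bob@example.test"])
    print(login(users, "alice@example.test", "correct horse battery staple"))
    print(login(users, "alice@example.test", "wrong password"))
```

The record format stores the algorithm and iteration count beside the hash, so the site can raise `ITERATIONS` later and re-hash each customer's password the next time they log in successfully, without ever needing the old password in the clear.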
 
Fixes
 
Fortunately it’s fairly easy to shore up your defenses. 
 
Secure Registration & Login
Secure your registration and login pages, not just the payment page. Securing these additional pages prevents eavesdroppers from intercepting your customers’ name, address, phone, email address, username, and password when registering. It also protects their credentials when signing in later. Once the certificate is in place, have plain http:// requests for those pages redirected to the https:// version, so that a bookmark or a typed address does not land on the unprotected copy.
 
An additional benefit is that Google recently began to give a positive nudge in the search engine rankings to secure web pages. 
 
You can add security in one of three ways:
 
  1. If you have a secure checkout page then you might already have an SSL/TLS certificate that a website developer or web admin can use to secure your other pages. 
  2. Buy an SSL/TLS certificate and have your web admin set it up on your site. Certificates range in price from free to $400+ per year depending on the specifics.
  3. Use your hosting company’s certificate. They’ll often provide this service at no charge and will set it up for free. 
 
Mind Your Email
Don’t send passwords or any sensitive information via email. It’s guaranteed to raise eyebrows and possibly the attention of hackers. Consider changing your registration process to complete account registration with a “thanks for registering” web page instead of a confirmation email. 
 
Reset Passwords, Don’t Save or Send Them
Have your web admin institute a process that requires users to reset lost or forgotten passwords. If you operate a WordPress website then your site already uses this secure method.
 
If your site is currently retaining user passwords (even if encrypted) instead of hashing them, it is probably because the developer/admin isn’t familiar with the required technology, tools, and methods. If you ask for it, your admin will find someone who knows how to do it, and will probably even enjoy learning about good security practices. 
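The reset process itself is worth getting right, because a sloppy one reopens the hole that hashing closed. Below is an added example of a reset flow, not code from the original article or from WordPress: the link e-mailed to the customer carries a random, single-use, expiring token; the server stores only a hash of that token, so a stolen database cannot be turned into working reset links; and the “forgot password” form answers identically whether or not the address is registered. The store, the mailer, the site address and the `hash_password` callable it is handed are assumptions for the example (any salted, slow hash will do for the last).

```python
"""Added example (not from the original article): a password-reset flow
that never needs, sends or stores the customer's password.

Assumptions: pending tokens live in an in-memory dict keyed by token hash;
`send_email` is a stand-in for the site's mailer; `hash_password` is the
site's own salted, slow password hash, passed in as a callable.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60           # links stop working after 15 minutes
SITE = "https://shop.example.test"    # constructed address for the example


def _token_hash(token):
    # Only this is stored; the raw token exists in the e-mail and nowhere else.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_reset_token(reset_store, email, now=None):
    """Issue a token for `email`, store its hash and expiry, return the raw token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)     # 256 bits of randomness: not guessable
    reset_store[_token_hash(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def consume_reset_token(reset_store, token, now=None):
    """Return the e-mail the token was issued for, or None if it is unknown,
    expired or already used. The entry is removed either way (single use)."""
    now = time.time() if now is None else now
    entry = reset_store.pop(_token_hash(token), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["email"]


def request_reset(users, reset_store, email, send_email, now=None):
    """Same response whether or not the account exists, so the form cannot
    be used to find out which addresses are registered."""
    if email in users:
        token = create_reset_token(reset_store, email, now)
        send_email(email, SITE + "/reset?token=" + token)
    return "If that address is registered, a reset link has been sent."


def complete_reset(users, reset_store, token, new_password, hash_password, now=None):
    """Set a new password if the token is valid; the old one is never needed."""
    email = consume_reset_token(reset_store, token, now)
    if email is None:
        return False
    users[email] = hash_password(new_password)
    return True


if __name__ == "__main__":
    users = {"alice@example.test": "<old hash record>"}
    reset_store, outbox = {}, []
    print(request_reset(users, reset_store, "alice@example.test", lambda to, link: outbox.append(link)))
    token = outbox[0].split("token=")[1]
    # Stand-in hash for the demo; use the site's real salted, slow hash here.
    print(complete_reset(users, reset_store, token, "new password", lambda p: "hash-of:" + p))
    print(complete_reset(users, reset_store, token, "again", lambda p: "hash-of:" + p))  # used: False
```

Two details carry most of the security: the token is looked up by its hash and deleted on first use, and the expiry is checked with the server's clock, so a leaked or guessed old link does nothing.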
 
Spend a few minutes to experience what your customers do while on your website. It will help you understand your website security posture and take any steps necessary to keep it, and your customers, safe.
 
Author: Dave Goodwin is the founder of growinge.com, a business web hosting company, and the host of The Growing Entrepreneur iTunes podcast. Connect with Dave on Twitter @davegoodwinge.

Filed Under: Security Tagged With: Dave Goodwin, Mistakes, Network Security, Website
