Wearing a helmet was optional in my state during my motorcycling years but I never had the guts to go helmet free. One mishap could have caused an ugly mess for me and for my dependents. So it is with your business and website security.
A 3-Step Check-up Anyone Can Do
Here is a simple 3-step check you can do right now to assess your website security posture. No technical knowledge required. Simply go to your website, become your own customer, and observe what happens.
Registration and Login Pages
Start by registering for an account. You will most likely be entering your email address and a password to create an account, which will be used later to sign in. Is the registration page secure? Before you type anything, check that the browser shows the lock icon and that the web address starts with https (not just http). The lock means the connection is encrypted and the site's certificate checked out; a plain http page can be read or altered by anyone between the customer and your server, even if the form happens to submit to an https address. Keep in mind that this is your registration and/or sign-in page and not your shopping cart payment page.
Requesting personal information on an unsecured page will cause many people to hesitate or even abandon a purchase or site registration.
Continuing as your own customer, after you have registered for an account on your website does the system send a confirmation email that includes the password you just used to register?
I have encountered this three times in the past six months and it’s a danger for several reasons.
- It signals a lack of security awareness to customers.
- Customers will probably not be thrilled that your system sent an email exposing their confidential information.
- Email is usually stored unencrypted on mail servers, is often relayed between them without encryption, and then sits in inboxes on shared devices indefinitely.
- It tells an attacker that your site keeps passwords in a recoverable form, which makes your user database a worthwhile target and an open invitation to try and breach it.
Ever wonder why some sites force you to reset your password instead of just sending it to you, even after you prove your identity? It's because your password is not retained, encrypted or otherwise.
Instead, when you register for an account the system transforms your password into a long string of gibberish called a "hash," which it keeps instead of the password itself. A hash is one-way: there is no key that turns it back into the password. The only attack is to guess candidate passwords, hash each guess the same way, and compare. Done properly, each user's password is mixed with a random "salt" (so the same password hashes differently for every user and precomputed tables are useless) and the hash function is deliberately slow (bcrypt, scrypt, PBKDF2), so every guess costs the attacker real time.
“X” Marks the Spot
Keeping encrypted passwords instead of hashes makes your business website the proverbial “X” on a pirate’s treasure map; all that’s left is the digging—and dig they will.
A hacker who steals a database full of encrypted passwords can simply sell it on the Internet underground to buyers with sophisticated cracking tools then move on to the next website. A database of properly salted, slow hashes is far less valuable: every password has to be guessed separately, each guess is expensive, and a strong password may never be recovered at all. Note the qualifier: a fast, unsalted hash such as a bare MD5 or SHA-1 of the password is cracked almost as quickly as plaintext, because the attacker can test billions of guesses per second against the whole table at once.
Fortunately it’s fairly easy to shore up your defenses.
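The difference between a fast unsalted hash and a salted, slow one, worked through in code. This is an added example written for this page, not the author's or any particular platform's code; the wordlist and the sample password are constructed for the demonstration. It shows a small dictionary attack recovering a password from a bare SHA-256, then stores and verifies the same password with PBKDF2-HMAC-SHA256, a random per-user salt and a high iteration count, using only the Python standard library.

```python
"""Password storage: why a salted, slow hash beats an encrypted or fast-hashed one."""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample data: a tiny "leaked" wordlist of the kind attackers run first.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2014!"]


# --- What NOT to do: a single fast, unsalted hash --------------------------------
def fast_unsalted_hash(password: str) -> str:
    """One SHA-256 over the password: deterministic, no salt, microseconds per guess."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash every candidate and compare. Because there is no salt,
    one pass over the wordlist (or a precomputed table) works against every user."""
    for word in candidates:
        if fast_unsalted_hash(word) == stored_hex:
            return word
    return None


# --- What to do: PBKDF2-HMAC-SHA256, random per-user salt, high work factor ------
ITERATIONS = 210_000   # order of magnitude currently recommended for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived-key.
    The salt is fresh for every call, so two users with the same password get
    different records and the attacker cannot attack them together."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time
    so response timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False          # malformed record: reject, never crash or accept
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    leaked = fast_unsalted_hash("Summer2014!")
    print("unsalted SHA-256 cracked to:", crack_unsalted(leaked, WORDLIST))
    record = hash_password("Summer2014!")
    print("stored record:", record)
    print("correct password verifies:", verify_password("Summer2014!", record))
    print("wrong password verifies:", verify_password("summer2014!", record))
```

The stored record carries its own iteration count, so the work factor can be raised later for new or re-hashed accounts without breaking verification of older ones. On a real site the ITERATIONS value should be tuned to the server's hardware, and bcrypt, scrypt or Argon2 are equally good choices where a library provides them.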
Secure Registration & Login
Secure your registration and login pages, not just the payment page. Securing these additional pages prevents eavesdroppers from intercepting your customers' name, address, phone, email address, username, and password when registering. It also protects their credentials when signing in later. A certificate alone is not enough: the server must actually serve these pages over https and redirect any http request for them to the https address, otherwise a customer who types the plain address still submits the form in the clear.
An additional benefit is that Google recently began to give a positive nudge in the search engine rankings to secure web pages.
You can add security in one of three ways:
- If you have a secure checkout page then you might already have an SSL/TLS certificate that a website developer or web admin can use to secure your other pages.
- Buy an SSL/TLS certificate and have your web admin set it up on your site. Certificates range in price from free to $400+ per year depending on the specifics.
- Use your hosting company's certificate. They'll often provide this service at no charge and will set it up for free.
Mind Your Email
Don’t send passwords or any sensitive information via email. It’s guaranteed to raise eyebrows and possibly the attention of hackers. Consider changing your registration process to complete account registration with a “thanks for registering” web page instead of a confirmation email.
Reset Passwords, Don’t Save or Send Them
Have your web admin institute a process that requires users to reset lost or forgotten passwords: the site emails a link containing a random, single-use token that expires after a short time, and the user chooses a new password on a secure page. The old password is never recovered or sent, because the site never had it. If you operate a WordPress website then your site already uses this method.
If your site is currently retaining user passwords (even if encrypted) instead of hashing then it is probably because the developer/admin isn’t familiar with the required technology, tools, and methods. If you ask for it, your admin will find someone who knows how to do it and probably even enjoy learning about good security practices.
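The reset flow described above, as an added example for this page rather than code from the author or from WordPress. It assumes an in-memory dictionary standing in for the database table of pending resets, a fifteen-minute token lifetime, and that the caller, on success, sets the account's new password with a salted slow hash. Only a hash of the token is stored, so someone who steals the database still cannot use the pending reset links; the token itself travels once, in the email.

```python
"""Password reset by single-use, expiring token: the site never knows or sends the password."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset links are valid for fifteen minutes

# Stand-in for a database table of pending resets: token_hash -> (email, expires_at).
_pending: Dict[str, Tuple[str, float]] = {}


def _token_hash(token: str) -> str:
    """The token is 256 bits of randomness, not a human-chosen password, so a plain
    fast hash is enough to make the stored value useless without the emailed token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset(email: str, now: Optional[float] = None) -> str:
    """Issue a fresh token for the emailed link; only its hash is recorded."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_token_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate the token exactly once. Returns the email address whose password the
    caller may now replace, or None if the token is unknown, already used, or expired.
    The record is removed on every attempt, so an expired link cannot be retried."""
    now = time.time() if now is None else now
    entry = _pending.pop(_token_hash(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    link_token = create_reset("alice@example.com")          # constructed sample account
    print("email the user a link carrying:", link_token)
    print("first redemption:", redeem_reset(link_token))     # alice@example.com
    print("second redemption:", redeem_reset(link_token))    # None: single use
```

A production version would also send the same "if that address is registered, a link is on its way" message whether or not the email exists, invalidate any earlier tokens for the account when a new one is issued, and require the new password to be set over https.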
Spend a few minutes to experience what your customers do while on your website. It will help you understand your website security posture and take any steps necessary to keep it, and your customers, safe.
Author: Dave Goodwin is the founder of growinge.com, a business web hosting company, and the host of The Growing Entrepreneur iTunes podcast. Connect with Dave on Twitter @davegoodwinge.
Published: October 16, 2014