Using <input type="password"> on a web page served over plain HTTP is not safe: the password can be intercepted or altered in transit by anyone on the network path. User data is protected by serving the page, and the address the form submits to, over HTTPS.
Using <input type="password"> in data entry forms on sites
The <input type="password"> form element is intended for entering a password when a user registers or logs in on a site. As a rule, the text the user types in this field is masked for security purposes with special characters, asterisks or dots, so that it cannot be read off the screen by an onlooker.
On mobile devices, the most recently typed character is usually shown for about a second so that the user can verify the input on a small virtual keyboard. Masking protects only against someone looking at the screen; it does nothing for the value once the form is submitted.
As with any form field, it can be given an id and a name attribute; the name is the key under which the value is sent to the server.
It is dangerous to transmit the data the user enters over unprotected HTTP, because it exposes the form to several attacks.
There are several ways user data can be exposed:
- If the page is delivered over HTTP, an attacker on the path between the user and the site can intercept the submitted data, and can also rewrite the page itself, for example by changing the address the form is sent to.
- If the data is entered on an HTTP page, it passes through the network unencrypted and can be read by the internet service provider, the operator of a public Wi-Fi network, and anyone else on the path.
- Placing the form inside a frame loaded over HTTP, or having a form on an HTTPS page submit to an HTTP address, leaves the data unprotected even though the outer page was delivered over HTTPS. In this case, it can be both stolen and modified.
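The following is an added example in JavaScript, not code from the original article, showing how to check where a password form will actually send its data, which is the point of the last two items above. It assumes the page URL and the forms' action attributes have been collected from the page (a constructed sample is embedded below); the names classifyFormSubmission and findInsecureForms are chosen here. Relative actions are resolved against the page URL with the WHATWG URL parser, which is how the browser resolves them.

```javascript
// Added example (not from the original article): classify where a password form
// will submit, given the page URL and the form's action attribute.

/**
 * Returns an object describing whether a form submission is protected.
 * pageUrl: the URL the page was loaded from (string).
 * action:  the form's action attribute ('' means "submit to the page's own URL").
 */
function classifyFormSubmission(pageUrl, action) {
  const page = new URL(pageUrl);
  // An empty or missing action submits to the document's own URL.
  const target = new URL(action || '', page);
  const pageSecure = page.protocol === 'https:';
  const targetSecure = target.protocol === 'https:';

  let verdict;
  if (!pageSecure && !targetSecure) {
    verdict = 'insecure: page and submission both over HTTP';
  } else if (!pageSecure && targetSecure) {
    // The credentials are encrypted in transit, but the HTML that built the form
    // arrived unencrypted, so an on-path attacker could already have rewritten it.
    verdict = 'insecure: HTTP page can be tampered with before submission';
  } else if (pageSecure && !targetSecure) {
    verdict = 'insecure: HTTPS page submits to an HTTP address (mixed form)';
  } else {
    verdict = 'secure';
  }
  return {
    target: target.href,
    pageSecure,
    targetSecure,
    secure: verdict === 'secure',
    verdict,
  };
}

/**
 * Audit a list of forms ({ id, action }) on one page and return the insecure ones.
 */
function findInsecureForms(pageUrl, forms) {
  return forms
    .map((f) => ({ id: f.id, ...classifyFormSubmission(pageUrl, f.action) }))
    .filter((r) => !r.secure);
}

// Constructed sample: one HTTPS page with three forms, as a crawler might record them.
const sampleForms = [
  { id: 'login', action: '/login' },
  { id: 'legacy', action: 'http://example.com/old-login' },
  { id: 'partner', action: 'https://sso.example.net/auth' },
];

for (const r of findInsecureForms('https://example.com/account', sampleForms)) {
  console.log(`${r.id}: ${r.verdict} (${r.target})`);
}
```

Run on the sample, only the "legacy" form is reported, because its absolute action points at an HTTP address even though the page itself is HTTPS. The same function can be run inside the browser over document.forms to audit a live page, using form.getAttribute('action') so that an empty action is seen as empty rather than pre-resolved.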
Protecting user data using the HTTPS protocol
Because HTTP is insecure, HTTPS must be used on any site where user data is entered. HTTPS (HTTP over TLS) protects user data from interception and alteration in transit and lets the browser verify that it is talking to the genuine site rather than an impostor.
To inform users of the potential threat, browsers display a warning about an insecure connection on sites that use HTTP. Google Chrome uses a more categorical wording and marks such pages "Not secure" in the address bar.
According to one study, about half of users react negatively to such browser messages: 46% of them do not enter personal information on such sites, and 64% immediately leave the unprotected resource.
Warnings about an insecure resource can also damage brand reputation. Given the accumulated evidence that HTTPS is a ranking factor, and the effect of browser warnings on visitor behaviour, experts unequivocally recommend switching to the secure protocol.
To keep the site from displaying a message that scares off potential customers, you need to obtain a TLS certificate (still commonly called an SSL certificate) and serve the site over HTTPS; the browser will then report the connection as secure. In practice this also means redirecting every HTTP request to HTTPS, enabling HTTP Strict Transport Security (HSTS) so that browsers stop trying HTTP at all, and marking session cookies Secure so they are never sent over an unencrypted connection.
Why is it important for all sites to ensure the security of their users?
There are news and entertainment sites on which visitors enter no confidential or financial information and which therefore take insufficient care in storing logins and passwords. This creates a serious threat to users who reuse the same username and password on different sites.
Attackers can break into such a news portal, obtain the logins and passwords, and then try them on other sites that hold important financial information, such as online banking services (this reuse of stolen credentials is known as credential stuffing). At a minimum, a site should store passwords only as salted hashes computed with a deliberately slow algorithm such as bcrypt, scrypt or Argon2, so that a stolen database does not directly yield the passwords. Accordingly, the security of personal data depends not only on competent actions by the site's developers but also on the users themselves. There are rules for using passwords that minimize the risk of identity theft; some recommendations apply to site owners, others to users.
Recommendations for administrators:
- The password length should make brute-force attacks impractical. The traditional rule is more than six characters with mixed-case letters, digits and special characters; current guidance (NIST SP 800-63B) sets the minimum at eight characters, treats length as more important than forced character classes, and rejects passwords that appear in lists of commonly used or previously breached passwords. Whatever policy is chosen, the password entered by the user must be checked against it on the server, not only in the browser, because client-side checks can be bypassed.
- Sites should lock an account after a certain number of incorrect password entries. For example, after three or five wrong passwords the account can be blocked for a few minutes or longer. This greatly slows down password-guessing attacks. The lock should be temporary and combined with rate limiting per source address; a permanent lock would let an attacker deny service to any user simply by entering wrong passwords for that account.
- Regular password changes after a set period. The reasoning is that brute-forcing a long, complex password may take more than 90 days, so asking users to change passwords every 60 or 90 days keeps them ahead of the attacker. Note that current guidance (NIST SP 800-63B) advises against forced periodic changes, because they push users toward predictable variations of the old password; a change should instead be required whenever there is evidence that an account or the password database has been compromised.
- For site security, it is useful to rename administrator accounts from the popular names Administrator or Admin to individual ones, since automated password-guessing (brute-force) tools try those names first. Such accounts with wide powers must also have the most complex passwords, updated regularly, and should be protected by a second authentication factor wherever the platform supports it.
- You can audit users' passwords by trying to crack them yourself with the same tools attackers use (for example, hashcat or John the Ripper run against a copy of your own password hashes, with proper authorization). This identifies weak passwords before intruders do, so that the site's policy can be tightened or careless users told about their mistakes.
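The following is an added example in JavaScript (Node.js), not code from the original article, implementing the two server-side checks the first two recommendations above call for: a password-policy check and a failed-login counter with a temporary lockout. The names checkPasswordPolicy and LoginThrottle, the thresholds (8 characters, 5 failures, 15-minute lock) and the short common-password list are this example's own choices; a real deployment would load a breach list of millions of entries and back the counter with shared storage rather than an in-memory Map.

```javascript
// Added example (not from the original article): server-side password policy check
// and failed-login throttling with a temporary lock. Thresholds are assumptions.

const MIN_LENGTH = 8;          // assumed minimum; the article's "more than six" is a floor
const MAX_FAILURES = 5;        // wrong passwords allowed before the account is locked
const LOCK_SECONDS = 15 * 60;  // how long the lock lasts

// Constructed stand-in for a breach list; a real site loads millions of entries.
const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein', 'admin123']);

/**
 * Returns { ok, reasons }. Length and breach-list membership are the checks that
 * actually resist guessing; the character-class rules follow the article's policy.
 */
function checkPasswordPolicy(password, username = '') {
  const reasons = [];
  if (password.length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  if (!/[a-z]/.test(password) || !/[A-Z]/.test(password)) reasons.push('needs upper and lower case');
  if (!/[0-9]/.test(password)) reasons.push('needs a digit');
  if (!/[^A-Za-z0-9]/.test(password)) reasons.push('needs a special character');
  if (COMMON_PASSWORDS.has(password.toLowerCase())) reasons.push('appears on the common-password list');
  if (username && password.toLowerCase().includes(username.toLowerCase())) reasons.push('contains the username');
  return { ok: reasons.length === 0, reasons };
}

/**
 * Tracks failed logins per account. The lock is temporary and the counter resets on
 * success, so a guessing bot is slowed down without permanently denying service to
 * the real user (a permanent lock would let an attacker lock anyone out on purpose).
 */
class LoginThrottle {
  constructor(now = () => Date.now() / 1000) {
    this.now = now;          // injectable clock (seconds) so tests can fast-forward
    this.state = new Map();  // username -> { failures, lockedUntil }
  }

  isLocked(username) {
    const s = this.state.get(username);
    return !!s && s.lockedUntil > this.now();
  }

  /**
   * Call with the result of the real credential check. Returns 'ok', 'wrong-password'
   * or 'locked'; the message shown to the user should be the same for the last two so
   * that the response does not reveal whether the account exists or is locked.
   */
  recordAttempt(username, passwordCorrect) {
    if (this.isLocked(username)) return 'locked';   // correct password does not bypass the lock
    const s = this.state.get(username) || { failures: 0, lockedUntil: 0 };
    if (passwordCorrect) {
      this.state.delete(username);                  // success resets the counter
      return 'ok';
    }
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) {
      s.lockedUntil = this.now() + LOCK_SECONDS;
      s.failures = 0;                               // next burst after the lock starts fresh
      this.state.set(username, s);
      return 'locked';
    }
    this.state.set(username, s);
    return 'wrong-password';
  }
}

// Constructed demo: one policy check, then a burst of wrong guesses against one account.
console.log(checkPasswordPolicy('Tr0ub4dor&3', 'alice'));
let clock = 1000;
const throttle = new LoginThrottle(() => clock);
const outcomes = [];
for (let i = 0; i < 6; i++) outcomes.push(throttle.recordAttempt('alice', false));
clock += LOCK_SECONDS + 1;  // wait out the lock
outcomes.push(throttle.recordAttempt('alice', true));
console.log(outcomes.join(' '));
```

The demo prints four wrong-password results, then locked for the fifth and sixth attempts, and ok once the lock has expired and the correct password is supplied. The policy check is applied to the password the user submits before it is hashed and stored; the throttle is consulted before the stored hash is even compared, so a locked account costs the server no hashing work.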
Recommendations for users:
- Use meaningless combinations of letters, digits and symbols that have no relation to personal information; names, birthdays and dictionary words are the first things guessing tools try.
- Use a different password for every site. If you cannot remember them all, use a password manager; in that case, choose the master password for the manager itself with particular care, since it protects all the others.
For example, you can install LastPass: Free Password Manager, which stores passwords, addresses, notes and other form data in encrypted form and fills them into forms automatically.
Conclusion
- The security of the transmission and storage of user data is one of the priorities in the operation of any site.
- Personal data in transit is protected by serving the site over HTTPS.
- Monitor the strength of the passwords users enter by adding appropriate checks and recommendations.
- It is useful to periodically suggest that users change their passwords, and to require a change whenever an account may have been compromised.
- Administrator passwords should be as complex as possible and changed regularly.