More and more websites are requesting personal information and allowing you to make purchases at a touch of a button by storing your credit card information. With that convenience comes significant additional risk.
How can you tell whether a site that you’re using has strong security? It can be difficult to identify, but there are a number of ways you can spot the right attitude when it comes to security and user authentication.
The basics: Site security certificates
The first, easiest way to tell whether a site is committed to security is to look at the address bar. The important text you’re looking for is at the very start of the address:
HTTP or HTTPS
Sites that begin with “http” are not secured. You should not provide them with any personal information. Sites that begin with “https” have a layer of security, which they paid and received a certificate for. Sites with that also have their name in green on the far left of the address bar, or a notation of “secured” have purchased extra layers of security beyond the HTTPS certificate. You should always look for the HTTPS certificate when shopping online.
Do they establish your identity?
If a site is asking you to sign a document electronically, they should be taking steps to confirm your identity. Signing contracts, accepting the terms of binding agreements, and giving your permission should all be gated behind a robust form of identification verification.
This security should normally involve something more than a user login; it should confirm unique information to establish user identity. This can mean relying on an email account you own or confirmation of government issued I.D. Just make sure, when you’re giving out identification numbers, that they don’t store them.
Being picky about passwords isn’t necessarily good security
This one is a little counterintuitive. Have you come across a site with password restrictions so strict they make you angry? A number, a special character, an uppercase and lowercase letter, no spaces. Passwords like this are difficult to remember for the user, and according to the National Institute of Standards and Technology, encourage unsecure password choice and storage behaviour. In an effort to make their lives easier, people use simple words with small modifications, or random sets of letters and numbers that they then have to write down or otherwise record.
Demanding these password restrictions encourages users to engage in poor personal security practices, whereas longer passwords made up of dictionary words are not only easier to remember, according to NIST, but harder to crack with brute force attacks. They also report that spaces have little effect on security and can be allowed.
Are they proud of their security?
Many secure sites proudly state their security features. Amazon’s privacy page, for example, specifically notes how your information is encrypted and what information is visible to who.
It’s a good idea to check privacy policies for keywords such as encryption and security, and read up on a company’s precautions. Another important piece of information to watch for is whether the site discloses their relationship with third-party vendors. Third-party vendors have been the cause of large-scale security breaches in the past. It’s important not just to know who you’re dealing with, but who the company deals with as well.
Check whether a company offers additional methods of verification. Enable two-step verification on everything you can.
Put simply, two-step verification is just an additional layer of confirmation, which means an additional layer of security. These often use your personal email or your cell phone, in addition to password credentials before you’re able to log in. These extra layers aren’t infallible, but they serve a two-fold purpose:
- Extra identification is good! It’s one more barrier against potential breaches.
- You will know whenever someone tries to log in with your credentials! If you get an email, call, or text, asking you to confirm a login that you didn’t attempt, you will know that your password has been compromised.
A great deal of a company’s real security measures can be divided by the way they present themselves. If they clearly care about privacy and lead you through an authentication process that is up to industry standards, you can have more confidence when you enter your credit card information or sign a document.