Now and again, you can hear news stories about large-scale cyber attacks. Many of those are done to obtain personal data. The cybercriminals can then use it for more targeted attacks in the future.
Unfortunately, there is no way to completely insulate yourself from the theft of your sensitive personal data. But there are some easy actions you can perform to make yourself as safe as possible. Above all, there are two checks you can make to determine if the website you are about to register on is definitely unsafe to use.
Of course, if a website doesn’t have any obvious signs of being unsafe, it doesn’t imply that it’s safe. But if it has any of these signs, then it’s definitely not a website you should register on.
In a nutshell, the websites you should never register on have either or both of the following:
- They don’t encrypt traffic
- They store passwords in plain text
But don’t worry about technical jargon. I will explain exactly what these things mean.
No traffic encryption
Don’t worry. You don’t have to know the details of what traffic encryption is. There is an incredibly easy way to find out if a website uses it though. Just check whether it has a padlock symbol in the address bar.
What this means is that the traffic travelling between your browser and the website is encrypted. Only your browser and the website know what data they exchange. If anyone tried to read the traffic, they would get unintelligible gibberish. And there is virtually no way they can decode it.
This is especially important when you connect to an open Wi-Fi network. If the traffic is unencrypted, then literally anyone connected to the same network can read it if they want to. And it’s not excessively difficult to do either.
As you know, many websites ask you for sensitive personal information. And if you enter such information on an unencrypted website, then someone else can see it too. And then they can laugh all the way to the bank with your credit card number!
But even if you connect to your own password-protected home network, such a website would still be unsafe. Traffic encryption is one of the most fundamental cybersecurity practices. If a website fails to implement it, it probably violates other important cybersecurity guidelines too.
Your data wouldn’t be safe with them. Steer clear!
Plain text passwords
It may surprise you, but when you create an account on a reputable website, like Facebook, you will be the only person who knows your password. This is why, when you click on the “forgot password” button, you don’t receive your old password. Instead, you receive a password reset link.
There is an important security reason behind it. Your password gets encrypted by a one-way algorithm. And it’s the encrypted text, rather than the actual password, that the system stores.
I won’t go into the details of how it works. You can read about it in your own time if you want to. But what’s important to know is that one-way encryption ensures that it’s possible to obtain matching encrypted text from your password, but it’s impossible to obtain your original password from the encrypted text.
So, in the case of a break-in where the hackers obtain the database of the users, they still won’t be able to break into anyone’s account. If the passwords were not encrypted, however, the hackers would be able to not only break into users’ accounts, but also try those passwords on other platforms that the users are registered on. So, when you hear of someone hacking a Facebook account, that’s one way of making it possible. After all, remembering multiple passwords is tedious and many people use the same or similar passwords on multiple platforms.
Fortunately, there is a fairly easy way to tell if a website stores passwords in clear text. When you register on a new website that you know nothing about, just fill in the minimal amount of information. Then, as soon as you complete the registration, click on the “forgot password” link.
If you receive your password back instead of a password reset link, then the website definitely stores it in plain text. In this case, stay away from this website. Don’t have anything else to do with it.
You now have tools that will help you to avoid sharing your data on unsafe websites. However, there are some caveats to remember.
If the website encrypts traffic, it doesn’t imply that it doesn’t violate other cybersecurity principles. It merely means that it has got the basics right.
Likewise, if you do receive a password reset link when you tell the website that you have forgotten your password, it doesn’t guarantee that your password is actually encrypted on the system. The website might just be pretending that it is.
But if the website asks for your personal information while being unencrypted, it’s definitely unsafe. It violates one of the most fundamental cybersecurity principles. The same applies if it sends you your old password back. In either of these cases, don’t continue using such a website.
Another caveat to remember is that, if a website tells you that you can’t register your old password as a new password, it doesn’t necessarily know what your old password is. It may have simply checked whether, once it’s encrypted, the resulting text matches any old encrypted text.
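For readers who want to see the one-way storage and the old-password check described above in working form, here is an added example that is not part of the original article. The `Account` class, the choice of PBKDF2 as the one-way algorithm and the iteration count are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value for this example)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are ever stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-run the one-way function on the candidate and compare the results."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class Account:
    """Hypothetical user record: holds salted digests, never the password."""

    def __init__(self, password: str):
        self.current = hash_password(password)
        self.previous: list[tuple[bytes, bytes]] = []

    def login(self, password: str) -> bool:
        return matches(password, *self.current)

    def change_password(self, new_password: str) -> bool:
        # Reuse check: run the new password through the one-way function with
        # each stored salt. The site never needs to know the old password.
        for salt, digest in [self.current, *self.previous]:
            if matches(new_password, salt, digest):
                return False  # rejected as a reused password
        self.previous.append(self.current)
        self.current = hash_password(new_password)
        return True
```

A site built this way has nothing to send back when you click “forgot password” except a reset link, because the original password is not stored anywhere.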