Password Safety: Are You Securing Your Customers’ Info?

Keep your customer passwords safe! (Photo courtesy of Rob Pongsajapan, Flickr)

Are Passwords The Best Way To Keep Data Safe?

A friend was telling me about a crowdsourcing site that she signed up for recently with her online business. In return for critiquing other websites, the site lets you get your website critiqued by others.

While telling me about the quick registration process, my friend mentioned that they had sent her password to her in an email.

“You mean they sent you an email with a link to their website where you could create your password?” I corrected her.

“No,” she said. “They sent me an email with my password as part of the message.”

Sending plain text passwords in an email is never a good idea, much less a best practice for a business when dealing with its customers. My friend promised that she would change her password on the site as soon as she got back to her office.

And so we got to talking about recent security breaches like Target, Neiman Marcus and Michaels. The perpetrators of these successful attacks stole millions of customer records – names, addresses, email addresses, credit card info, and more.

You Are Responsible for Your Customers’ Data

While these were attacks on huge corporations, the breaches are a strong reminder to all businesses that you are responsible for all customer data that you ask for.

Businesses sometimes downplay the threat to their small business and neglect important aspects of Internet security because they think their business is ‘under the radar’ of the bad guys.

Yet while large corporations may be the ultimate goal of computer hackers, no business is too small to be of interest to the bad guys. A successful attack on a few small businesses is just as good as a breach of a medium-sized company, and so on up the ladder – not to mention that it’s sure to be a lot easier!

Regardless of the size of the business, there is a golden rule of customer data:

You are responsible for all customer data that you ask for.

The corollary is:

If data is worth asking for, then it is worth protecting.

Best Practices in Keeping Customer Data Safe

Using these guidelines, let’s take a look at good practices for taking care of customer data:

Have a privacy policy (and follow it!)

We keep hearing about “big data” and the value of using it to communicate effectively with your prospects and customers. So, not surprisingly, it is tempting to ask people signing up for as much information as possible.

Bad idea, for two reasons:

  1. Every extra bit of information you ask for loses you business! That’s why on my newsletter sign-up form I only ask for your first name and e-mail address. (Have you signed up yet? Do it now, while you are thinking of it. Sign-up form to the right.) At first I only asked for e-mail address, but there’s so much evidence that using first names in e-mails increases open rates, so I broke down and added that.
  2. If you ask for it, you have to keep it safe! The more personal info you collect, the greater the risk to your business if it gets hacked. Password safety is a starting point.

So before you start collecting data ask yourself if you really need it. Don’t collect or even ask for information unless you have actual plans to use it. If an email address will do, then don’t ask for a home address and telephone number.

Legally, in most countries you must have a privacy policy on your website. But beyond that, creating a privacy policy will help you decide what customer data you really need.

Limit access to the data

Most security breaches happen because somebody with access to the data made a mistake. Make sure that only colleagues and employees who ‘need to know’ can access your customers’ data. The more people who have access, the greater the risk.

Don’t go it alone

Unless you’re in the business of online security, don’t try to handle the security for your customer database on your own. This isn’t the area where you should be trying to save a few pennies by hiring your neighbor’s son or daughter who ‘is a wiz with computers’. Make sure you hire a responsible service that will be able to help you if something goes wrong.

Only have people create password-protected accounts if it’s really necessary!

Ironically, demanding users create passwords can increase your risks! Not only does it make you responsible for keeping their password safe at your end, it assumes they will keep it safe at their end. But unless they use a password manager, odds are they won’t.

One of the problems with passwords is that way too many sites ask for them, and they all seem to have slightly different rules. So we end up needing so many that we can’t keep track of them all in our heads. With so many passwords, it’s easy for people to get lazy about using strong ones.

And when customers don’t think there’s a valid security reason for having a password, they tend to use obvious passwords or to re-use passwords from other sites. Not only does that put their accounts at risk, it also becomes a weak point in your security.

Rules for Creating Safe Passwords

If you really do need passwords to restrict access to your website, then make sure you have your customers follow best practices in creating their passwords. Implement an automated password safety system that:

  • Disallows obvious common weak passwords like 123456, qwerty, and dictionary words
  • Requires at least 8 characters
  • Requires that each password include a mix of letters, numbers and special characters (I admit it: I hate that one! But it does make things more secure.)
  • Never sends passwords to your customers in plain text in an email!
  • Limits the number of failed attempts to access an account
  • Notifies you of unusual activity
  • Supports secure, automated password resetting
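
As an added example (not code from the original post), here is a small Python implementation of the rules above: a checker that reports which rules a candidate password breaks, a per-account failed-attempt counter that locks the account after a threshold, and a reset-token helper that stores only the token's hash, so the reset link you email never carries a password. The blocklist and dictionary sets are constructed samples, not real corpora.

```python
import re
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample lists; a real site would load a full breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}
DICTIONARY_WORDS = {"sunshine", "football", "dragon", "monkey", "welcome"}

def check_password(password):
    """Return the policy rules the candidate violates; an empty list means OK."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    # Strip digits and punctuation so "Dragon123!" is still caught as a word
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY_WORDS:
        problems.append("is a dictionary word with trivial padding")
    if not re.search(r"[A-Za-z]", password):
        problems.append("needs at least one letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character")
    return problems

class LoginLimiter:
    """Count failed logins per account and lock it after max_failed in a row."""
    def __init__(self, max_failed=5):
        self.max_failed = max_failed
        self.failed = defaultdict(int)
    def record_failure(self, account):
        """Record one failed attempt; return True if the account is now locked."""
        self.failed[account] += 1
        return self.is_locked(account)
    def is_locked(self, account):
        return self.failed[account] >= self.max_failed
    def record_success(self, account):
        self.failed[account] = 0
def new_reset_token():
    """Return (token to email in a reset link, hash to store server-side)."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()
def verify_reset_token(token, stored_hash):
    """Constant-time check of a presented token against the stored hash."""
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), stored_hash)
```

A locked account should also trigger the "unusual activity" notification from the list above and be unlocked through the reset flow rather than silently.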

Let your customers know that you take passwords – and the security of their data – seriously. When you require customers to use passwords on your website, you have to take even better care of protecting the passwords than they do themselves.

Finally, make it easy for your customers to get in touch with you.

Password Safety Contest

Tell us about the password and security best practices you’re using on your website.

The first 10 small businesses that comment below or on the Frank Online Marketing Facebook page will get 10 free licenses for their customers to use StickyPassword to securely store all their passwords.


4 comments on “Password Safety: Are You Securing Your Customers’ Info?”

  1. I do not have my customers create passwords and if I need personal information from them, I ask them over the phone. The only thing I have a password on is my “client corner,” which I create the password for. It is the same password for everyone as it just contains some extra resources that I have available for paying clients. I do change it occasionally as I get new clients and lose old clients.

    • Thanks for commenting, Jessica.

      In many businesses (and possibly yours as it grows) it will become a hassle for you and a barrier for potential customers if they have to call to provide personal info. For small businesses, when taking payments, often PayPal is the easiest way to deal with this issue. It used to be that PayPal was a sign of an amateur site, but no longer.

      • Thank you for that idea. I do use PayPal for payments, but when it comes to mailing addresses and such I use the phone. I do see your point, though; as my business grows I will need to implement different strategies, and I will definitely keep this article in mind.
