Are Passwords The Best Way To Keep Data Safe?
A friend was telling me about a crowdsourcing site that she signed up for recently with her online business. In return for critiquing other websites, the site lets you get your website critiqued by others.
While telling me about the quick registration process, my friend mentioned that they had sent her password to her in an email.
“You mean they sent you an email with a link to their website where you could create your password?” I corrected her.
“No,” she said. “They sent me an email with my password as part of the message.”
Sending plain text passwords in an email is never a good idea, much less a best practice for a business when dealing with its customers. My friend promised that she would change her password on the site as soon as she got back to her office.
And so we got to talking about recent security breaches like Target, Neiman Marcus and Michael’s. The perpetrators of these successful attacks stole millions of customer records – names, addresses, email addresses, credit card info, and more.
You Are Responsible for Your Customers’ Data
While these were attacks on huge corporations, the breaches are a strong reminder to all businesses that you are responsible for all customer data that you ask for.
Businesses sometimes downplay the threat to their small business and neglect important aspects of Internet security because they think their business is ‘under the radar’ of the bad guys.
Yet while large corporations may be the ultimate goal of computer hackers, no business is too small to be of interest to the bad guys. A successful attack on a few small businesses is just as good as a breach of a medium-sized company, and so on up the ladder – not to mention that it’s sure to be a lot easier!
Regardless of the size of the business, there is a golden rule of customer data:
You are responsible for all customer data that you ask for.
The corollary is:
if data is worth asking for, then it is worth protecting.
Best Practices in Keeping Customer Data Safe
Using these guidelines, let’s take a look at good practices for taking care of customer data:
We keep hearing about “big data” and the value of using it to communicate effectively with your prospects and customers. So, not surprisingly, it is tempting to ask people who are signing up for as much information as possible.
Bad idea, for two reasons:
- Every extra bit of information you ask for loses you business! That’s why on my newsletter sign up form I only ask for your first name and e-mail address. (Have you signed up yet? Do it now, while you are thinking of it. Sign up form to the right.) At first I only asked for e-mail address, but there’s so much evidence that using first names in e-mails increases open rates, so I broke down and added that.
- If you ask for it, you have to keep it safe! The more personal info you collect, the greater the risk to your business if it gets hacked. Password safety is a starting point.
So before you start collecting data ask yourself if you really need it. Don’t collect or even ask for information unless you have actual plans to use it. If an email address will do, then don’t ask for a home address and telephone number.
Limit access to the data
Most security breaches happen because somebody with access to the data made a mistake. Make sure that only colleagues and employees who ‘need to know’ can access your customers’ data. The more people who have access, the greater the risk.
Don’t go it alone
Unless you’re in the business of online security, don’t try to handle the security for your customer database on your own. This isn’t the area where you should be trying to save a few pennies by hiring your neighbor’s son or daughter who ‘is a wiz with computers’. Make sure you hire a responsible service that will be able to help you if something goes wrong.
Only have people create password-protected accounts if it’s really necessary!
Ironically, demanding users create passwords can increase your risks! Not only does it make you responsible for keeping their password safe at your end, it assumes they will keep it safe at their end. But unless they use a password manager, odds are they won’t.
One of the problems with passwords is that way too many sites ask for them, and they all seem to have slightly different rules. So we end up needing so many that we can’t keep track of them all in our heads. With so many passwords, it’s easy for people to get lazy about using strong ones.
And when customers don’t think there’s a valid security reason for having a password, they tend to use obvious passwords or to re-use passwords from other sites. Not only does that put their accounts at risk, it also becomes a weak point in your security.
Rules for Creating Safe Passwords
If you really do need passwords to restrict access to your website, then make sure you have your customers follow best practices in creating their passwords. Implement an automated password safety system that:
- Disallows obvious common weak passwords like 123456, qwerty, and dictionary words
- Requires at least 8 characters
- Requires that each password include a mix of letters, numbers and special characters (I admit it: I hate that one! But it does make things more secure.)
- Never sends passwords to your customers in plain text in an email!
- Limits the number of failed attempts to access an account
- Notifies you of unusual activity
- Supports secure, automated password resetting
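The first checks in the list above (rejecting common weak passwords and dictionary words, requiring at least 8 characters and a mix of letters, numbers and special characters) plus the failed-attempt limit and the unusual-activity notification can be shown in a few dozen lines. The following is an added example written for this post, not code from the original article or from any product it mentions. The weak-password list, the tiny dictionary, the lockout threshold of 5 and the account names are constructed for illustration; a real site would load a large breach-derived denylist and a full word list, and would persist the failure counts rather than keep them in memory.

```python
import re
from dataclasses import dataclass, field

# Constructed denylist of common weak passwords (illustrative; a real deployment
# would load a large list derived from published breach corpora).
COMMON_WEAK = {"123456", "password", "qwerty", "letmein", "111111", "abc123"}
# Constructed stand-in for a dictionary word list.
DICTIONARY_WORDS = {"welcome", "dragon", "monkey", "sunshine", "football"}

MIN_LENGTH = 8           # the article's "at least 8 characters"
MAX_FAILED_ATTEMPTS = 5  # lockout threshold, chosen for this example


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Every violation is reported at once so the user can fix them in one go.
    """
    problems: list[str] = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if lowered in COMMON_WEAK:
        problems.append("is a commonly used password")
    # Strip digits and symbols so that "Dragon123!" is still recognised as the
    # dictionary word "dragon" with decoration tacked on.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if not re.search(r"[A-Za-z]", password):
        problems.append("needs at least one letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character")
    return problems


@dataclass
class LoginLimiter:
    """Counts failed sign-in attempts per account and locks after a threshold.

    Failure counts live in memory here; a real site would persist them.
    """
    failures: dict[str, int] = field(default_factory=dict)
    alerts: list[str] = field(default_factory=list)  # "unusual activity" notices

    def record_failure(self, username: str) -> bool:
        """Count one failed attempt; return True if the account is now locked."""
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count == MAX_FAILED_ATTEMPTS:
            self.alerts.append(
                f"account {username!r} locked after {count} failed sign-in attempts"
            )
        return count >= MAX_FAILED_ATTEMPTS

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def record_success(self, username: str) -> None:
        """A successful sign-in on an unlocked account clears its failure count."""
        if not self.is_locked(username):
            self.failures.pop(username, None)


if __name__ == "__main__":
    for candidate in ["123456", "Dragon123!", "Tr0ub4dor&3"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")

    limiter = LoginLimiter()
    for _ in range(MAX_FAILED_ATTEMPTS):
        limiter.record_failure("alice@example.com")  # constructed account name
    print(limiter.alerts)
```

Running the script as-is rejects `123456` on four counts, flags `Dragon123!` as a dictionary word despite its digits and punctuation, accepts `Tr0ub4dor&3`, and records one alert once the constructed account reaches five failed attempts. The lockout is deliberately kept separate from the password check: the first protects the account at sign-up, the second at sign-in, and both feed the notifications the list asks for.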
Let your customers know that you take passwords – and the security of their data – seriously. When you require customers to use passwords on your website, you have to take even better care of protecting the passwords than they do themselves.
Finally, make it easy for your customers to get in touch with you.
Password Safety Contest
Tell us about the password and security best practices you’re using on your website.
The first 10 small businesses that comment below or on the Frank Online Marketing Facebook page will get 10 free licenses for their customers to use StickyPassword to securely store all their passwords.