Some functional aspects of your web platform reveal a great deal about its security level.
Website security is not limited to these functional aspects, but the level of “functional security” usually matches the level of “technical security”.
The robustness built into the user journey (account creation, login, password changes and resets) is a telling example.
Rather negative signs
Passwords sent by email
Some websites send the password by email when a user creates an account.
Although convenient, this is not recommended: the password then sits in the user’s mailbox, and if the mailbox is compromised, so is the password.
Even worse: some websites send the password to users repeatedly, for instance in every newsletter. Having the password ready to copy and paste may help users who have forgotten it, but this practice is a disaster for two reasons:
– The password sits in several emails, which multiplies the opportunities for credential theft.
– If the site can send the password in clear text, it is not protected properly in the site’s database: it is stored in clear text or in a reversible form. If the website is hacked, every password can be stolen (as in the recent Ashley Madison attack). A properly stored password is a salted hash produced by a deliberately slow function, from which the clear text cannot be recovered, not even by the site itself.
Passwords visible in clear text
To be properly secured, passwords must not be visible on the screen when users type them. This prevents prying eyes from stealing them!
Although this is becoming uncommon, some websites still show the password in clear text, for instance in an account settings section or after login.
Still on password management, the choice of a password must follow some minimal hygiene rules.
Without these rules, many users will pick the simplest password, such as “password”, “letmein” or “123454321”. These examples appear in every list of the most common passwords.
Rules should be enforced, and advice shown to users when they choose their password.
The worst accepted password we have ever seen on a website during a security audit is the empty password (no password at all!).
Other items on password management
Many other bad practices in password management lower a website’s security level and increase the probability of identity theft.
Conversely, some good practices raise it. In particular:
– Enforcing strong passwords: at least 8 characters, mixing lowercase, uppercase and digits (length matters more than character classes, so allow long passphrases as well)
– Refusing weak and “classic” passwords found in the top 100 most used passwords
– Refusing passwords the user has already used (when changing password)
– Showing advice to users when they choose or change their password, with a strength indicator
– Limiting login attempts (slowing down, or temporarily locking the account, after repeated authentication failures)
– Sending time-limited, single-use reset links instead of sending passwords by email
– Automatically logging users out after a period of inactivity, so that they do not stay authenticated forever
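The following is an added example, written for this article and not code from any site audited here, that puts the practices above, together with the password-storage point from the section on passwords sent by email, into working Python: salted scrypt hashing (nothing reversible is stored), a policy check with a denylist and password history, a lockout after repeated failures, and a random single-use reset token that an email can carry instead of the password. The `AccountStore` class, the user names, the denylist contents and the parameter values are all constructed for illustration:

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed denylist standing in for a real "top 100 most used passwords" file.
COMMON_PASSWORDS = {"password", "letmein", "123454321", "123456", "qwerty", "admin"}

MIN_LENGTH = 8
MAX_FAILURES = 5            # failed logins before a temporary lockout
LOCKOUT_SECONDS = 60
RESET_TOKEN_TTL = 15 * 60   # a reset link is valid for 15 minutes and usable once


def hash_password(password, salt=None):
    """Salted, deliberately slow (scrypt) hash. The clear text cannot be recovered from it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


def check_policy(password, history):
    """Reasons the password is refused; an empty list means it is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:          # also rejects the empty password
        reasons.append("too short")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password))
    if not all(classes):
        reasons.append("needs lowercase, uppercase and digits")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("too common")
    if any(verify_password(password, old) for old in history):
        reasons.append("previously used")
    return reasons


class AccountStore:
    """In-memory user store; `clock` is injectable so lockouts and expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}          # username -> {"hash", "history", "failures", "locked_until"}
        self.reset_tokens = {}   # token -> (username, expiry)

    def register(self, username, password):
        reasons = check_policy(password, [])
        if not reasons:
            self.users[username] = {"hash": hash_password(password), "history": [],
                                    "failures": 0, "locked_until": 0.0}
        return reasons

    def login(self, username, password):
        user = self.users.get(username)
        if user is None:
            return "invalid"          # same answer as a wrong password: don't reveal which
        if self.clock() < user["locked_until"]:
            return "locked"
        if verify_password(password, user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["failures"] = 0
            user["locked_until"] = self.clock() + LOCKOUT_SECONDS
        return "invalid"

    def change_password(self, username, new_password):
        user = self.users[username]
        reasons = check_policy(new_password, user["history"] + [user["hash"]])
        if not reasons:
            user["history"].append(user["hash"])
            user["hash"] = hash_password(new_password)
        return reasons

    def create_reset_token(self, username):
        """What a reset email should carry instead of the password: a random, expiring, single-use token."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, self.clock() + RESET_TOKEN_TTL)
        return token

    def reset_with_token(self, token, new_password):
        entry = self.reset_tokens.pop(token, None)   # removed on first use, valid or not
        if entry is None or self.clock() > entry[1]:
            return ["invalid or expired token"]
        return self.change_password(entry[0], new_password)
```

Two details worth noting: `login` answers "invalid" for an unknown user exactly as it does for a wrong password, so the form does not confirm which accounts exist, and the reset token is deleted the moment it is presented, so a link that leaks from a mailbox later is worthless. Argon2id would be the preferred hash if a third-party library is acceptable; scrypt is used here because it ships with the standard library.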
Unencrypted data exchange (HTTP vs HTTPS)
If your website has at least one authenticated section (where users are logged in and identified), then an HTTPS connection is required, and it should cover the whole site, not only the login form: otherwise the session cookie that follows the login can be captured on any unencrypted page.
Please remember that HTTPS is not only for websites performing banking transactions.
Here are some good reasons to implement HTTPS:
– Your brand/website reputation: users are increasingly sensitive to website security, and trust a site more when the little padlock appears in their browser, next to the URL.
– Your website identity: with top-of-the-range TLS certificates (EV certificates, Extended Validation), the certificate authority verifies your company’s identity, which reinforces the trust users place in your website. Note that current browsers no longer display EV certificates differently from standard ones; the technical protection comes from TLS itself, not from the certificate tier.
– On untrusted networks (public Wi-Fi in a café or in the street), users connect through a link that may well be monitored. Their passwords, often reused across several websites, deserve the best protection.
It is also worth noting that HTTPS recently became a ranking signal for Google (see our article on this subject).
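Added example, not from the original article: a small WSGI middleware that redirects plain HTTP requests to HTTPS, adds an HSTS header so browsers stop trying HTTP at all, and marks every cookie Secure and HttpOnly so the session cookie never travels in clear text. The `demo_app` application, the host name and the cookie are constructed for illustration; `run` is a tiny harness that stands in for a real WSGI server.

```python
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"   # one year; add "preload" once submitted


def _with_flags(cookie, *flags):
    """Append each cookie attribute in `flags` unless it is already present."""
    present = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")}
    for flag in flags:
        if flag.lower() not in present:
            cookie += "; " + flag
    return cookie


def https_only(app):
    """WSGI middleware: send plain-HTTP requests to HTTPS, add HSTS, mark cookies Secure/HttpOnly."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = "https://" + host + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = _with_flags(value, "Secure", "HttpOnly")
                out.append((name, value))
            if not any(n.lower() == "strict-transport-security" for n, _ in out):
                out.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, out, exc_info)

        return app(environ, hardened_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed application that sets a session cookie without any protective flags."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello"]


def run(app, scheme, host="example.com", path="/account", query=""):
    """Call a WSGI app with a constructed environ; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Behind a reverse proxy, `wsgi.url_scheme` is usually derived from an `X-Forwarded-Proto` header; only trust that header from a proxy you control, otherwise a client can forge it and skip the redirect. The 301 is only meaningful for GET navigation, since a redirected POST loses its body, which is one more reason to serve the whole site over HTTPS rather than redirecting after the fact.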
Error message display
A website that displays raw error messages also reveals a lack of rigor in how exceptions, the unexpected cases the application’s creators did not plan for, are handled. Attackers love these messages.
For developers, detailed error messages are genuinely helpful, since they show where technical problems come from. Unfortunately, attackers look for the same information: stack traces, file paths, database queries and software versions tell them what the application is built on and where it breaks.
Being useless to ordinary users, these messages must not be displayed in production; log the details server-side and show the user a generic message with a reference identifier instead.
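As an added example (not from the original article), here is the split a practitioner wants: in debug mode the handler shows the full traceback, in production the user sees only a reference id while the traceback is written to the server log under that same id, so support can still find it. The failing `load_settings_handler` and its message are constructed to show the kind of detail (a file path, an internal host name) that a raw error page would leak.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")


def handle(handler, debug=False):
    """Run a request handler and turn any unhandled exception into a controlled response.

    Returns {"status", "body", "error_id"}. In debug mode the body carries the full
    traceback; in production the user only gets an opaque reference id while the
    traceback goes to the server log, where it can be looked up by that id.
    """
    try:
        return {"status": 200, "body": handler(), "error_id": None}
    except Exception as exc:   # fail closed: never let the raw exception reach the client
        error_id = uuid.uuid4().hex[:12]
        detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("error %s:\n%s", error_id, detail)
        if debug:
            body = f"Internal error {error_id}\n{detail}"
        else:
            body = f"Something went wrong. Please contact support and quote reference {error_id}."
        return {"status": 500, "body": body, "error_id": error_id}


def load_settings_handler():
    """Constructed handler that fails the way real code does: the message leaks a path and a host."""
    raise FileNotFoundError("no such file: /srv/app/config.py (db host db-prod-01.internal)")
```

The `debug` switch must come from deployment configuration, never from a request parameter or header, or an attacker simply asks for the verbose version.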
Of course, your users complain about many things. But when they start reporting actions on their accounts that they did not perform themselves, it is time to investigate!
Attacks can be more or less visible, and your users have a front-row seat.
By displaying these weaknesses, your website also signals to attackers that security is not your priority, and that more serious technical flaws can probably be found, leading to data theft or website defacement.
Our experience in penetration testing has taught us that there is a relationship between these functional flaws and the more “global” security of a web platform.
Be careful not to send out signals that would encourage bad guys to attack your website!