Photo by Devin Avery on Unsplash

Since last one month, I started logging the websites I visit and use, mostly those which require user to login. To my surprise I have account at over 50+ different websites. The number may be much more, considering I wasn’t able to recall all those websites where I created account just because that was the only way to get in, and later on never used it. This may be the case with many internet users.

What Is The Problem?

Well, the problem is that 90% of these 50+ websites I visit don’t have SSL and some of these send plain text password reset or email the password itself. Showcasing there inner genius in handling user sensitive data. I have taken care not to repeat the mistake of using dump passwords, but that doesn’t help much, as intruders can get in and hit these websites hard. Many of these don’t care much about encryption, mostly because they don’t have expertise in it or may be it cost a lot to hire someone to do it. There should be a way to handle the user sensitive data on websites that don’t spend much effort in doing their bit.

What Is The Solution?

The first solution I see is to delete the account, but the problem here is many of the websites I/we log into don’t have the option of “delete/wipe”. If you stretch a lot, websites may provide you with deactivation of account which again doesn’t help. Ultimately you end up being tied with a particular website which you may never use again and the worse happens when someone hacks them.  If you are wondering why will any one care about websites that most likely doesn’t get much visitors then you are wrong. Such websites are much more vulnerable as they can be easy targets and when you extend such intrusion to many other similar websites you get a very large pool of user data. So, please give me that delete button.

The second solution is to make use of Auth APIs. Google, Facebook are the two most popular and widely used websites. Let them take care of logging in and out of the accounts. If a user removes app authentication for logins, it will also remove/wipe the data automatically. This way you don’t get into the hassle of managing the user account creation and maintenance activities. May be you tap into the social sphere by using such Auth APIs. This isn’t a straightforward solution, but doable.

The third solution would be to imbibe encryption by default, both on the client and server side. I am not sure if this is the case in today’s databases and other back end tools. But if software has a functionality that by default embeds encryption, then at least 99% of the user data is safe. Getting SSL is costly, and not many opt for that, but if open source projects like WordPress can find a way to develop websites with encryption embedded everywhere, I think that should help. I think Let’s Encrypt is a good start.

The fourth solution is the simplest just don’t open account if you aren’t able to establish trust on a particular website. Look for SSL and if you are an experienced internet user you will get a hint whether to create account with the website or not. Also, limit the urge to use every website you get hold of.

Pro Tip: If you want to keep track of all data breaches them do follow Troy Hunt and subscribe to Have I Been Pwned.