Matthew Rasmussen's journal of journals on various topics of interest, published here, there or somewhere since 1999.
It's thoroughly embarrassing what even Fortune 500 companies will accept from their website designers. There's a lot of snake oil out there, like Twitter and almost anything to do with Facebook, not to mention the Russian roulette of gaming search engines, but we're just going to look at your website. If you're a not-too-tech-savvy manager trying to figure out if your vendor is ripping you off, read on.
- On any page, go to View Source, and search for the word "<table>". Did it come up? If so, is there any actual spreadsheet-type data on the page? No? Then you've been ripped off by a firm that can't use modern code to build a site. They'll want twice what they should be charging for any minor layout tweak, because they'll have to practically rewrite the page from scratch every time it needs changing.
- When you enter a phone number in any reasonably logical manner into the phone number field, does the site fail to understand it? Does it give you an error, and tell you how it wants the number entered instead? If so, you've been ripped off by a vendor who thinks your customers' patience is less valuable than half an hour of its billable time. Teaching a computer that 555-555-5555x102 is (555)555-5555 ext.102 and 5555555555ex102 is not taxing. An incredibly badass phone number validator might run to 50 lines of code. Might. Five minutes on Google will turn up dozens of good ones, ready-made and free to use. See also: Social security numbers, dates and zip codes.
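As an added example (not code from the original post), here is the kind of normalizer the paragraph describes: it accepts any reasonable way of typing a US ten-digit number with an optional extension and returns one canonical form, refusing only when the digits genuinely don't add up. The function name `normalize_phone` and the canonical format are my assumptions.

```python
import re
from typing import Optional

# Extension marker at the end of the entry: "x102", "ex102", "ext 102",
# "ext. 102", "extension 102". The digits are captured; the marker is dropped.
_EXT_RE = re.compile(r"\s*(?:x|ex|ext\.?|extension)\s*(\d{1,6})\s*$", re.IGNORECASE)


def normalize_phone(raw: str) -> Optional[str]:
    """Turn any reasonable US phone-number entry into '(NPA)NXX-XXXX ext.N'.

    Returns None only when the digits cannot be read as a 10-digit US number
    (with or without a leading country code 1), so the caller can show a
    useful error instead of demanding one exact keystroke pattern.
    """
    text = raw.strip()
    extension = None
    match = _EXT_RE.search(text)
    if match:
        extension = match.group(1)
        text = text[: match.start()]
    # Everything that is not a digit (spaces, dots, dashes, parentheses, '+')
    # is punctuation the user chose; the number is just the digits.
    digits = re.sub(r"\D", "", text)
    # Accept and drop a leading US/Canada country code.
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    formatted = f"({digits[:3]}){digits[3:6]}-{digits[6:]}"
    if extension:
        formatted += f" ext.{extension}"
    return formatted


if __name__ == "__main__":
    # Constructed sample entries, all meaning the same number.
    for entry in ("555-555-5555x102", "5555555555ex102", "(555) 555-5555 ext. 102",
                  "+1 555.555.5555", "555-5555"):
        print(f"{entry!r:32} -> {normalize_phone(entry)}")
```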
- Does clicking the link to log in redirect the user to a different website? It's easy to create a fake site at a plausible-looking address. There are thousands of them on the web at any given time, designed to trick the user into typing in their account information. Redirecting from TinyCreditUnion.com to login.2MyAccount.co.cz/TinyCreditUnion?=mainsite?=login.redirecttome.com goes against every shred of good internet consumer advice in existence. If you train your customers to make bad decisions with their account information, some of them will.
- Does a password have to contain numbers, symbols, etc.? Bear the following in mind: There are lists available on the web, compiled by legitimate security researchers, of what the most common passwords are. Beyond screening for those, the difference between the password "buylamps" and the password "4f9s^fg)3" is statistically meaningless. Brute-force attacking an eight character password containing nothing but lower-case letters would require an average of over 104 BILLION attempts. If the site designer is smart enough to take the tiny precaution of ignoring more than one login attempt per second (which your customers will never be bothered by, on the receiving end) it would take 3,309 years of constant guessing just to get an even chance of breaking into an account.
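As an added example (not the post's own code), the arithmetic behind the figures above together with the one-attempt-per-second throttle they depend on. The time estimate assumes the attacker is limited to online guessing at the throttled rate, which is the scenario the post describes; the class and function names are my assumptions.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, which the post's 3,309 figure implies


def average_guesses(alphabet_size: int, length: int) -> int:
    """Expected guesses to hit one password chosen uniformly from the space:
    half the space, since an exhaustive search finds it halfway on average.
    26 letters, 8 characters -> 104,413,532,288 (the post's "over 104 BILLION")."""
    return alphabet_size ** length // 2


def years_to_even_odds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years of uninterrupted guessing, at a fixed online rate, before the
    attacker has a 50% chance of having found the password."""
    return average_guesses(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


class LoginThrottle:
    """Per-account throttle: ignore any attempt arriving less than
    `min_interval` seconds after the last *counted* attempt for that account.
    Dropped attempts do not reset the timer, so a flood of guesses cannot
    lock the real user out; it just gets trimmed to one guess per interval."""

    def __init__(self, min_interval: float = 1.0):
        self.min_interval = min_interval
        self._last_counted = {}  # account -> timestamp of last counted attempt

    def allow(self, account: str, now: float) -> bool:
        last = self._last_counted.get(account)
        if last is not None and now - last < self.min_interval:
            return False  # too soon: drop it, don't even check the password
        self._last_counted[account] = now
        return True


if __name__ == "__main__":
    print(f"average guesses, 8 lower-case letters: {average_guesses(26, 8):,}")
    print(f"years to even odds at 1 guess/second: {years_to_even_odds(26, 8, 1.0):,.0f}")
    throttle = LoginThrottle()
    # Constructed timeline: a burst of five attempts inside one second.
    for t in (100.0, 100.2, 100.4, 100.9, 101.0):
        print(f"t={t:6.1f} allowed={throttle.allow('alice', t)}")
```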
- Is there a meter that tells you how "strong" your password is? It's bullshit. It's calling 3000 years "weak," 30,000 years "fair" and ten lifetimes of the universe "strong," and chances are it's not even checking against a list of common passwords. If the small steps above have been taken, it's as meaningless to you as mathematician talk about the different sizes of infinity.
- If you enter the wrong password a few times, does the account lock you out? More fake security. The obvious trouble is, it's only ever going to be invoked by already pissed off customers who can't remember the machine-exact keystrokes with which to enter this particular password on this particular website. I know you want to think of yourself as the center of your customers' financial lives, but you're not. So unless you want to pay someone at a call center to deal with every minor issue the website was designed to handle, fire the bums who try to sell you customer lockout.
- Does the password need to be changed at regular intervals? This is not even fake security, nor merely irritating: it's actually negative security. Your customer can't memorize a new password every month (nor can you) never mind half a dozen. That means the password has to be written down somewhere. Which means it's not a password anymore, it's a bearer bond. Suddenly, leaving an address book in the restaurant, losing a $10 thumb drive, having a purse snatched, or just plain leaving a sticky note in the wrong place can compromise half of a customer's financial life.
- Does the site use security questions? If you can make a security question specific enough to be unambiguous (mother's maiden name) it will be a matter of public record. If it's any vaguer than that (your first crush), it will lead to so many possible answers that no customer will be able to consistently enter the same, correct, exact, machine-confirmable string of characters in answer to the question each time without -- again -- writing it down. Most users settle on a consistent string of profanity, which is guessable and still usually needs to be written down. Guess a few strings of profanity yourself if a vendor ever tries to sell you this.