What to check with your technical team

More major companies have recently fallen foul of security breaches. Some have seen the direst of consequences, with the Ashley Madison hack even leading to suicides. Every sector must look at how it protects the data of its customers – and this certainly applies to the events industry.

An increasing number of conferences have websites where the delegates sign in, pay to attend, and book sessions – but is their information securely protected?

Some of the onus is on the people registering for these websites to choose secure passwords, and this is one place where size DOES matter.

The longer your password, the more secure it is. That then presents a real issue with websites where you are limited in terms of the number and type of characters that can be used for a password.

It’s not uncommon to find websites that prohibit you from having a password longer than 16 characters, or where you can’t use symbols as well as numbers and letters. This situation is simply ridiculous, because if the developers of the website are storing the password correctly then it makes absolutely no difference how long the user’s password is: a properly hashed password is stored as a fixed-length value whatever the length of the input. A limit like this simply highlights that when it comes to online security, those responsible are often less than equipped to do the job.

The question I find myself asking is: If the developers behind these systems aren’t storing the passwords correctly, then how do I know my passwords are adequately protected?

But it is a vicious circle, because the majority of us are terrible at choosing secure passwords. Worse still, a lot of people use the same password for a lot of sites, which means that if one website gets hacked and your password is exposed, the hackers may well be able to log in to other websites where you have registered. In fact, this is the source of a lot of eBay and PayPal fraud.

The events industry cannot do very much to make people choose secure passwords or to vary their passwords between sites, but we should be able to make sure that passwords are stored securely.

Ask your technical team if passwords are stored as ‘salted hashes’. If the answer is anything other than ‘yes, of course’, then get it changed. Passwords should never ever be stored in plain text or encrypted. Don’t store ANY credit card details on your servers – this should be left to payment processing companies who spend an enormous amount of money ensuring they can protect your data (and they, too, still get it wrong!).

As for the rest of us, we need to take password choice more seriously. Use mnemonic abbreviations and if you have trouble creating or remembering passwords then use a password manager like LastPass.