Expect ‘lost password’ headaches in the next few months

It’s time to look up and learn your passwords.

Google and Mozilla are stepping up the pressure to ensure that all websites use https with a correctly issued certificate, so that a site demonstrably comes from the source it claims to come from. Within the next few months, Chrome and Firefox will start warning you when the website you’re visiting is served over plain http or presents a certificate that does not validate.

Without https, anyone on the network path between your website and your reader (a rogue Wi-Fi access point, a compromised router, the ISP) can read and rewrite the traffic, hijack requests to your site and send them elsewhere. The reader, none the wiser, could be persuaded to enter usernames, passwords and other personal information into a fake website. A valid certificate is what lets the browser tell the genuine site from an impostor: it ties the site’s name to a key that only the real site holds, and an impostor cannot obtain a trusted certificate for a name it does not control. This is why Google and Mozilla are taking action.

Here’s a real-world example: you open your laptop at a coffee shop or airport and type in a web address. Instead of that website, you get a login page for the venue’s Internet service. The captive portal that handles sign-up intercepts your request and redirects it to its own login page. If the address you typed was an https site, that redirect almost certainly fails: the portal cannot present a certificate for the site you asked for, only one for its own name (or a self-signed one), so the name on the certificate does not match the address in your browser and the browser refuses to continue. Instead you get a full page telling you that something is very wrong, with a big “Back to safety” button.

This is why smartphones and laptops now detect captive portals themselves: the operating system probes a known plain-http address and, if the request is redirected, tells you that the network requires sign-in and shows a notification you click to reach the login page. Before that, there was no other way to get from an https site to the portal’s login page, and coffee shop managers were having to become IT technicians to make it work.

If you run a website, it’s imperative that you move to https with a correct certificate. This is not too hard to set up, and there are plenty of guides you can follow, depending on your site’s infrastructure. But conversions can lead to headache-inducing issues. For instance, if any image, script, stylesheet or other resource on a page is still loaded from an http:// address (“mixed content”), your reassuring green padlock goes away; browsers block insecure scripts and stylesheets outright and only show a downgraded padlock for insecure images. This means every service you use (say, Google Fonts, a CDN, which needs its own valid certificate for the hostname it serves your files from, or even internal resources) must be loaded over https for the green padlock to appear.
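To find those stray http:// resources before the padlock tells you, you can scan a page’s HTML for sub-resource references that resolve to plain http. The following Python script is an added example (not part of the original post or of Thinker’s hosting service) that does this with the standard library alone; the page it scans is a constructed sample and the hostnames in it are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource, and how a
# browser treats an http:// one on an https:// page: "active" content is
# blocked outright, "passive" content loads but downgrades the padlock.
RESOURCE_ATTRS = {
    ("script", "src"): "active",
    ("link", "href"): "active",      # only when rel="stylesheet", see below
    ("iframe", "src"): "active",
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every sub-resource that
    would be fetched over plain http from the page at page_url."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only loads something when it is a stylesheet; canonical,
        # alternate and friends are metadata, not resource loads.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for (res_tag, attr), severity in RESOURCE_ATTRS.items():
            if res_tag == tag and attrs.get(attr):
                # Resolve relative and protocol-relative URLs against the page,
                # so "/logo.png" and "//cdn.example.net/app.js" count as https.
                url = urljoin(self.page_url, attrs[attr])
                if urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))


def find_mixed_content(page_url: str, html: str) -> list[tuple[str, str, str]]:
    """Mixed content only exists on https pages; an http page cannot have it."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.net/app.js"></script>
<script src="http://cdn.example.net/legacy.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://static.example.com/banner.jpg">
<a href="http://partner.example.org/">partner</a>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://www.example.com/", SAMPLE_PAGE):
        print(f"{severity:8} <{tag}> {url}")
```

Only the stylesheet, the legacy script and the banner image are reported: the protocol-relative script and the site-relative logo resolve to https, the canonical link is metadata and the partner link is navigation, not a resource load. The fix for each finding is to load the resource from an https:// address. A `Content-Security-Policy: upgrade-insecure-requests` response header makes browsers rewrite any remaining http:// sub-resource requests to https:// before sending them, which is a useful safety net while you hunt them down; the scanner does not see resources referenced from CSS `url()` or loaded by JavaScript, so also watch the browser’s console on the converted site.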

Browser password managers key saved credentials on the site’s origin, which includes the http:// or https:// part of the address. Once you move a website to https, a credential saved for the http:// address may not be offered for the https:// one (this varies by browser and version), and many of your users will have to re-enter their usernames and passwords to get in. Expect a spike in the number of “lost password” requests coming to your site.

Certificates need to be kept up to date, and the web server has to reload its configuration when a new certificate is installed. Certificates are typically issued for anywhere between three months and a few years; however, a recent dispute between Google and Symantec meant that all certificates issued by one major certificate provider had to be regenerated and reinstalled regardless of when they expired, because Chrome stopped trusting the Symantec root certificates they chained to.
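The two failures described above, the coffee-shop portal presenting a certificate for the wrong name and a certificate that has expired or is about to, are exactly what a browser, or a renewal monitor, checks on every connection. The following Python script is an added example, not part of the original post or of Thinker’s certificate-update service, that performs both checks on a certificate in the dictionary form Python’s `ssl` module returns from `getpeercert()`. The two certificates in it are constructed samples rather than real certificates, and the hostnames are made up.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed samples in the dictionary shape ssl.SSLSocket.getpeercert()
# returns; they are not real certificates and the hostnames are made up.
SITE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Mar 17 12:00:00 2024 GMT",
    "notAfter": "Jun 15 12:00:00 2024 GMT",
}
# What the coffee-shop portal presents: a perfectly valid certificate,
# just not for the site the reader asked for.
PORTAL_CERT = {
    "subject": ((("commonName", "login.cafe-wifi.example"),),),
    "subjectAltName": (("DNS", "login.cafe-wifi.example"),
                       ("DNS", "*.cafe-wifi.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against the requested host.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so *.cafe-wifi.example covers portal.cafe-wifi.example
    but neither cafe-wifi.example nor a.b.cafe-wifi.example.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the hostname.

    Browsers ignore the subject commonName nowadays, so this does too.
    """
    return any(kind == "DNS" and _dns_id_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ()))


def days_until_expiry(cert: dict, now: datetime) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now.timestamp()) / 86400


def check_certificate(cert: dict, hostname: str,
                      now: Optional[datetime] = None,
                      warn_days: int = 30) -> list[str]:
    """Return the problems a browser (name) or a renewal monitor (expiry)
    would complain about; an empty list means the certificate is fine."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"name mismatch: certificate is not valid for {hostname}")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        problems.append("expired")
    elif remaining < warn_days:
        problems.append(f"expires in {int(remaining)} days; renew now")
    return problems


def utc_date(day: str) -> datetime:
    """'2024-06-01' -> midnight UTC on that day, for reproducible checks."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def fetch_certificate(hostname: str, port: int = 443) -> dict:
    """Live variant for a renewal monitor. The default context already
    verifies the chain and the hostname and raises
    ssl.SSLCertVerificationError in the captive-portal case, so this only
    ever returns a certificate that is valid for the name today."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    today = utc_date("2024-06-01")
    for name, cert in (("site", SITE_CERT), ("portal", PORTAL_CERT)):
        print(name, check_certificate(cert, "www.example.com", today) or "ok")
```

Run against the samples on 2024-06-01, the site’s own certificate is reported as expiring in 14 days (the renewal reminder) and the portal’s certificate as a name mismatch (the “Back to safety” page). For a real monitor, feed `fetch_certificate(hostname)` into `check_certificate` from a cron job and alert well before the 30-day threshold; once the browser itself sees the mismatch or expiry, so have your readers.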

Thinker offers an all-in-one certificate-update service, included with all of our web-hosting packages. If your site is not yet secure, it will be soon. However, if you need to log in to the back end of your site to update information, be aware that you may need to hunt through your list of saved passwords to find it, especially if, like us, you keep the machine-generated secure passwords originally sent to you. Alternatively, click the “Lost Password” button and start the procedure to generate a new one.

Google and other search engines prefer secure sites, so you should find your site’s profile improves once it is converted.