Passwords are a problem. As noted by Gizmodo, 2015 was a banner year for terrible choices, with “123456” and “password” topping the list. But there’s another problem looming for passwords, even those chosen with care: requests over HTTP.

Despite pressure from search giant Google and the success of projects like Let’s Encrypt, HTTPS adoption remains slow — and password requests over its nonsecure sibling pose big problems for users and site owners alike. As a result, some companies are taking steps: Non-HTTPS password requests are now flagged by Firefox in an effort to beef up security and lower corporate risk.

Warning Signs for HTTP

According to SecurityWeek, Firefox DevEdition 46 will alert developers whether passwords are requested on nonsecure pages, displayed as a lock with a red strikethrough. Mozilla security engineer Tanvi Vyas said the new Firefox effort examines any Web page with an embedded password field against the WC3’s Secure Contexts Specification.

HTTP password fields fail this test since they carry the risk of allowing man-in-the-middle (MitM) attacks using JavaScript for keylogging or changing the destination of the submitted password to an attacker-controlled server.

Even password fields hidden without user interaction are still at risk. The only way to avoid getting flagged is by hosting login pages on HTTPS or migrating an entire website to the secure server. It’s worth noting, however, that only the Developer Edition of Firefox comes with a warning; the public doesn’t get the notification yet.

Risky Business

For businesses, this HTTP risk should act as a wake-up call: Users often duplicate passwords across multiple sites, meaning that a single MitM attack on a nonsecure page could compromise everything from user devices to essential network services. In other words, avoiding HTTPS doesn’t just put company data at risk, but also impacts the privacy of employees and consumers. This privacy is quickly becoming legislated instead of merely assumed, enforced instead of simply encouraged.

Consider a recent Google demonstration at the Usenix Enigma 2016 security conference where the search giant showcased an experimental marking system that flags all HTTP pages as insecure. ZDNet reported that users can get a sneak peek of the feature by typing “chrome://flags/” into the browser’s URL bar and then enabling “Mark nonsecure origins as nonsecure.”

While there’s no official release date for the feature to become a default security setting in Chrome, the Chromium issue tracker indicated the company’s goal is to “mark nonsecure pages like HTTP using the same bad indicator as broken HTTPS.”

Developer warnings from Firefox and experimental efforts from Google lead to the same conclusion: Browser builders are calling out HTTP insecurities to enhance user privacy and encourage HTTPS adoption. Businesses have two choices: Get on board with the transition, or face the backlash as users seek secure alternatives.

More from

How the Silk Road Affair Changed Law Enforcement

The Silk Road was the first modern dark web marketplace, an online place for anonymously buying and selling illegal products and services using Bitcoin. Ross Ulbricht created The Silk Road in 2011 and operated it until 2013 when the FBI shut it down. Its creator was eventually arrested and sentenced to life in prison.But in a plot twist right out of a spy novel, a cyber attacker stole thousands of bitcoins from Silk Road and hid them away. It took law…

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Why Zero Trust Works When Everything Else Doesn’t

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a "default deny" security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource. Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach…

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…