I’m working on deploying a small community site. User registration requires nothing more than a username, email address, and password. I’m not even asking for a name, and certainly not storing any sensitive data.
Should I still invest in an SSL certificate? Would it be considered terrible practice to transmit a user’s password without one?
This is just a personal project, so I’d like to avoid the extra cost if I could, but I can’t help but feel I’d be irresponsible if I didn’t secure everything properly.
I’d recommend getting an SSL certificate and requiring HTTPS any time users submit a password to your website. Though your users won’t be transmitting any sensitive information, there’s still one big reason for this: many people use the same username and password for every site they visit, and if someone’s using a laptop in a coffee shop on open wireless, you should do everything in your power to keep them and their identity safe.
If cost is an issue, a good compromise is CACert. Their certificates aren’t trusted by default in most browsers (yet), but anyone with a verifiable identity can get a certificate from them for free.
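The "require HTTPS whenever a password is submitted" rule from the answer above, as an added example that is not code from the original post or any project it mentions. It is a hypothetical, framework-neutral helper: `enforce_https()` takes the request method, URL and headers and returns either a redirect, a refusal, or a pass-through plus response headers. It goes slightly beyond the answer in two ways a practitioner would want: a password that has already been POSTed over plain HTTP is refused rather than redirected (redirecting cannot un-leak it, and a 301 would silently drop the form body anyway), and the `X-Forwarded-Proto` header is honoured only when the app is told it sits behind a trusted TLS-terminating proxy, because otherwise any client can forge it. The path list and sample requests are constructed for the example.

```python
"""Enforce HTTPS on password-carrying endpoints (hypothetical helper, added example)."""
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumed for this example: the routes that carry a password in the request body.
PASSWORD_PATHS = frozenset({"/login", "/register", "/password/reset"})

# Tell browsers to use HTTPS for this host for a year; only ever sent over HTTPS.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000")

# Status 0 means "no interception, let the request through".
PASS = 0


def effective_scheme(url_scheme: str, headers: Dict[str, str], trust_proxy: bool) -> str:
    """Return the scheme the client actually used.

    Behind a reverse proxy that terminates TLS, the app sees plain http and must
    rely on X-Forwarded-Proto. That header is only trustworthy when the proxy
    strips client-supplied copies, so it is honoured only when trust_proxy=True.
    """
    if trust_proxy:
        lowered = {k.lower(): v for k, v in headers.items()}
        forwarded = lowered.get("x-forwarded-proto", "")
        if forwarded:
            # A chain of proxies produces "https, http"; the first entry is the client side.
            return forwarded.split(",")[0].strip().lower()
    return url_scheme.lower()


def enforce_https(method: str, url: str, headers: Dict[str, str],
                  trust_proxy: bool = False) -> Tuple[int, Dict[str, str]]:
    """Decide what to do with a request before the application handles it.

    Returns (status, response_headers):
      (0, {...})          pass through (HSTS header added on HTTPS responses)
      (301, {"Location"}) GET over http for a password page: redirect to https
      (403, {})           POST over http to a password page: refuse outright
    """
    parts = urlsplit(url)
    scheme = effective_scheme(parts.scheme, headers, trust_proxy)

    if scheme == "https":
        # Already secure; pin the browser to HTTPS for future visits.
        return PASS, {HSTS_HEADER[0]: HSTS_HEADER[1]}

    if parts.path in PASSWORD_PATHS:
        if method.upper() == "POST":
            # The password has already crossed the wire in clear text. A redirect
            # cannot undo that and would discard the body, so refuse and do not
            # let the handler treat the credentials as a successful login.
            return 403, {}
        # A GET for the form itself: send the browser to the HTTPS copy so the
        # form's action URL and the eventual POST are both protected.
        https_url = urlunsplit(("https",) + tuple(parts[1:]))
        return 301, {"Location": https_url}

    # Non-password pages are left alone here; redirecting the whole site is the
    # simpler and stronger policy once a certificate is in place.
    return PASS, {}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "http://example.com/login", {}, False),
        ("POST", "http://example.com/login", {}, False),
        ("POST", "http://example.com/login", {"X-Forwarded-Proto": "https"}, False),
        ("POST", "http://example.com/login", {"X-Forwarded-Proto": "https"}, True),
        ("GET", "http://example.com/about", {}, False),
        ("POST", "https://example.com/register", {}, False),
    ]
    for method, url, hdrs, trusted in samples:
        status, resp = enforce_https(method, url, hdrs, trust_proxy=trusted)
        print(f"{method:4} {url:35} proxy={trusted!s:5} -> {status} {resp}")
```

Wiring this into a real app means calling it from middleware (WSGI, Django, Flask `before_request`, etc.) and, when behind nginx or a load balancer, setting `trust_proxy=True` only after confirming the proxy overwrites `X-Forwarded-Proto` rather than forwarding whatever the client sent.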