A website shows a padlock icon and 'https://' in the address bar. You are about to enter your credit card number. Is this sufficient to confirm it is safe to proceed?
A. Yes — HTTPS encrypts your data, so the site is verified as trustworthy
B. No — HTTPS only encrypts the connection; you must also verify the site's identity through the domain name
C. Yes — a padlock icon is issued by governments and confirms a site is legitimate
D. No — HTTPS is only safe on desktop browsers, not mobile
HTTPS encrypts the channel between your browser and the server, protecting data in transit from interception — but it says nothing about whether the site itself is legitimate. A phishing site can and often does have a valid HTTPS certificate. Verifying the domain name carefully (looking for misspellings, suspicious top-level domains, or added words) is a separate, necessary check. HTTPS is necessary but not sufficient.
Question 2 Multiple Choice
You visit your bank's login page and your password manager fails to autofill your credentials, even though you've logged in there before. What does this most likely indicate?
A. Your password manager has a bug and you should type the password manually
B. The bank updated its login page and autofill is no longer compatible
C. The current URL does not match the domain where your credentials were saved, suggesting a possible phishing page
D. Your session has expired and you need to reset your password
Password managers autofill credentials only on the exact domain they were originally saved for. If autofill fails on a page claiming to be your bank, the most likely reason is that the URL is different — a strong indicator of a phishing page mimicking the real site. This is one of the most reliable phishing detectors available and works even when the page visually appears identical to the real thing.
Question 3 True / False
A newsletter signup form is asking for your date of birth and phone number in addition to your email address. These fields are optional. You should fill them out to complete the form properly.
T. True
F. False
Answer: False
The principle of data minimization means you should provide only information necessary for the stated purpose. A newsletter only needs your email to send you content. Optional fields collecting a birth date or phone number serve marketing or data monetization purposes, not the newsletter itself. Providing more than necessary increases your exposure if the site is breached. Optional means optional — you are not required to fill these fields.
Question 4 True / False
HTTPS in a website's address bar guarantees the website itself is legitimate and not a phishing site.
T. True
F. False
Answer: False
HTTPS guarantees that the connection between your browser and the server is encrypted, preventing interception in transit. It does NOT verify the identity or legitimacy of the website owner. Attackers routinely obtain valid HTTPS certificates for phishing domains because certificate authorities only verify domain ownership, not intent. You must separately verify the domain name matches the real organization.
Question 5 Short Answer
Why is a dedicated password manager with a master password generally safer than saving passwords in a browser for high-value accounts like banking or email?
Model answer: A dedicated password manager requires a master password to unlock stored credentials, adding an independent authentication layer. Browser-saved passwords typically unlock automatically for anyone logged into the operating system, and certain malicious browser scripts (cross-site scripting attacks) can attempt to extract them. A dedicated manager also only autofills on exact matching domains, which detects phishing pages.
The key distinction is that browser autofill is tied to OS login state — if someone accesses your computer while you're logged in, your saved passwords are exposed. A password manager requires a separate master password, creating defense in depth. The domain-matching behavior is an additional security benefit: the manager acts as a phishing detector, refusing to autofill on URLs that don't exactly match where the password was saved.