It all started with a well-intentioned CNBC article in The Big Crunch, which included an interactive tool that would test the security of readers’ passwords. Once you entered your chosen string, the site determined how common your password was, how long and varied the characters involved were, and ultimately, how secure it was. The problem, however, was that no matter how secure your password may have been before you submitted it, CNBC then proceeded to share it (unbeknownst even to the company, it would seem).
The article (and faulty tool) has since been taken down in acknowledgement of the huge oversight in security practices. Adrienne Porter of Google initially pointed out that your password was sent through the CNBC site unencrypted, which means that anyone could’ve intercepted it at just about any point. And worse yet, while CNBC insisted that “no passwords are being stored,” that was a lie. In fact, your password was sent not only to a Google spreadsheet, but also to over 30 third parties including advertisers and analytics providers.
@jeremybowers found my new master password pic.twitter.com/odUT4E8bAo
— Ben Lamb (@bennyfactor) March 29, 2016
Needless to say, people were not pleased with these significant failures, and Twitter users were almost immediately up in arms. As independent security and privacy researcher Ashkan Soltani tweeted, “This is a story of exactly what *NOT* to do when trying to educate users about password security.”
Oh, and by the way, the tool was apparently also providing incorrect information as to the actual security of your password. But honestly, that’s probably the least of CNBC’s concerns at this point.
