Oops. Another reason to trust just Fox Business 😉
CNBC’s Big Crunch blog put up a well-intentioned, but disastrously designed tutorial on secure password creation, which invited users to paste their passwords into a field to have them graded on how difficult it would be to guess them.
Teaching users about password strength is very important for so long as we’re still using them as the first line of defense in an increasingly breach-riven Internet where attackers can use offline brute-force techniques against huge corpuses of badly secure passwords leaked by incompetent online service providers, then recycle those passwords to breach an ever-expanding cloud of services that have been wired to the Internet. For example, an attacker with access to your email account can reset and take over the ignition and locks on your $200,000 Tesla.
But CNBC’s execution was terrible. Its password testing form was transmitted in the clear, which means that anyone who shared your Internet connection (that is, everyone on the same WiFi or neighborhood-wide cable modem connection as you) could see you sending it. CNBC sent all the passwords it received to a Google Doc spreadsheet (itself a prime target for hacking/breaching), despite a notice that said, “No passwords are being stored.” Worst of all, perhaps, is that the way that CNBC’s website was set up, all 30 of the advertisers whose ads appeared on the page could also spy on your password…
***************************************************
CNBC did a spot on their network on this very issue and one of the reporters expressed skepticism about actually entering a password on their own site. Guess he was right.