CNBC’s Lesson In Password Security Was a Security Fail
Gareth Andrews / 9 years ago
Everyone uses passwords, for everything from email and computers to unlocking your phone to play Flappy Bird. With so many systems at risk, we have to make sure our passwords are secure. CNBC wanted to help out with a lesson in password security, except their lesson turned from “do this” into a prime example of how not to handle passwords.
Originally, the tool (which can still be found at this web archive link) asked you to enter your password so it could check just how strong it was. As first spotted by Google’s one and only Adrienne Porter Felt, the “secure” password checker did rather less than handle your password securely.
worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR
— Adrienne Porter Felt (@__apf__) March 29, 2016
First up was the fact that it sent your password to Google Docs, meaning you were not the only one seeing your password: as it was being sent in an unencrypted format, anyone watching your network traffic, or sitting in between you and the document, had full access to the password.
https://twitter.com/ashk4n/status/714893009226178560
If this wasn’t embarrassing enough, the tool also seemed to share your password with third parties, all the while the site claimed that “no passwords are being stored”.
https://twitter.com/ashk4n/status/714889287133691905
Obviously, some people are quite upset by this, with the site not only outright lying (it has now been updated to deal with things in a more secure manner) but also tricking people into entering passwords under the illusion that the site would help them secure their accounts.
If you’ve ever used an online tool like this, we would recommend changing your password, as there is no guarantee that the system or even the site was secure and protected your details.
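The three failures described above (a password page served without encryption, a form that posts the password to another host, and third-party code on the same page) can be checked for in a page's markup before you trust it. The following is an added example, not code from CNBC or from the original article; the hosts and HTML are constructed placeholders, and it inspects static markup only, so it will not see requests that scripts make at runtime.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PasswordPageAudit(HTMLParser):
    """Records password fields, the forms holding them, and external script hosts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.password_seen = False
        self.pw_form_actions = []  # resolved action URLs of forms with a password field
        self.script_hosts = set()
        self._action = None        # action URL of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # a missing or empty action submits back to the page URL
            self._action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_seen = True
            if self._action:
                self.pw_form_actions.append(self._action)
        elif tag == "script" and a.get("src"):
            self.script_hosts.add(urlparse(urljoin(self.page_url, a["src"])).hostname)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def audit(page_url, html):  # returns a list of findings, empty if nothing is flagged
    p = PasswordPageAudit(page_url)
    p.feed(html)
    page, findings = urlparse(page_url), []
    if not p.password_seen:
        return findings
    if page.scheme != "https":
        findings.append("page with password field served without TLS")
    for action in p.pw_form_actions:
        target = urlparse(action)
        if target.scheme != "https":
            findings.append(f"password form submits in cleartext to {target.hostname}")
        if target.hostname != page.hostname:
            findings.append(f"password form submits to third party {target.hostname}")
    for host in sorted(p.script_hosts - {page.hostname, None}):
        findings.append(f"third-party script can read the field: {host}")
    return findings

SAMPLE_URL = "http://news.example/password-checker"  # constructed sample, placeholder hosts
SAMPLE_HTML = ('<script src="http://tracker.example/t.js"></script>'
               '<form action="http://docs.example/forms/submit"><input type="password" name="pw"></form>')
```

Calling `audit(SAMPLE_URL, SAMPLE_HTML)` returns four findings for the constructed page; a page served over HTTPS whose form posts back to its own host and loads no outside scripts returns an empty list.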