CNBC Tried, and Massively Failed, to Teach People About Password Security
With the court fight between Apple and the FBI as a news peg, CNBC tried to teach people that accounts secured by simple passwords can easily be guessed or brute-forced, using a custom-coded tool that analyzed readers' passwords. But the first capital sin of this article was asking users to type in their own passwords in order to check how secure they were, over a website that doesn't use HTTPS web encryption, no less.
This was first noticed by Google security engineer Adrienne Porter Felt:
That means that after a user typed in her password, the password was initially sent to a Google spreadsheet, travelling completely insecurely through the internet. Anyone on the way (say, a hacker snooping on the Starbucks WiFi connection you were reading the article on) can now steal it.
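As an added example (not part of the CNBC or Motherboard piece), here is a small audit for exactly this mistake: a form containing a password field whose submission target is not HTTPS. The HTML snippet and hostnames are constructed for illustration; a form with no action posts back to the page's own URL, so a password form on a plain http:// page is flagged even when no action is set.

```python
"""Find password forms on a page that would submit credentials in cleartext."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> together with whether it holds an <input type=password>."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form: {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url, html):
    """Return absolute submission URLs of password forms whose scheme is not https."""
    scanner = _FormScanner()
    scanner.feed(html)
    flagged = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])   # empty action -> the page URL itself
        if urlsplit(target).scheme != "https":
            flagged.append(target)
    return flagged


# Constructed sample: a "check your password" widget served from a plain-HTTP article page.
SAMPLE_HTML = """
<form action="/check"><input type="password" name="pw"><input type="submit"></form>
<form action="https://login.example.test/auth"><input type="password" name="p"></form>
<form action="http://search.example.test/q"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    for url in insecure_password_forms("http://www.example.test/article", SAMPLE_HTML):
        print("password form submits in cleartext to", url)
```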
Did you type your real password? Congratulations, it's now been shared not just with CNBC and that friendly Starbucks hacker, but also with more than 30 third parties, such as advertisers and analytics providers who pull data from CNBC.com, as noted by independent security and privacy researcher Ashkan Soltani. (Also, please stop using one password for everything and start using a password manager. Hackers know that people reuse passwords and will test it against Facebook, Bank of America, and so on.)
http://motherboard.vice.com/read/cnbc-tried-and-massively-failed-to-teach-people-about-password-security