CNBC earlier this week published a piece with the goal of helping users strengthen their password security, but the attempt backfired badly.
An interactive tool provided to help readers detect the strength of their passwords was to blame.
Readers were asked to enter potential passwords into a field, and see how long it would take the system to crack them. They were told that adding capital letters, numbers and symbols would help strengthen a password, and they were assured that no passwords were being stored.
Google security engineer Adrienne Porter Felt raised the alarm shortly after the piece was published.
The site was not encrypted, she said.
Data apparently was sent in the clear to a Google spreadsheet.
CNBC has since taken down the piece. It did not respond to our request to provide further details.
“Worried about security?” Felt tweeted.
worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR
— Adrienne Porter Felt (@__apf__) March 29, 2016
That sparked a lively discussion:
This is a story of exactly what *NOT* to do when trying to educate users about password security https://t.co/Z95wUCvjNr
— ashkan soltani (@ashk4n) March 29, 2016
The “submit” button loaded passwords entered into the interactive tool to a Google Docs spreadsheet, tweeted [email protected].
The data was shared to more than 30 third parties — advertisers and analytics providers — that pulled data from CNBC’s site, Soltani said.
Although access to the Google Docs spreadsheet was controlled, the data could have been intercepted and stolen in transit, since it was sent over HTTP.
Given that the article was about security, it’s difficult to understand why data was transmitted in the clear instead of over HTTPS, which would have provided a secure link.
Chances are, IT was not involved in preparing the article.
“No IT guy would ever do this,” said Rob Enderle, principal analyst at the Enderle Group. “It would not only be a job ender, it would be a career ender. You’re literally told on Day 1 to never ask anyone for passwords, because the liability’s too high.”
It’s possible to provision a site for simple tasks such as running a survey without IT’s help, Enderle told the E-Commerce Times. “There are a lot of very talented kids doing internships who lack experience that can put together stuff like this easily.”
Perhaps the editorial department failed to check with IT about the security behind the tool it used to collect user passwords, speculated Suni Munshani, CEO of Protegrity.
Be Careful What You Ask For
CNBC probably “got a lot of people excited,” mused Mike Jude, a research program manager at Frost & Sullivan.
“They also probably uncovered a bunch of people who are inept about security,” he told the E-Commerce Times. “I mean, really: Submit your password for review — by CNBC? Over an unsecured website? What could go wrong?”
The website exposed participants to identity theft, Enderle suggested. The potential for monetary loss “would be astronomical.”
Passwords have proven to be a huge problem for IT security.
Surveying more than 200 IT professionals at the RSA Security Conference held Feb. 29 to Mar. 4 in San Francisco, Lieberman Software found that 77 percent believed passwords were failing as an IT security method. Further, 53 percent thought modern hacking tools easily could break passwords within their organizations, and 55 percent made their users change their passwords more often than they were required to change administrative credentials.
However, it’s well known that the individual user is lackadaisical about changing personal passwords, and often will use one password for several accounts.
“CNBC’s goal was undoubtedly to promote the need for stronger password security and encryption,” Protegrity’s Munshani told the E-Commerce Times. “Ironically, subsequent news coverage of its huge mistake — and the lessons we can all learn about using stronger passwords — probably reached more people than its original piece.
Users “need to change their passwords at once,” warned Enderle. “Since they tend to use the same password for multiple sites and not remember which sites they used it for, the risk that they won’t catch and change a critical password is very high.”