CNBC Asks Readers To Submit Their Password To Check Its Strength Into Exploitable Widget
from the p@ssw0rd dept
People’s passwords and their relative strength and weakness is a subject I know quite well. As part of my business, we regularly battle users who think very simple passwords, often times relating to their birthdays and whatnot, are sufficient. Sometimes they simply make “password” or a similiar variant their go-to option. So, when CNBC put together a widget for readers to input the passwords they use to get feedback on their strength or weakness, I completely understand what they were attempting to accomplish. Password security is a real issue, after all — which is what makes it all the more face-palming that the widget CNBC used was found to be exploitable.
A columnist for CNBC’s The Big Crunch tried to make a misguided point about the FBI’s iPhone situation with an interactive tool that asked readers to input their password to see how secure they were. The post is now down, but if you did comply with the CNBC request, it might be a good idea to change your password. A few people on Twitter claimed the widget is an insecure form that actually submits the characters you enter into the text field to third parties.
Since it’s a form field, it reloads the page when you hit “enter,” changing the url and, in effect, saving the password you just typed in.
“In theory, if there’s someone sniffing traffic on your network, they could see these urls being requested in plain text, and then try sniffing on other traffic coming from you that might indicate some account information,” [Gawker Media’s Adam] Pash told me. This could be as easy as finding out your email address. And it wouldn’t be hard for these ad trackers to collect a bunch of people’s passwords in their logs.
So while CNBC’s cool tool is not necessarily malicious, it’s more just sloppy. “I’m not sure it’s a serious threat,” says Pash. “But it’s definitely dumb.”
Dumb in general, yes, but all the more dumb specifically as the widget was created to educate readers on password security, while it simultaneously opened up a security threat vector upon those same readers. This is the kind of thing that is almost too hysterical to be true. The very concept of attempting to educate the public about password security by developing an online widget and asking them to input their passwords is hilariously self-contradicting. Whatever the list of password do’s and don’ts are, that list must certainly include something about not simply typing your passwords into online search fields for fun. Add to this that CNBC didn’t use HTTPS, and it’s starting to get difficult to see what its widget did right on matters of security.
And, if the social media accusations are true and CNBC was indeed sharing data with third parties, including the passwords that users were inputting into the widget, then this goes from laugh-inducing to dumpster fire fairly quickly. And, keep in mind that all of this was done supposedly to educate readers about password security. For CNBC to then start sharing those passwords with third parties? That kind of thing earns you an IT death sentence.
CNBC apparently realized its mistake and took the widget down, but not before teaching its readers a valuable security lesson, albeit not the one it had intended to teach: Don’t put your passwords into an online widget, no matter who put it up. That’s just dumb.
Filed Under: bad security, cnbc, password strength, passwords, security, sharing, unencrypted
Comments on “CNBC Asks Readers To Submit Their Password To Check Its Strength Into Exploitable Widget”
Only part of the problem
The saddest bit is that, stupid though it is, people are largely conditioned to accept this kind of social engineering attack (Yes I know it wasn’t an attack, but it may as well have been!).
How often to banks/credit card companies/insurance companies ring you up and demand you “verify” your identity by handing over all sorts of personal info and/or passwords? Basically the same thing.
As for password security.. well :
Obligatory XKCD
Re: Only part of the problem
“Yes I know it wasn’t an attack”
I’m not so sure about that. Clandestine attacks are make to look as though they are simple stupidity.
Re: Only part of the problem
You can’t help the retards and neither can XKCD.
You can only help those wanting to learn from their mistakes and the government and the public at large are VERY unwilling to learn from their mistakes.
Re: Re: Only part of the problem
Says someone in the public at large.
Re: Only part of the problem
My bank has never, not once, called my and requested a password. In fact, my bank has (obnoxiously) often sent me emails telling me they cannot access my password, and will never request it on a phone call or email.
If someone has called you and asked for this, and you gave it to them, you need to change your password IMMEDIATELY. If it was genuinely your bank, you should change banks.
Re: Re: Only part of the problem
Yeah, that’s what they say and as far as your online password that’s correct. However, phone bank services etc often use a “password” as shorthand, or sometimes certain characters of a passphrase. Failing that, they will usually verify your identity with personal details such as DOB, mother’s maiden name etc… in the case of insurance, sometimes make/model/reg of vehicle.
All this I have no problem with…. except when they phone you and request this kind of info, which (I suppose US banks may not), UK banks etc do all the time.
And no, I don’t give out that kind of information… I find the call centre number independently and ring them back to discuss whatever it is so I can be sure I’m actually talking to the company they claim to be…. I’ve even complained about the practice and got told “Well that’s just how we do it and we have to prevent fraud” – basically a “We’re doing it to cover our ass, not yours”
My point is that this kind of practice conditions most people to simply answer this kind of question to (at least) anyone that they think they have a trust relationship with. People putting their password into the site of a “trusted brand” is hardly surprising considering.
Re: Re: Re: Only part of the problem
“I suppose US banks may not”
Not only do they not (or at least, none of the major ones I know of), but they make it a point to tell you very clearly that they don’t, and if anyone calls to claim otherwise, don’t talk to them.
Re: Re: Re:2 Only part of the problem
But UK banks, credit card companies, insurance companies and others do and if you complain about it, the answer is basically “tough shit”.
To educate readers about password security
Well, they’ll get educated about password security all right.
Maybe not CNBC, but I’m sure someone was using it after the word got out.
"Security researcher"
In the early days of the web, more than 20 years ago, I recall a self-identified “security researcher” who put up a poll about how secure people’s passwords were.
Questions like:
How many characters in your password?
Does it use upper-case, lower-case, or mixed?
Any non-alphanumeric characters in it?
etc.
In other words, *exactly* the questions an attacker would ask to narrow down a password search.
While it’s not too surprising that there were some idiots who provided answers, what I found (and find) surprising is that the so-called “security researcher” didn’t recognize the impropriety of such questions.
Nothing ever really changes.
Why should a password strength checking website *ever* be trusted? Operating such a website is an excellent way to build a larger list of known passwords that can be used to run dictionary attacks
Re: Re:
Why would CNBC be trusted, you can’t even trust them on the news and that is supposedly what they area about.
substitution
On the rare (& I mean rare) occasions I even bother w/ a Password Strength Checker, I never input my actual passwords. Doing that is beyond stupid. No, I formulate a substitute that should be roughly the same strength (similar length, similar character groupings (though, almost never any that could be used as a future password), but different characters).
I also avoid using the same password for multiple accounts.
that wasn’t a password check. it was an IQ test.
Re: Re:
Not sure if funny or insightful. Have both!
What CNBC Dummy Approved This Stupidity?
The CNBC exec who approved this should be TERMINATED for the utmost STUPIDITY! He/she does not realize that SECRET PASSWORD are supposed to be S E C R E T! Passwords are Never to be shared nor sent to any 3rd party, then in the clear to make the unsuspecting dopes believe in this ridiculous apps. power. Why listen to CNBC ever again? Did you get this from Donald Trump to use OTM(Other People’s Money)?
Your credibility as a “news” source will be forever questioned.
Innovative Method To Protect Passwords
A utility patent has just been granted for a breakthrough technology to protect passwords, for detailed information, go to : http://nmjava.com/gate/