CNBC Asks Readers To Submit Their Password To Check Its Strength Into Exploitable Widget

from the p@ssw0rd dept

People's passwords and their relative strength and weakness are a subject I know quite well. As part of my business, we regularly battle users who think very simple passwords, oftentimes relating to their birthdays and whatnot, are sufficient. Sometimes they simply make "password" or a similar variant their go-to option. So, when CNBC put together a widget for readers to input the passwords they use to get feedback on their strength or weakness, I completely understand what they were attempting to accomplish. Password security is a real issue, after all -- which is what makes it all the more face-palming that the widget CNBC used was found to be exploitable.

A columnist for CNBC’s The Big Crunch tried to make a misguided point about the FBI’s iPhone situation with an interactive tool that asked readers to input their password to see how secure they were. The post is now down, but if you did comply with the CNBC request, it might be a good idea to change your password. A few people on Twitter claimed the widget is an insecure form that actually submits the characters you enter into the text field to third parties.

Since it’s a form field, it reloads the page when you hit “enter,” changing the url and, in effect, saving the password you just typed in.

“In theory, if there’s someone sniffing traffic on your network, they could see these urls being requested in plain text, and then try sniffing on other traffic coming from you that might indicate some account information,” [Gawker Media's Adam] Pash told me. This could be as easy as finding out your email address. And it wouldn’t be hard for these ad trackers to collect a bunch of people’s passwords in their logs.

So while CNBC’s cool tool is not necessarily malicious, it’s more just sloppy. “I’m not sure it’s a serious threat,” says Pash. “But it’s definitely dumb.”
Dumb in general, yes, but all the more dumb specifically as the widget was created to educate readers on password security, while it simultaneously opened up a security threat vector upon those same readers. This is the kind of thing that is almost too hysterical to be true. The very concept of attempting to educate the public about password security by developing an online widget and asking them to input their passwords is hilariously self-contradicting. Whatever the list of password do's and don'ts are, that list must certainly include something about not simply typing your passwords into online search fields for fun. Add to this that CNBC didn't use HTTPS, and it's starting to get difficult to see what its widget did right on matters of security.
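To make the leak path concrete, here is an added Node.js example (not code from CNBC, Gizmodo or Techdirt) showing the two halves of the problem described above: how a plain GET form turns the typed password into a page URL, and how a log owner (the publisher, or any ad tracker that received that URL as a Referer) can find and scrub those values from its access logs. The domain, path, field name and log lines are constructed for the example.

```javascript
// Added example, not CNBC's widget code. Node.js, no dependencies.
// Part 1: a plain <form method="GET"> serialises every field, the password
// box included, into the query string of the URL the browser then requests.
function buildGetSubmitUrl(action, fields) {
  const url = new URL(action);
  for (const [name, value] of Object.entries(fields)) {
    url.searchParams.set(name, value); // same form encoding a browser applies
  }
  return url.toString();
}

// Part 2: that URL lands in the site's own access log and, via the Referer
// header, in the log of every third-party tracker embedded on the page.
// Parameter names are assumed; adjust to the field name actually used.
const SENSITIVE_RE = /([?&](?:password|passwd|pass|pwd)=)([^&\s"]*)/gi;

// Redact leaked values in one Common Log Format line; count non-empty hits.
function redactLogLine(line) {
  let hits = 0;
  const redacted = line.replace(SENSITIVE_RE, (match, key, value) => {
    if (value.length === 0) return match; // empty field, nothing leaked
    hits += 1;
    return key + "[REDACTED]";
  });
  return { redacted, hits };
}

// Scan a whole log; returns scrubbed lines and the total number of leaks.
function scanLog(lines) {
  let leaks = 0;
  const scrubbed = lines.map((line) => {
    const { redacted, hits } = redactLogLine(line);
    leaks += hits;
    return redacted;
  });
  return { lines: scrubbed, leaks };
}

// Constructed sample: line 1 is the publisher's log (the form submit), line 2
// an ad tracker's log that got the URL as a Referer, line 3 a clean request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [31/Mar/2016:10:58:00 +0000] "GET /big-crunch/check?password=p%40ssw0rd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [31/Mar/2016:10:58:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://cnbc.example/big-crunch/check?password=p%40ssw0rd" "Mozilla/5.0"',
  '10.0.0.6 - - [31/Mar/2016:10:59:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];
console.log(buildGetSubmitUrl("http://cnbc.example/big-crunch/check", { password: "p@ssw0rd" }));
const report = scanLog(SAMPLE_LOG);
console.log(`${report.leaks} leaked password value(s) redacted`);
report.lines.forEach((l) => console.log(l));
```

Without HTTPS the same URL is also readable by anyone sniffing the network, which is why the fix is a widget that never submits the field at all, not a tidier log.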

And, if the social media accusations are true and CNBC was indeed sharing data with third parties, including the passwords that users were inputting into the widget, then this goes from laugh-inducing to dumpster fire fairly quickly. And, keep in mind that all of this was done supposedly to educate readers about password security. For CNBC to then start sharing those passwords with third parties? That kind of thing earns you an IT death sentence.

CNBC apparently realized its mistake and took the widget down, but not before teaching its readers a valuable security lesson, albeit not the one it had intended to teach: Don't put your passwords into an online widget, no matter who put it up. That's just dumb.


Reader Comments



  1. Not an Electronic Rodent (profile), 31 Mar 2016 @ 10:58am

    Only part of the problem

    Whatever the list of password do's and don'ts are, that list must certainly include something about not simply typing your passwords into online search fields for fun.
    The saddest bit is that, stupid though it is, people are largely conditioned to accept this kind of social engineering attack (Yes I know it wasn't an attack, but it may as well have been!).

    How often do banks/credit card companies/insurance companies ring you up and demand you "verify" your identity by handing over all sorts of personal info and/or passwords? Basically the same thing.

    As for password security.. well :
    Obligatory XKCD


  2. Anonymous Coward, 31 Mar 2016 @ 11:19am

    Re: Only part of the problem

    "Yes I know it wasn't an attack"

    I'm not so sure about that. Clandestine attacks are made to look as though they are simple stupidity.


  3. Anonymous Coward, 31 Mar 2016 @ 11:19am

    Re: Only part of the problem

    You can't help the retards and neither can XKCD.

    You can only help those wanting to learn from their mistakes and the government and the public at large are VERY unwilling to learn from their mistakes.


  4. Synonymous Howard (profile), 31 Mar 2016 @ 11:22am

    To educate readers about password security

    Well, they'll get educated about password security all right.


  5. Agonistes (profile), 31 Mar 2016 @ 11:37am

    Maybe not CNBC, but I'm sure someone was using it after the word got out.


  6. OldMugwump (profile), 31 Mar 2016 @ 11:58am

    "Security researcher"

    In the early days of the web, more than 20 years ago, I recall a self-identified "security researcher" who put up a poll about how secure people's passwords were.

    Questions like:

    How many characters in your password?

    Does it use upper-case, lower-case, or mixed?

    Any non-alphanumeric characters in it?

    etc.

    In other words, *exactly* the questions an attacker would ask to narrow down a password search.

    While it's not too surprising that there were some idiots who provided answers, what I found (and find) surprising is that the so-called "security researcher" didn't recognize the impropriety of such questions.

    Nothing ever really changes.


  7. Anonymous Coward, 31 Mar 2016 @ 12:37pm

    Why should a password strength checking website *ever* be trusted? Operating such a website is an excellent way to build a larger list of known passwords that can be used to run dictionary attacks.


  8. Anonymous Coward, 31 Mar 2016 @ 1:30pm

    Re: Only part of the problem

    My bank has never, not once, called me and requested a password. In fact, my bank has (obnoxiously) often sent me emails telling me they cannot access my password, and will never request it on a phone call or email.

    If someone has called you and asked for this, and you gave it to them, you need to change your password IMMEDIATELY. If it was genuinely your bank, you should change banks.


  9. Lurker Keith, 31 Mar 2016 @ 3:35pm

    substitution

    On the rare (& I mean rare) occasions I even bother w/ a Password Strength Checker, I never input my actual passwords. Doing that is beyond stupid. No, I formulate a substitute that should be roughly the same strength (similar length, similar character groupings (though, almost never any that could be used as a future password), but different characters).

    I also avoid using the same password for multiple accounts.


  10. Not an Electronic Rodent (profile), 31 Mar 2016 @ 3:38pm

    Re: Re: Only part of the problem

    My bank has never, not once, called me and requested a password. In fact, my bank has (obnoxiously) often sent me emails telling me they cannot access my password, and will never request it on a phone call or email
    Yeah, that's what they say and as far as your online password that's correct. However, phone bank services etc often use a "password" as shorthand, or sometimes certain characters of a passphrase. Failing that, they will usually verify your identity with personal details such as DOB, mother's maiden name etc... in the case of insurance, sometimes make/model/reg of vehicle.

    All this I have no problem with.... except when they phone you and request this kind of info, which (I suppose US banks may not), UK banks etc do all the time.

    And no, I don't give out that kind of information... I find the call centre number independently and ring them back to discuss whatever it is so I can be sure I'm actually talking to the company they claim to be.... I've even complained about the practice and got told "Well that's just how we do it and we have to prevent fraud" - basically a "We're doing it to cover our ass, not yours"

    My point is that this kind of practice conditions most people to simply answer this kind of question to (at least) anyone that they think they have a trust relationship with. People putting their password into the site of a "trusted brand" is hardly surprising considering.


  11. John Fenderson (profile), 31 Mar 2016 @ 5:23pm

    Re: Re: Re: Only part of the problem

    "I suppose US banks may not"

    Not only do they not (or at least, none of the major ones I know of), but they make it a point to tell you very clearly that they don't, and if anyone calls to claim otherwise, don't talk to them.


  12. Anonymous Coward, 31 Mar 2016 @ 6:10pm

    Re: Re: Only part of the problem

    Says someone in the public at large.


  13. Anonymous Coward, 31 Mar 2016 @ 9:03pm

    That wasn't a password check. It was an IQ test.


  14. Not an Electronic Rodent (profile), 1 Apr 2016 @ 5:45am

    Re: Re: Re: Re: Only part of the problem

    Not only do they not (or at least, none of the major ones I know of), but they make it a point to tell you very clearly that they don't, and if anyone calls to claim otherwise, don't talk to them.
    But UK banks, credit card companies, insurance companies and others do and if you complain about it, the answer is basically "tough shit".


  15. Ninja (profile), 1 Apr 2016 @ 9:10am

    Re:

    Not sure if funny or insightful. Have both!


  16. Anonymous Coward, 1 Apr 2016 @ 11:45am

    Re:

    Why would CNBC be trusted? You can't even trust them on the news, and that is supposedly what they are about.


  17. jaack65 (profile), 25 Sep 2016 @ 2:48am

    What CNBC Dummy Approved This Stupidity?

    The CNBC exec who approved this should be TERMINATED for the utmost STUPIDITY! He/she does not realize that SECRET PASSWORDS are supposed to be S E C R E T! Passwords are never to be shared nor sent to any 3rd party, then in the clear to make the unsuspecting dopes believe in this ridiculous app's power. Why listen to CNBC ever again? Did you get this from Donald Trump to use OPM (Other People's Money)?
    Your credibility as a "news" source will be forever questioned.


  18. Frank, 21 Nov 2016 @ 1:26pm

    Innovative Method To Protect Passwords

    A utility patent has just been granted for a breakthrough technology to protect passwords. For detailed information, go to: http://nmjava.com/gate/

