CNBC’s secure password tutorial sent your password in the clear to 30 advertisers.
This article from ‘boingboing’ is very appropriate as a complement to this week’s podcast on cyber security and the relationship it has to corporate governance. The Guardian Podcast can be heard here on the web site, or on SoundCloud (https://soundcloud.com/harold-nicoll/connecting-information-security-and-corporate-governance) or iTunes (https://itunes.apple.com/us/podcast/connecting-information-security/id977764101?i=365753826&mt=2).
One thing is certain from the podcast and the cautionary tale below: never, ever share your password with anyone or anything for any reason. CNBC sent these passwords to Starbucks and other advertisers. It was a cynical ruse at worst or a bungled public service at best. But those who willingly typed in their passwords are also complicit. As Ryn says in this week’s podcast, cyber security is everyone’s business and part of everyone’s job. So sharing a password is right up there with sharing a social security number: it should never be done.
Of course, to avoid all that clicking and leaving the site, we have the article right here!
CNBC’s Big Crunch blog put up a well-intentioned, but disastrously designed tutorial on secure password creation, which invited users to paste their passwords into a field to have them graded on how difficult it would be to guess them.
Teaching users about password strength is very important for as long as we’re still using them as the first line of defense in an increasingly breach-riven Internet, where attackers can use offline brute-force techniques against huge corpuses of badly secured passwords leaked by incompetent online service providers, then recycle those passwords to breach an ever-expanding cloud of services that have been wired to the Internet. For example, an attacker with access to your email account can reset and take over the ignition and locks on your $200,000 Tesla.
But CNBC’s execution was terrible. Its password testing form was transmitted in the clear, which means that anyone who shared your Internet connection (that is, everyone on the same WiFi or neighborhood-wide cable modem connection as you) could see you sending it. CNBC sent all the passwords it received to a Google Doc spreadsheet (itself a prime target for hacking/breaching), despite a notice that said, “No passwords are being stored.” Worst of all, perhaps, is that the way that CNBC’s website was set up, all 30 of the advertisers whose ads appeared on the page could also spy on your password.
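The three design faults described above (plaintext transport, posting the secret to someone else’s server, and third-party scripts sharing the page) can be checked mechanically. The following is an added example written for this post, not code from CNBC, boingboing or Motherboard: a small audit function that takes a description of how a password-entry page is wired and reports which of those faults are present. All URLs, hostnames and page descriptions in it are constructed for illustration.

```javascript
// Added example: audit how a password-entry page is wired.
// Input shape (an assumption of this example, not a real page API):
//   { pageUrl, formAction, scriptSrcs }
//   formAction may be null, meaning the page grades the password locally and never submits it.

// Scheme + host of a URL, e.g. "https://news.example.test".
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Returns an array of findings; an empty array means none of the modelled faults are present.
function auditPasswordForm(page) {
  const findings = [];
  const pageOrigin = originOf(page.pageUrl);

  // 1. Transport. Anything typed into a page served over http:, or posted to an http:
  //    endpoint, crosses the network unencrypted and is readable by anyone on the path
  //    (shared WiFi, a neighbourhood cable segment, intermediate networks).
  if (!page.pageUrl.startsWith('https:')) {
    findings.push({ id: 'page-not-https', detail: page.pageUrl });
  }

  if (page.formAction !== null) {
    const actionOrigin = originOf(page.formAction);
    if (!page.formAction.startsWith('https:')) {
      findings.push({ id: 'form-action-not-https', detail: page.formAction });
    }
    // 2. Destination. A form that posts to an origin other than the page's own hands the
    //    secret to a third party (the article's Google Doc spreadsheet case), whatever the
    //    page's "no passwords are being stored" notice says.
    if (actionOrigin !== pageOrigin) {
      findings.push({ id: 'cross-origin-submit', detail: actionOrigin });
    }
  }

  // 3. Third-party scripts. Every <script> on a page runs in the page's own JavaScript
  //    context with the same DOM access as the site's own code, so the value of a password
  //    field is available to every ad or analytics tag loaded alongside it.
  const thirdParty = [...new Set(page.scriptSrcs.map(originOf))].filter(o => o !== pageOrigin);
  if (thirdParty.length > 0) {
    findings.push({ id: 'third-party-scripts-on-page', detail: thirdParty });
  }
  return findings;
}

// Constructed sample 1: a page wired the way the article describes.
const LEAKY_PAGE = {
  pageUrl: 'http://news.example.test/password-strength',
  formAction: 'http://forms.example-spreadsheet.test/submit',
  scriptSrcs: [
    'http://news.example.test/app.js',
    'https://ads.example-adnetwork.test/tag.js',
    'https://analytics.example-metrics.test/collect.js',
    'https://ads.example-adnetwork.test/pixel.js',
  ],
};

// Constructed sample 2: served over HTTPS, graded locally, no foreign scripts on the page.
const HARDENED_PAGE = {
  pageUrl: 'https://news.example.test/password-strength',
  formAction: null,
  scriptSrcs: ['https://news.example.test/strength-meter.js'],
};

// Stand-alone run: print the findings for both samples.
for (const [name, page] of [['leaky', LEAKY_PAGE], ['hardened', HARDENED_PAGE]]) {
  const findings = auditPasswordForm(page);
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.id}: ${JSON.stringify(f.detail)}`);
}
```

The hardened sample makes the design point: a strength meter does not need a form submission at all, so `formAction` is `null` and the only script is the site's own. Removing the third-party tags from a page that handles secrets matters as much as HTTPS, because encryption on the wire does nothing about code already running inside the page.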
To add insult to injury, CNBC’s system wasn’t very good at scoring passwords, giving them higher grades than they deserved.
Did you type your real password? Congratulations, it’s now been shared not just with CNBC and that friendly Starbucks hacker, but also with more than 30 third parties, such as advertisers and analytics providers who pull data from CNBC.com, as noted by independent security and privacy researcher Ashkan Soltani. (Also please stop using one password for everything and start using a password manager. Hackers know that people reuse passwords and will test it against Facebook, Bank of America, and so on.)
CNBC Tried, and Massively Failed, to Teach People About Password Security [Lorenzo Franceschi-Bicchierai/Motherboard]
13 Nov 2017