CNBC Tried, and Massively Failed, to Teach People About Password Security
Dear news organizations, please don’t do this, ever.
Thanks to endless data breaches, hacks, and the US government's seemingly endless fight against encryption, privacy and security have now effectively become mainstream news topics.
That's good! We should all be aware of the fact that everything on the internet is fundamentally broken, and how we're vulnerable because of it. But that's also not so good because now we're getting security advice from a lot of people who have no idea what they're talking about.
Take, for example, a post titled "Apple and the construction of secure passwords" on CNBC's data-driven blog The Big Crunch. The intention behind it was great: Teach internet users of the vital importance of having a strong and unique password. Too bad the execution was just infuriatingly bad. The story has been taken down with no explanation, but you can see an archived version here.
With the court fight between Apple and the FBI as a news peg, CNBC tried to teach people that accounts secured by simple passwords can easily be guessed or brute-forced with a custom-coded tool that analyzed reader's passwords. But the first capital sin of this article was asking users to type in their own passwords in order to check how secure they were—over a website that doesn't use HTTPS web encryption, no less.
This was first noticed by Google security engineer Adrienne Porter Felt:
That means that after a user typed in her password, the password was initially sent to a Google spreadsheet, travelling completely insecurely through the internet. Anyone on the way—say, a hacker snooping on the Starbucks' WiFi connection you were reading the article on—can now steal it.
Did you type your real password? Congratulations, it's now been shared not just with CNBC and that friendly Starbucks hacker, but also with more than 30 third parties, such as advertisers and analytics providers who pull data from CNBC.com, as noted by independent security and privacy researcher Ashkan Soltani. (Also please stop using one password for everything and start using a password manager. Hackers know that people reuse passwords and will test it against Facebook, Bank of America, and so on.)
What's more, CNBC's tool to evaluate password strength also seemed to be underestimating how quickly short passwords can be cracked.
"This is a story of exactly what *NOT* to do when trying to educate users about password security," Soltani wrote in a tweet.
CNBC did not immediately respond to a request for comment. At least it got one thing right in the original piece: including this excellent Xkcd comic strip on password strength.
Perhaps they should have just replaced the whole article with that.