Epic fail: CNBC botches online security tutorial, asks readers for passwords
The article “Apple and the construction of secure passwords” was published Tuesday on CNBC’s blog The Big Crunch and asked readers to test password strength with an interactive tool.
The article prompted readers to enter their passwords into a special tool to check their security.
It wasn’t long, however, before a number of security experts weighed in, pointing out the experiment’s flaws.
Firstly, the site was not using HTTPS web encryption - the secure version of HTTP, which ensures communications between browser and website are encrypted - as pointed out by Google security engineer Adrienne Porter Felt.
Once users submitted their password information, it was sent to a Google Doc, leaving it open to hackers as it travelled insecurely through the internet.
Security and privacy researcher Ashkan Soltani also pointed out that the information is shared with third parties, such as advertisers and analytics providers, who take data from CNBC.com.
CNBC have since removed the article, without comment.
"Readers asked to type in password over http, stored in google spreadsheet. CNBC should win a Phishing award. https://t.co/uiCPeNiCxc" - Richard❌Westmoreland (@RSWestmoreland), March 30, 2016