This story is over 5 years old.


CNBC Tried, and Massively Failed, to Teach People About Password Security

Dear news organizations, please don’t do this, ever.
Image: wavebreakmedia/Shutterstock

Thanks to endless data breaches, hacks, and the US government's seemingly endless fight against encryption, privacy and security have now effectively become mainstream news topics.

That's good! We should all be aware of the fact that everything on the internet is fundamentally broken, and how we're vulnerable because of it. But that's also not so good because now we're getting security advice from a lot of people who have no idea what they're talking about.


Take, for example, a post titled "Apple and the construction of secure passwords" on CNBC's data-driven blog The Big Crunch. The intention behind it was great: Teach internet users of the vital importance of having a strong and unique password. Too bad the execution was just infuriatingly bad. The story has been taken down with no explanation, but you can see an archived version here.

With the court fight between Apple and the FBI as a news peg, CNBC tried to teach people that accounts secured by simple passwords can easily be guessed or brute-forced with a custom-coded tool that analyzed reader's passwords. But the first capital sin of this article was asking users to type in their own passwords in order to check how secure they were—over a website that doesn't use HTTPS web encryption, no less.

This was first noticed by Google security engineer Adrienne Porter Felt:

worried about security? enter your password into this Adrienne Porter FeltMarch 29, 2016

KaneyMarch 29, 2016

That means that after a user typed in her password, the password was initially sent to a Google spreadsheet, travelling completely insecurely through the internet. Anyone on the way—say, a hacker snooping on the Starbucks' WiFi connection you were reading the article on—can now steal it.

Did you type your real password? Congratulations, it's now been shared not just with CNBC and that friendly Starbucks hacker, but also with more than 30 third parties, such as advertisers and analytics providers who pull data from, as noted by independent security and privacy researcher Ashkan Soltani. (Also please stop using one password for everything and start using a password manager. Hackers know that people reuse passwords and will test it against Facebook, Bank of America, and so on.)


Holy crap: ashkan soltaniMarch 29, 2016

What's more, CNBC's tool to evaluate password strength also seemed to be underestimating how quickly short passwords can be cracked.

"This is a story of exactly what *NOT* to do when trying to educate users about password security," Soltani wrote in a tweet.

Needless to say, this article has sent infosec Twitter into a tailspin, with people angrily tweeting at the CNBC data reporter who worked on the article, as well as other just cracking jokes.

Just working on my new news app. Jeremy BowersMarch 29, 2016

Ben LambMarch 29, 2016

CNBC did not immediately respond to a request for comment. At least it got one thing right in the original piece: including this excellent Xkcd comic strip on password strength.

Perhaps they should have just replaced the whole article with that.