A Blunder by CNBC Reminds Us to Keep Our Passwords Private
Whenever you're connected to the Internet, whether you're online shopping on your laptop or checking scores on your smartphone, it's important to consider the security of your private and personal information. Any field that prompts you to enter your information should be viewed with scrunity—even if it's one that promises to enhance your online security.
According to PCWorld, reputable news outlet CNBC recently ran a story online about password security that included a password strength checker. The tool included a caption that ensured users the tool was intended for "entertainment and educational purposes only" and that the info would not be saved. But security experts, programmers, and security researchers took issue with the lack of encryption on the page and did some digging.
Privacy and security researcher Ashkan Soltani suggested on Twitter that the passwords were sent to third parties, which PCWorld identified as Google's DoubleClick advertising service and a marketing company called Scorecard Research.
A programmer named Kane York shared screenshots of the code that revealed that the passwords were stored in a private spreadsheet. The director of Gawker Media’s Editorial Labs, Adam Pash, explained to Gizmodo that when passwords are entered into the form, it reloads the unencrypted webpage with the password as a part of the URL. "In theory, if there’s someone sniffing traffic on your network, they could see these URLs being requested in plain text, and then try sniffing on other traffic coming from you that might indicate some account information,” he said. "I’m not sure it’s a serious threat, but it's dumb."
The story with the password checker has since been removed from the CNBC website.
This just goes to show that you should surf the web with a healthy dose of skepticism, and avoid entering your password (or other private information) into online forms unless you're completely sure the website is SSL/TLS (Secure Socket Layer/Transport Layer Security) encrypted—look for URLs starting with "https."
[h/t PCWorld]