The article itself is a perfectly competent explanation of how passwords can be brute forced, and how to make sure yours is as hard to guess as possible. You can still see an archived version of the article. The catastrophic failure is not in the writing of that piece, but the little password testing widget right in the middle. The idea is to put in your passwords and see how the score for security. Not only was the test inaccurate, assigning higher scores to weak passwords than they deserved, but even more problematic was the way CNBC’s testing widget worked.
We’ve learned time and time again that people are really bad at picking strong passwords. Look at any list of leaked passwords, and the most popular ones will no doubt be things like “123456” and “password.” CNBC had the best of intentions when it ran an online feature on password security recently. The implementation, however, resulted in many users exposing their passwords for all to see.
For starters, it was transmitting all the passwords entered into it in the clear over HTTP. That means anyone listening in on your local network or between you and CBNC’s servers would be able to read the password. So that’s not great, but where were the passwords being transmitted to anyway? This isn’t the first password analysis tool on a webpage, but they usually go out of their way to explain how the analysis is done inside the browser so nothing is transmitted. It turns out CNBC was storing passwords entered into the widget, even though they said they weren’t.
If CNBC’s goal was to teach people to be more careful about password security, it might have done just that. Not with actual education, but by putting people at risk of being hacked. CNBC has not spoken about this disastrous crash course in password security. The article has been taken down, so no more unsuspecting users will give away their passwords.
After a password was submitted in the widget, CNBC’s page would copy it to a Google Docs spreadsheet for ranking. You can imagine that spreadsheet is a veritable goldmine for malicious hackers. The spreadsheet is at least private. Perhaps the worst part of all this is that advertisers and analytics firms, of which were were more than 30 on that page, all had access to the data from that password widget. If you entered your real password, you just gave it to 30 companies which may or may not have secure data storage themselves.