Wednesday, March 30, 2016
CNBC had the neat idea of talking about secure passwords and good practices for creating them; unfortunately, it also had the terrible idea of creating a password assessment test that put all of its visitors' passwords at risk.
The idea might seem good at first: a tool to help users check whether their passwords were secure enough. But it did so in the worst possible way, putting all the checked passwords at risk.
Not only did CNBC fail to use an HTTPS page, making each and every password immediately accessible to anyone intercepting your communication; the password was also stored in a Google spreadsheet accessible by who knows who. Even worse, the passwords were also automatically sent to dozens of CNBC partners. Not the best way to deal with a piece of sensitive information that you'd hope to keep secret.
Though I imagine none of you would fall for this, it's certainly a situation where lots of people might enter some of their passwords, not realizing the risks of such a simple act. When in doubt, even if it's a reputable site asking for it, just follow one simple rule: don't type your password anywhere other than the service you're logging into, and make sure it's using an HTTPS connection (and that you don't use the same password in different services)!