CNBC's secure password tutorial sent your password in the clear to 30 advertisers


#1

[Read the post]


#2

Seems like they should be criminally responsible for the false claims and unsecured data transfer.

It might be totally unintentional, but they asked for your password and have no warning not to use your real password.

They even stored it after explicitly claiming they wouldn’t.


#3

Sounds like it was a pretty good lesson in password security.


#4

Well they would certainly fall foul of the data protection and retention directive in the EU. Not sure if they would end up paying out though.

I suspect that the way it was a one-off and not part of their actual business would mean they wouldn’t be fined for it.

They may well be liable in tort if any damage occurs.


#5

On the plus side, apparently the “Archer” inspired password ‘eat/a/bag/of/dicks’ is secure enough to last long past the end of the known universe, with a whopping 180 billion years required to break it.


#6

<yoink>'eat/a/bag/of/dicks'</yoink>

(adds to dictionary…)


#7

But a password isn’t much use without a username, is it? Suppose I found out somebody, somewhere, uses password123… so what?


#8

Attack dictionaries just got larger, for one.


#9

At the very least, I guess you could add it to the password dictionary used by your password-cracking tool.

Or maybe CNBC or one of the advertisers has a cookie which can identify the person directly.
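The "180 billion years" figure in #5 and the dictionary replies in #6, #8 and #9 are two sides of the same point: a strength meter counts the keyspace a blind brute-force attacker would face, while a real attacker tries leaked passwords first. The following is an added example, not code from the page or from CNBC's tool, that makes that gap concrete. The character-class sizes (26/26/10/32), the `GUESS_RATE` of 1e10 guesses per second and the `LEAKED_WORDLIST` are assumptions constructed for the example; the brute-force figure it prints will therefore not match the article's 180 billion years, and the interesting column is the second one.

```python
import math
import string
from typing import List, Optional

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def charset_size(password: str) -> int:
    """Alphabet size a keyspace-counting strength meter would assume for this
    password: the union of the character classes it actually uses.
    The class sizes are the usual heuristic (26/26/10/32 plus space), an
    assumption of this example, not CNBC's real algorithm."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Bits of keyspace a blind brute-force attacker faces: len * log2(alphabet)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def brute_force_years(password: str, guesses_per_second: float) -> float:
    """Expected years to brute-force the password: on average half the keyspace
    is searched before the right guess comes up."""
    expected_guesses = 2 ** brute_force_bits(password) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def dictionary_guesses(password: str, wordlist: List[str]) -> Optional[int]:
    """Guesses a straight wordlist attack needs to hit the password: its
    1-based position in the list, or None if the list does not contain it."""
    try:
        return wordlist.index(password) + 1
    except ValueError:
        return None


def effective_years(password: str, guesses_per_second: float,
                    wordlist: List[str]) -> float:
    """Time the attacker actually needs: a wordlist hit costs as many guesses
    as its position in the list; only a password absent from the wordlist
    falls back to the brute-force figure the strength meter reported."""
    n = dictionary_guesses(password, wordlist)
    if n is not None:
        return n / guesses_per_second / SECONDS_PER_YEAR
    return brute_force_years(password, guesses_per_second)


# Constructed sample wordlist: a few stock entries plus the passwords this
# thread mentions, as if an attacker had appended what the tutorial leaked.
LEAKED_WORDLIST = [
    "123456", "password", "qwerty", "letmein",
    "password123",
    "eat/a/bag/of/dicks",
]

GUESS_RATE = 1e10  # assumed offline guessing rate, guesses per second


def report(password: str) -> dict:
    """Meter estimate next to the attacker's actual cost for one password."""
    return {
        "bits": round(brute_force_bits(password), 1),
        "meter_years": brute_force_years(password, GUESS_RATE),
        "attacker_years": effective_years(password, GUESS_RATE, LEAKED_WORDLIST),
    }


if __name__ == "__main__":
    for pw in ("eat/a/bag/of/dicks", "password123", "correct horse battery staple"):
        r = report(pw)
        print(f"{pw!r}: {r['bits']} bits, meter says {r['meter_years']:.3g} years, "
              f"attacker needs {r['attacker_years']:.3g} years")
```

Run as-is it prints the meter's astronomical figure for the Archer passphrase beside the fraction of a second it costs once the phrase sits in a wordlist, which is what #6 is doing by hand. The third passphrase is not in the constructed list, so it keeps its brute-force cost; the lesson generalizes to any password that has been typed into a page that forwards it to third parties.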


#10

The stupid… it burns.
That one is grade A dumbness of the sort that can get CNBC a class action. Where the hell were the IT security guys on this one? Probably not told and too overworked to notice what somebody set up for a website.


#11

Ok, well this brings me to my favorite work related security anecdote.

For a month at an ex-workplace of mine there were posters up about improving security, and the chief security officer was spamming everyone with emails about how to improve security and passwords and whatnot. Finally they were going to hold a contest regarding who had the best password, so she sent an email asking everyone to send their password. I of course thought it was a joke, but I was still insulted, so I sent a rude email back and was informed that no, it was definitely real.

The next day she sent an email announcing the contest winner’s name and the winning password.


#12

Wow… that’s umm a very special type of security there. How long did you last in that environment?


#13

Well, I lasted several years until the international project I was working on was done; I just never took any part in workplace contests.


#14

Hey, what a great phishing vector!


#15

I once had a user on an FTP server (which didn’t enforce regular password changes) who occasionally needed her password reset. The first time, I set it to “changeme” and told her to change it right away. The next time I did that, she said “oh yeah, that was my old password.” So the next time I changed it to “changemerightnow”. And I made a note of the hash so I could see if she changed it. She never did.
So the next time she got “ChangeThisPasswordRightNowWendyYouMUSTChangeItToSomethingNewBeforeUsingTheServer.”

A few months later I was in the room when she had to upload something and she complained that the password I gave her was so long to type every time.


#16

Maybe … the advertisers will cross reference with facebook and other tracking cookies?


#17

Incredibly hard to prove, I imagine.

The fraudulent claims and the negligence though, it should be criminal!


#18

Did y’all know that if you type your discourse password in bOINGbOING, it shows up as plaintext to you, but everybody else just sees a row of asterisks? Look, here’s mine!

******************

Try it, it’s fun!*

* disclaimer: not actually fun, for you.


#19

Medieva1istisaPoopyHead!

Wow, that’s really cool.


#20

This is fine as long as they say that every password is extremely easy to hack and should be changed immediately.

“Your password is very insecure because you don’t know how to safeguard it.”