Reefa Posted March 30, 2016

CNBC just learned a hard, hard lesson about password security. The news outlet posted (and promptly took down) an article on the subject whose centerpiece was a "how strong is your password?" text entry box that, if anything, was a classic example of how not to manage those all-important logins. For a start, Google's Adrienne Porter Felt noticed that the box sent your password unencrypted, guaranteeing that any snoop could intercept it and test it against your real accounts. To make matters worse, others discovered that the site sent the password not just to a Google Docs spreadsheet, but to multiple third parties -- when CNBC said "no passwords are being stored," it was flat-out wrong.

Things wouldn't have gone well even if the text field was airtight. The tool appeared to underestimate how long it would take to crack passwords, potentially lulling you into a false sense of security. In fairness, CNBC is aware of what happened and is spending time improving the tool. The real question is why the initial version didn't appear to get serious scrutiny before it went live -- if you're going to educate the public about the value of good security, you need to practice what you preach.

Quote: "worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR" — Adrienne Porter Felt (@__apf__) March 29, 2016

Source
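As an added example (not CNBC's checker and not code from this thread), here is the shape a strength meter should take to avoid both failures the article describes: it is a set of pure functions that run on the client and never transmit the password, and it reports crack time under several attacker guess rates rather than one optimistic figure, crediting wordlist-plus-mangling patterns far less than a naive charset calculation would. The guess rates and the tiny wordlist are constructed assumptions for illustration.

```javascript
// Added example, not CNBC's checker: a password-strength estimate that runs
// entirely on the client (pure functions, no network call, nothing logged), and
// reports crack time under several attacker guess rates instead of one number.
// The guess rates and the tiny wordlist are constructed assumptions for illustration.
const GUESS_RATES = {
  onlineThrottled: 10,   // rate-limited login endpoint, guesses/second
  offlineSlowHash: 1e4,  // leaked bcrypt/scrypt hashes on one GPU
  offlineFastHash: 1e10, // leaked unsalted MD5/SHA-1 hashes on a GPU rig
};

// Constructed stand-in for a real cracking wordlist (real ones hold millions).
const COMMON = new Set(['password', '123456', 'qwerty', 'letmein', 'welcome']);

function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII symbols
  return n;
}

// What a naive checker computes: every character is assumed uniformly random.
function naiveBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetSize(pw));
}

// Credit only the structure an attacker must actually guess. A wordlist entry is
// found in |COMMON| tries; "Word + digits + symbol" is a wordlist entry plus a
// few cheap mangling rules, not a brute-force search over the full charset.
function entropyBits(pw) {
  if (COMMON.has(pw.toLowerCase())) return Math.log2(COMMON.size);
  const m = /^([A-Za-z]+)(\d{0,4})([^A-Za-z0-9]?)$/.exec(pw);
  if (m && COMMON.has(m[1].toLowerCase())) {
    return Math.log2(COMMON.size) + m[2].length * Math.log2(10) + (m[3] ? Math.log2(33) : 0);
  }
  return naiveBits(pw);
}

// Expected seconds to crack: on average the password is found halfway through the space.
function crackSeconds(pw, guessesPerSecond) {
  return Math.pow(2, entropyBits(pw)) / 2 / guessesPerSecond;
}

// One figure per threat model; callers render this locally and never POST the password.
function report(pw) {
  const out = { naiveBits: naiveBits(pw), realisticBits: entropyBits(pw) };
  for (const [name, rate] of Object.entries(GUESS_RATES)) out[name] = crackSeconds(pw, rate);
  return out;
}
```

For "Password1!" the naive calculation credits about 66 bits while the pattern-aware one credits about 11, which is the kind of gap that lets a meter report days of cracking time for a password an offline attacker recovers in well under a second.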
luisam Posted March 30, 2016

The whole idea is just goofy:

1. Why should I need an application to generate my personal security password?
2. Different sites, like banks, have different criteria about passwords: I mean, about the number and sequence of alphanumeric characters, lowercase and uppercase, special characters which may or may not appear; some banks detect if you are using some "personal data", or if part of that password was used by you in the recent past, etc.
3. Considering point 2, while, yes, there are some completely "computer illiterate" people who have no idea about how to generate a workable password, I'm not sure if an application might help them to get the one they really might need.

Of course, the gravy of the lasagna is all that security issue mentioned in the text.
CODYQX4 Posted March 30, 2016

3 minutes ago, luisam said:
The whole idea is just goofy: 1. Why should I need an application to generate my personal security password? 2. While, yes, there are some completely "computer illiterate" people who have no idea about how to generate a workable password, I'm not sure if an application might help them to get the one they really might need. 3. Different sites, like banks, have different criteria about passwords: I mean, about the number and sequence of alphanumeric characters, lowercase and uppercase, special characters which may or may not appear; some banks detect if you are using some "personal data", or if part of that password was used by you in the recent past, etc. Of course, the gravy of the lasagna is all that security issue mentioned in the text.

I use 1Password and can create more secure passwords than I could ever possibly do and remember on my own. What's more likely:

A. Use the same password and email on multiple sites, one site gets hacked, your info unlocks other sites.
B. Someone specifically targets me to steal and brute-force my encrypted password database.

I've had many sites I've been on get hacked (A, except I didn't have other sites get hacked based off whatever may have leaked about me), but B has yet to happen to me.
straycat19 Posted March 30, 2016

3 hours ago, CODYQX4 said:
I use 1Password and can create more secure passwords than I could ever possibly do and remember on my own. What's more likely: A. Use the same password and email on multiple sites, one site gets hacked, your info unlocks other sites. B. Someone specifically targets me to steal and brute-force my encrypted password database. I've had many sites I've been on get hacked (A, except I didn't have other sites get hacked based off whatever may have leaked about me), but B has yet to happen to me.

Why rely on a password when most email and other important sites offer two-factor authentication? We require two-factor authentication as an absolute necessity along with a strong password (2 upper case, 2 lower case, 2 numbers, 2 special characters, minimum size 16, change every 90 days, no password reused for 5 years). We use RSA devices to generate a key to access servers. Personally I use YubiKeys and text messages for authentication on those sites I don't want to be hacked on, such as financial and email. And that works for me, since I get at least one message a week that someone has attempted to hack one of my real email accounts, but that has been going on for years without them having any success. And if they ever did, I leave nothing in the accounts: no contacts, no email, absolutely nothing. It is all downloaded and securely stored. Anyone who would try to protect real-world information with just a password has a fool for a security officer.
CODYQX4 Posted March 30, 2016

1 hour ago, straycat19 said:
Why rely on a password when most email and other important sites offer two-factor authentication? We require two-factor authentication as an absolute necessity along with a strong password (2 upper case, 2 lower case, 2 numbers, 2 special characters, minimum size 16, change every 90 days, no password reused for 5 years). We use RSA devices to generate a key to access servers. Personally I use YubiKeys and text messages for authentication on those sites I don't want to be hacked on, such as financial and email. And that works for me, since I get at least one message a week that someone has attempted to hack one of my real email accounts, but that has been going on for years without them having any success. And if they ever did, I leave nothing in the accounts: no contacts, no email, absolutely nothing. It is all downloaded and securely stored. Anyone who would try to protect real-world information with just a password has a fool for a security officer.

I use 2FA whenever available, especially on email. My average password is 32 digits of random stuff, including symbols, on top of that. I tend to trash any email I don't need, and that purges eventually, so it limits the info leaked if someone still gets in. That being said, customer service is the weakest link. Amazon is well known for being easily duped over the phone if you have minimal/frequently leaked info on that person, 2FA or not.