CNBC Just Collected Your Password and Shared It With Marketers

SpacemanukBEJY.53u writes: An article published by CNBC on Tuesday offered tips on how to create a secure password, complete with a form that tested submitted passwords. While well-intended, security experts said it exposed passwords to third-party advertisers. Also, the form created to test a password didn't use SSL/TLS, which meant someone on the same network could have sniffed it. Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet. CNBC quickly withdrew the article.

Re:Not a suprise

[mwvdlee]

Having recently made a random password generator (http://random.toyls.com/), I ended up concluding nothing that tries to help users with passwords can guarentee they are not spied upon.

There's either server code that generates code or javascript that generates it client-side (my solution). In the first case, the server knows the codes before sending them to the user, in the second case, there has to be javascript running, which could basically track everything the user does. (either AJAX, cookies or local storage for later retrieval). And than there's the possibility of third party javascript, either included on the page or provided through browser extensions, which are completely out of control. I make some effort to try and block these javascripts access on my site, but there's really nothing that could stop a determined hacker using a browser extension.