Slashdot Mirror


CNBC Just Collected Your Password and Shared It With Marketers (pcworld.com)

SpacemanukBEJY.53u writes: An article published by CNBC on Tuesday offered tips on how to create a secure password, complete with a form that tested submitted passwords. While well-intended, security experts said it exposed passwords to third-party advertisers. Also, the form created to test a password didn't use SSL/TLS, which meant someone on the same network could have sniffed it. Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet. CNBC quickly withdrew the article.
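
The two exposures named in the summary above (a password form served without TLS, and third-party code on the same page) can be checked for mechanically. This is an added example, not code from the article or from CNBC's page; `auditPasswordPage`, `SAMPLE_HTML` and the `.example` hosts are hypothetical, and the markup is constructed.

```javascript
// Added example: audit a page that contains a password field.
// Regex extraction is enough for this constructed sample; use a real HTML
// parser when auditing production markup.
function auditPasswordPage(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const attr = (tag, name) => {
    const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
    return m ? m[1] : null;
  };

  // Only pages that actually ask for a password are in scope.
  if (!/<input\b[^>]*\btype\s*=\s*["']password["']/i.test(html)) return findings;

  // A page fetched over http can be read or rewritten on the local network.
  if (page.protocol !== 'https:') {
    findings.push({ issue: 'page-not-https', detail: page.href });
  }
  // A missing or relative action inherits the page's scheme and host.
  for (const tag of html.match(/<form\b[^>]*>/gi) || []) {
    const target = new URL(attr(tag, 'action') || '', page);
    if (target.protocol !== 'https:') {
      findings.push({ issue: 'form-not-https', detail: target.href });
    }
  }
  // Any script from another host runs with full access to the password field.
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attr(tag, 'src');
    if (!src) continue;
    const scriptUrl = new URL(src, page); // resolves "//host/x.js" and "/x.js"
    if (scriptUrl.host !== page.host) {
      findings.push({ issue: 'third-party-script', detail: scriptUrl.host });
    }
  }
  return findings;
}

// Constructed sample page: one first-party script, two third-party scripts.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="//ads.example/collect.js"></script>
<script src="https://metrics.example/tag.js"></script>
</head><body>
<form action="/check" method="post"><input type="password" name="pw"></form>
</body></html>`;

console.log(auditPasswordPage(SAMPLE_HTML, 'http://news.example/password-tips'));
```

Serving the same markup over `https://` clears the two transport findings but leaves both third-party scripts flagged, since TLS does nothing about code the page itself chooses to load.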

18 of 143 comments

  1. Idiot Test by Anonymous Coward · · Score: 5, Funny

    Has your credit card number been stolen? Enter it here to find out!

    1. Re:Idiot Test by Anonymous Coward · · Score: 2, Funny

      And enter your name and CV2 code to prove that you are checking your OWN card number.

    2. Re:Idiot Test by TheCarp · · Score: 2

      Never not give random numbers.

      Actually, I had some fun poisoning a database with the car warranty scam people. Dude called and tried to pretend like the car maker gave them my name. Well I wanted their company name before I pulled the do not call card.... so I play along.

      I had a new car but, I wanted to make his pitch sound really stupid and contradictory, so I told him I had a 1992 Buick LeSabre. Yes, the car manufacturer gave you my name shit really makes sense now, please do go on though :)

      Well long story short, I can't tell you how many calls I got "About the warranty on your Buick LeSabre". I smiled every single time.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Idiot Test by Thanshin · · Score: 3, Funny

      Has your credit card number been stolen? Enter it here to find out!

      341 9207 4491 1246

      How long does it take to have an answer?

    4. Re:Idiot Test by Mathinker · · Score: 3, Funny

      The variety of spam I get is quite interesting, and probably has to do with how many different times I've done that.

      I'm both an over-80 fundamentalist Christian woman AND a bisexual 30-year-old Wiccan!

    5. Re:Idiot Test by RavenLrD20k · · Score: 3, Funny

      Dagobah, Sanctosanctorium, and Auschwitz. Why?

  2. Sound strategy by Thanshin · · Score: 2

    They were obviously applying Torvalds' Secret Sauce.

    They even pushed it one step further: Willing is for willers. Does just Do.

  3. Automatic Password Filter by Anonymous Coward · · Score: 5, Funny

    It's good that Slashdot uses an automatic password filter that converts posted passwords into stars.

    For example, my password is ******** but it doesn't show up in the post. Yeah, I know eight characters really isn't long enough but the first character is an uppercase letter and has a number at the end.

    Why don't you all give it a try.

    1. Re:Automatic Password Filter by Coisiche · · Score: 3, Funny

      **********

      Seems legit.

    2. Re:Automatic Password Filter by Anonymous Coward · · Score: 5, Funny

      hunter2

      doesnt look like stars to me

  4. Re:Not a surprise by mwvdlee · · Score: 4, Interesting

    Having recently made a random password generator (http://random.toyls.com/), I ended up concluding nothing that tries to help users with passwords can guarantee they are not spied upon.

    There's either server code that generates code or JavaScript that generates it client-side (my solution). In the first case, the server knows the codes before sending them to the user; in the second case, there has to be JavaScript running, which could basically track everything the user does (either AJAX, cookies or local storage for later retrieval). And then there's the possibility of third-party JavaScript, either included on the page or provided through browser extensions, which are completely out of control. I make some effort to try and block these JavaScripts' access on my site, but there's really nothing that could stop a determined hacker using a browser extension.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  5. my password from now on is... by ZeRu · · Score: 2

    CNBC is pants.

    --
    If you post as an AC, don't expect me to spend a mod point on you.
    1. Re:my password from now on is... by ihtoit · · Score: 2

      Mathematically, a passphrase using four random dictionary words totalling 44 characters would be unbreakable through the heat death of the universe. On the other hand, a string of 10 random ASCII characters would take about... 6 hours to break on a Pentium 90?

      Password policies have been doing it WRONG.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  6. "Just" stop with the clickbait by H_Fisher · · Score: 4, Insightful

    Can we please stop with the clickbait headlines? News that's more than one hour old did not "just" happen. Unless you're live-blogging on Twitter, whatever you're posting about is going to sound instantly dated. Moreover, it "just" sounds unprofessional — in terms of journalistic "voice," your news now lacks authority and sounds as if it's being delivered by a teenager.

    I worked in journalism for 12 years, full-time and freelance. The dumbing-down of journalism and the rise of clickbait-style reporting are driving away readers, not attracting them. That's especially true for sites like /. where people do actually, sometimes, expect informative and accurate stories ...

  7. Re:Not a surprise by Anonymous Coward · · Score: 2, Insightful

    "Having recently made a random password generator (http://random.toyls.com/), I [...]"

    Also used http instead of https, and don't forward visitors to https either.
    Great job.

  8. No it didn't. Bloody clickbait headlines. by wonkey_monkey · · Score: 2

    CNBC Just Collected Your Password and Shared It With Marketers

    No it didn't. Please try writing a real headline.

    --
    systemd is Roko's Basilisk.
  9. Another wake up call to use Ad Blocking by DumbSwede · · Score: 2

    Might ad-blocking have stopped this? The industry wants to ban ad-blocking, but every other day there is a story about malicious 3rd party exploits using ads as a vector. Why does a news site have to have some horrible complicated JavaScript ad-entwined code to function? Note to industry, the ad can be sandboxed as a static entity separate from the main page JavaScript. Likely this time the passwords didn't end up in the hands of hostiles, but who knows, especially since now they know to go look to see if it was collected as part of other behind the scenes shenanigans. The idea that the page should be "Collecting" page event information from the page for 3rd parties is pretty scary.

  10. Re:LOL, too funny by Hentes · · Score: 2

    They should've used LibreOffice, of course.