This week an article on CNBC’s Big Crunch blog attempted to promote password security but ended up compromising user passwords. Entitled “Apple and the Construction of Secure Passwords," the article offered users an opportunity to test their passwords for complexity. Users were encouraged to create passwords using a combination of upper- and lower-case letters, numbers, and symbols to make them harder to crack.

The tool which proposed to test their password’s complexity attempted to tell users how long it would take a hacker to crack their password.  It turned out that the tool was insecure, stored users’ passwords, and transmitted the passwords to CNBC’s advertising partners. 

Soon after the article was published, a number of online security experts weighed in. Adrienne Porter Felt, a part of the Google Chrome security team, pointed out that the password was transmitted without basic encryption. This could have allowed another user on the same network to view the password as it was sent in clear text. 

According to Ashkan Soltani, a privacy and security researcher, the password form also transmitted user passwords to CNBC’s advertising partners including Google’s advertising service and comScore, an online marketing company.

Kane York, a programmer and member of the Let’s Encrypt project, analyzed the traffic from the CNBC article and discovered that the passwords being submitted were being stored in a Google Docs document without the user's knowledge. 

CNBC promptly pulled the article from their website without a follow-up or explanation. The password security article did make a good point about password security, though inadvertently. You should never use a single password across all your accounts, it greatly increases your chances of being compromised in a hack or data breach, as attackers would gain access to more than one of your services at a time. Also, never provide your password to a third party for the purposes of research, testing, or if they offer you magic beans.