CNBC Just Collected Your Password and Shared It With Marketers (pcworld.com) 143
SpacemanukBEJY.53u writes: An article published by CNBC on Tuesday offered tips on how to create a secure password, complete with a form that tested submitted passwords. While well-intended, security experts said it exposed passwords to third-party advertisers. Also, the form created to test a password didn't use SSL/TLS, which meant someone on the same network could have sniffed it. Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet. CNBC quickly withdrew the article.
Idiot Test (Score:5, Funny)
Has your credit card number been stolen? Enter it here to find out!
Re: (Score:2, Funny)
And enter your name and CV2 code to prove that you are checking your OWN card number.
Re: (Score:3)
Never not give random numbers.
Actually, I had some fun poisoning a database with the car warranty scam people. Dude called and tried to pretend like the car maker gave them my name. Well I wanted their company name before I pulled the do not call card.... so I play along.
I had a new car but, I wanted to make his pitch sound really stupid and contradictory, so I told him I had a 1992 Buick LeSabre. Yes, the car manufacturer gave you my name, shit really makes sense now, please do go on though :)
Well long sto
Re: (Score:3, Funny)
The variety of spam I get is quite interesting, and probably has to do with how many different times I've done that.
I'm both an over-80 fundamentalist Christian woman AND a bisexual 30-year old Wiccan!
Re: (Score:2)
Re: (Score:1)
the only important question on the internet is "Bang or not?"
Re: (Score:2)
That is nothing dude. About 15 years ago I found a Chick Tract and looked up their website. I couldn't help myself, I ordered a box set of full size chick comic books. I mean, how can you NOT want comic books about how Islam was founded by the Catholic Church, which is headed by Satan? Fucking GOLD!
But what's really gold..... it put me on their mailing lists.... OMG the WOW!
Re:Idiot Test (Score:4, Funny)
Has your credit card number been stolen? Enter it here to find out!
341 9207 4491 1246
How long does it take to have an answer?
Re:Idiot Test (Score:4, Funny)
Re: (Score:1)
I know you are lying because Auschwitz has no school.
Re: (Score:1)
I know her maiden name, but I have no idea of what her favorite pet is or where she went to school.
Re: (Score:2)
Re: (Score:1)
We do actually sell this service. Obviously it wouldn't make sense to buy a service which does this from a company you don't trust, but customers trust us. We offer the service on behalf of major banks for example.
We have an arm's length contractor who hires people to steal from thieves. So basically say J Random Crook steals ten thousand credit card details from some crappy MySQL-based e-commerce website in Poland and is trading them to other criminals. Daryl Grey has some means (social engineering, zero d
Re: (Score:2)
I totally trust AC with all my credit card security needs.
And a bathtub full of ice (Score:1)
I've always liked the kidney harvesting [xkcd.com] joke myself
Re: (Score:2)
You laugh, but it actually happened to a friend of mine. [youtube.com]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
4000 1234 5678 9010
Re: (Score:2)
You're the idiot [youtube.com]
Sound strategy (Score:3)
They were obviously applying Torvalds' Secret Sauce.
They even pushed it one step further: Willing is for willers. Does just Do.
Not a surprise (Score:2)
I saw something years ago that was an online password strength checker. There was just no way I was going to use it because my immediate thought was that exactly this could happen.
People that persist with weak passwords are a lost cause but there are people who take the security a bit more seriously and are vaguely aware of password strength even if they don't know what password entropy is and they *want* to know if they've made a good password, making them easy fodder for traps like this.
I guess I should a
Re:Not a surprise (Score:5, Interesting)
Having recently made a random password generator (http://random.toyls.com/), I ended up concluding nothing that tries to help users with passwords can guarantee they are not spied upon.
There's either server code that generates code or javascript that generates it client-side (my solution). In the first case, the server knows the codes before sending them to the user; in the second case, there has to be javascript running, which could basically track everything the user does (either AJAX, cookies or local storage for later retrieval). And then there's the possibility of third party javascript, either included on the page or provided through browser extensions, which are completely out of control. I make some effort to try and block these javascripts' access on my site, but there's really nothing that could stop a determined hacker using a browser extension.
Re: (Score:2, Insightful)
"Having recently made a random password generator (http://random.toyls.com/), I [...]"
Also used http instead of https, and don't forward visitors to https either.
Great job.
Re: (Score:1)
Uh, it's Javascript. The script generates the password entirely on the client, and the password itself never traverses the network. Not to mention that the Javascript itself is simple, and by no means a secret. What utter cretin modded you up?
Re: (Score:1)
The script generates the password entirely on the client
Without HTTPS to be sure that you're receiving the script you thought you were, how can you be sure?
Re: (Score:1)
Erm, are we seriously having this conversation right now? You're already putting your trust in a 3rd party, entirely unnecessarily I might add, to generate very, very sensitive data, using a tool that is so simple, you could have written it yourself, and used it from the safety of your own workstation quicker than you could have audited the Javascript you just received over HTTPS.
Seriously, what are you even trying to argue? If you inspect the Javascript, which you did because you're supposedly security con
Re: (Score:2)
Here's a thought question for you: set up a webserver to serve up foo.js with caching disabled. Load the webpage that loads foo.js, then open the source of foo.js in a browser. Prove that when the browser fetches foo.js a second time in order to display its source, that the foo.js you're looking at now is the same foo.js that is running in the window. (This is the current behavior in Chrome, YMMV on other browsers)
Re: (Score:2)
Worrying about https implies that you have increased trust if it is https.
This is the internet. Stop trusting.
I'm not saying not to use HTTPS. But complaining that things aren't trustworthy without it is daft. Things are not trustworthy.
There are a whole bunch of steps that should be taken before even being willing to consider trust. Those haven't been taken when it is a link from some guy in the comments on a website. There is no trust to be had. The only reason to worry about HTTPS in that case would be i
Re: (Score:2)
There are some great tools available.
For password checking, you can try Kaspersky's
https://blog.kaspersky.com/pas... [kaspersky.com]
You can disconnect your computer from the network while using it.
For generating a password:
http://correcthorsebatterystap... [correcthor...staple.net]
Re: (Score:2)
For both; just store the password in a cookie or local storage and wait for the next network-connected visit.
As for the correcthorsebatterystaple generator; without reading the JavaScript, it could be entirely non-random for all you know.
Of course, this goes for code that claims to produce random data. At least with JavaScript you have the option of verifying the code.
These problems are not limited to just these two, but to the very concept of password checker and/or generator websites, including my own.
In th
Re: (Score:1)
Re: (Score:2)
If your password is "+cvcy9oTt", just send "-dt7vQprg" to the online password strength checker. :D
PS: Talking about online password security : I used my usual password generator (pwdhash) with slashdot.org at first, without realising it would generate my account password. It's amazing how stupid I can be
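The trick in the comment above, feeding an untrusted checker a throwaway string of the same shape rather than the real secret, can be automated. The following is an added example (not code from the comment or from any site it mentions) that builds a decoy preserving the length and the character class at every position, with every character changed; the class table and the use of `secrets` are my assumptions. It is stricter than the comment's own pair, which does not keep classes position by position.

```python
import secrets
import string

# Character classes used to describe the "shape" of a password
# (assumed classification: the comment only gives one before/after pair).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def char_class(ch: str):
    """Name of the class `ch` belongs to, or None for unsupported characters."""
    for name, pool in CLASSES.items():
        if ch in pool:
            return name
    return None


def shape(password: str):
    """Class sequence of a string, e.g. '+cvcy9oTt' -> ['symbol', 'lower', ...]."""
    return [char_class(c) for c in password]


def decoy(password: str) -> str:
    """Return a string with the same length and per-position character class as
    `password`, with every position changed, using a CSPRNG. The result can be
    sent to an online strength checker in place of the real secret."""
    out = []
    for ch in password:
        cls = char_class(ch)
        if cls is None:
            # Spaces or non-ASCII would leak a shape we cannot imitate cleanly.
            raise ValueError(f"unsupported character {ch!r}")
        pool = CLASSES[cls].replace(ch, "")   # never reuse the original character
        out.append(secrets.choice(pool))
    return "".join(out)


if __name__ == "__main__":
    real = "+cvcy9oTt"   # constructed sample, from the comment above
    print(real, "->", decoy(real))
```

A decoy still reveals the length and the mix of character classes, which is exactly what a strength checker scores, so it gives the checker what it needs without giving it the password.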
Re: (Score:2)
More realistic scenarios, for people who need their password checked:
If your password is bob, send over mom and see what it says.
If your password is 1234, send over 5678. (Honestly, 5678 is a million times more secure than 1234, but it's still the same ballpark.)
If your password is Snuggie7, send over Cuddly9.
If your password is your current pet's name, send over your previous pet's name.
If your password is your kid's name, send over the name of a niece or nephew.
If your password is your spouse's name, if y
Re: (Score:2)
Before pasting that into a shell, you might want to add:
| head -20
Especially if you're doing it on a remote box over ssh with large buffers and a slow link :-(
Re: (Score:2)
Interesting, thanks.
Here's my modified version. I save my master password in ~/.master
The advantage is that I get the same password every time, only depending on the domain name.
=> [mwnwO;syq|m9^kWZsn7
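The scheme the commenter describes (a master secret in `~/.master`, a per-site password derived from it and the domain name) is the same idea as pwdhash. The commenter's script is not shown on the page; the following is an added example of my own, not theirs, using PBKDF2-HMAC-SHA256 with the lower-cased domain as salt and base85 for a printable alphabet. The iteration count, output length and the `~/.master` file format (one line, trailing whitespace ignored) are assumptions.

```python
import base64
import hashlib
import os
import sys

# Assumed parameters, not the commenter's: tune ITERATIONS to your hardware.
ITERATIONS = 100_000
LENGTH = 20


def derive_site_password(master: str, domain: str, length: int = LENGTH) -> str:
    """Deterministically derive a site password from a master secret and a
    domain. The same inputs always yield the same output; the domain is the
    salt, so every site gets a different password from the one master."""
    # Normalise so "Slashdot.org" and "slashdot.org" derive the same password.
    salt = domain.strip().lower().encode("utf-8")
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=48
    )
    # base85 uses letters, digits and punctuation, never whitespace.
    return base64.b85encode(key).decode("ascii")[:length]


def load_master(path: str = "~/.master") -> str:
    """Read the master secret from a file, as the comment above does."""
    with open(os.path.expanduser(path), encoding="utf-8") as f:
        return f.read().strip()


if __name__ == "__main__":
    # usage: python derive.py slashdot.org
    print(derive_site_password(load_master(), sys.argv[1]))
```

Two consequences worth knowing before relying on this: whoever reads `~/.master` (or any one derived password plus a feasible brute force of the master) gets every site, so the master must be long and the file unreadable to other users; and because the output is a pure function of master and domain, rotating a single site's password means changing the inputs, for instance by appending a per-site counter to the salt.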
Is it too late? (Score:1)
I want to go enter 12345 [youtube.com], hunter2 [bash.org], and the standard test machine password at both HP and Microsoft: abc123.
Automatic Password Filter (Score:5, Funny)
It's good that Slashdot uses an automatic password filter that converts posted passwords into stars.
For example, my password is ******** but it doesn't show up in the post. Yeah, I know eight characters really isn't long enough but the first character is an uppercase letter and has a number at the end.
Why don't you all give it a try.
Re:Automatic Password Filter (Score:4, Funny)
**********
Seems legit.
Re:Automatic Password Filter (Score:5, Funny)
hunter2
doesn't look like stars to me
Re: (Score:1)
It's working. All I see is seven stars.
Re: (Score:1)
Heh, something similar actually happened to me some time ago, when I needed to modify an outdated URL.
The original URL was something like "/tas/secure/incident?unid=[-UNID-]&action=edit&field0=gereed&value0=1&j_username=HTTPrequest&j_password=*******" and braindead me called the guy who wrote this, to ask him for the real password XD
Re: (Score:2)
12345
I dunno, doesn't seem to be working.
Re: (Score:2)
Re: (Score:2)
MARTY!
Re: (Score:2)
I don't know. It seems awfully susceptible to accidentally leaking the password in the case you accidentally use it in a ********.
my password from now on is... (Score:2)
Re: (Score:1)
Password invalid. Your password must be between 7.33 and 8.42 characters long and must contain at least one lowercase character, exactly two uppercase characters, three numbers, a Serbian saying written in Cyrillic, the true name of The One Who Waits Behind the Wall, and a stool sample.
Re: (Score:3)
Mathematically, a passphrase using four random dictionary words totalling 44 characters would be unbreakable through the heat death of the universe. On the other hand, a string of 10 random ASCII characters would take about... 6 hours to break on a Pentium 90?
Password policies have been doing it WRONG.
Re: (Score:2)
Re: (Score:2)
A P90 *year* is equivalent to about 10GFLOPS. IBM's BlueGene/L ran 596TFLOPS. That's about 1.8 trillion times faster.
Re: (Score:2)
Your example (thequickbrownFox) by simple virtue of the single character being uppercase actually doubles the character pool from 26 to 52. You get from relatively short timescales (3700 years at rack-full-of-Blade-GPU speeds) to break, to multiples of Universes by the addition of that character space. Now do the same again, only this time with the entire ASCII extended character set.
Yep, good luck bruteforcing THAT.
Re: (Score:1)
Your example (thequickbrownFox) by simple virtue of the single character being uppercase actually doubles the character pool from 26 to 52...
Are you assuming that the crackers test all of the lower case patterns before they check upper case? How likely is that?
The odds depend on the algorithms the cracker uses, not so much the password. Unless it is something like "12345", that they check first.
Re: (Score:2)
of course they don't if they don't need to, the math depends on the entire character space being tested using the given pool. Nobody I know switches between upper and lower case when say making a throwaway email account.
Re: (Score:1)
of course they don't if they don't need to, the math depends on the entire character space being tested using the given pool. ...
The point is that they don't know what the pool is, or whether they have to test that, until -after- they break the password. So what is chosen may have no difference at all in how long it takes. But they might run lower case test sequence first, just because so many people do it that way...
Re: (Score:2)
Hence the key word "random" in the phrase "using four random dictionary words"
Re: (Score:2)
with 10k words that's still 416 trillion combinations. Even at 2k that's still 664 billion. Thing is you don't know which 10k or 2k to pool from (there are just over 1 million words in the English language as of January 2014 (source: Global Language Monitor)), so let's take from the entire pool: 1,025,000 words. That gives you 4.599E+22 possible combinations. That's forty six heptillion. Random words strung together don't necessarily make sense (horse correct battery staple makes fuck all sense to me, how l
Re: (Score:2)
2000 is very fucking generous. Most people would have a library under half that.
People need to stop taking technical advice from a shitty, shitty web comic.
Re: (Score:2)
that's where you get into the quintillion-year break times for relatively short strings. I'm talking about strings using purely the 26-character space in the Latin alphabet.
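The figures argued over in this subthread (four random words from a vocabulary, 16 lowercase letters versus mixed case, 10 random printable characters) are all search-space arithmetic. The following is an added example, not from any commenter, that computes them: it gives both the order-ignoring count used above (`math.comb`, which is what produces "416 trillion" for 10,000 words) and the count for an actual random passphrase where order matters and words may repeat, and converts a space to bits and to years at a guess rate. The guess rate is a constructed assumption; real rates depend on the hash the target uses.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_space(pool_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters from a pool."""
    return pool_size ** length


def ordered_phrase_space(vocab: int, words: int) -> int:
    """Passphrase space when each word is picked uniformly at random from the
    vocabulary, repeats allowed and order significant (vocab ** words)."""
    return vocab ** words


def unordered_phrase_space(vocab: int, words: int) -> int:
    """The counting used in the thread: distinct words, order ignored.
    This undercounts, since 'correct horse' and 'horse correct' differ."""
    return math.comb(vocab, words)


def entropy_bits(space: int) -> float:
    """Bits of entropy for a uniformly chosen secret from `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e11) -> dict:
    """Bits and exhaustive-search years for the candidates discussed above.
    The default rate is an assumed fast-hash GPU rig, not a measured figure."""
    cases = {
        "16 lowercase":            charset_space(26, 16),
        "16 mixed case":           charset_space(52, 16),
        "10 printable ASCII":      charset_space(95, 10),
        "4 words / 2k, unordered":  unordered_phrase_space(2_000, 4),
        "4 words / 10k, unordered": unordered_phrase_space(10_000, 4),
        "4 words / 10k, ordered":   ordered_phrase_space(10_000, 4),
    }
    return {
        name: (round(entropy_bits(space), 1), years_to_exhaust(space, guesses_per_second))
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:26s} {bits:6.1f} bits  {years:12.3g} years")
```

Two things the numbers show: adding one character class to a 16-character string multiplies the space by 2^16, exactly the "doubling of the pool" in the post above; and a slow password hash (bcrypt, scrypt, Argon2) lowers the guess rate by many orders of magnitude, which moves every row of the table far more than an extra character class does.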
Re: (Score:1)
CNBC is a lame business site (Score:1)
CNBC would never attract real business people or investors. It's a lame mostly liberal business site that mostly caters to the consumer investor who is happy with mostly amateur investor advice. It's not surprising they would do something lame and a security problem. This remember is a site who worships Jim Cramer as some investment guru.
"Just" stop with the clickbait (Score:5, Insightful)
Can we please stop with the clickbait headlines? News that's more than one hour old did not "just" happen. Unless you're live-blogging on Twitter, whatever you're posting about is going to sound instantly dated. Moreover, it "just" sounds unprofessional — in terms of journalistic "voice," your news now lacks authority and sounds as if it's being delivered by a teenager.
I worked in journalism for 12 years, full-time and freelance. The dumbing-down of journalism and the rise of clickbait-style reporting are driving away readers, not attracting them. That's especially true for sites like /. where people do actually, sometimes, expect informative and accurate stories ...
Re: (Score:1)
Re: (Score:1)
What ? I've lurked here for 15 years. I've maybe clicked through 5 links to actual articles. Probably all of them NASA. This isn't "real news". It's real nerds discussing things.
Re: (Score:2)
News that's more than one hour old did not "just" happen.
I love the Slashdot pedant tradition as much as the next guy, but is that really true? The "just" adverb is used for the present perfect [edufind.com] in English. That site describes using "just" to denote "An action that was completed in the very recent past" and since the event in question happened yesterday, surely it qualifies. No?
I worked in journalism for 12 years, full-time and freelance.
But you can't tell the difference between someone's Twitter "what I shat today" feed and real news stories which sometimes take days to unfold and more days for the effects to be fully
Re: (Score:2)
The trouble is, clickbait headlines always increase readership at first, until their credibility is lost. It is a very easy trap to fall into, as readership is the primary stat media is concerned with and has continuous statistics on, while reputation statistics are very infrequent.
Just two days short... (Score:1)
Just two days short and CNBC would have made a fool of itself on April Fool's Day! ;)
After researcher on Valve, season is starting early this year.
No it didn't. Bloody clickbait headlines. (Score:3)
CNBC Just Collected Your Password and Shared It With Marketers
No it didn't. Please try writing a real headline.
LOL (Score:2)
So the test password I entered:
$#%DFGSDFGHZafb39dg2##$!
is out there for everyone to use? *tears up sticky note attached to monitor with the password written on it*
(This joke inspired by a co-worker who used to have an index card with a 5x5 grid of UserIDs and passwords for 25 different internal/external sites he had to access regularly taped to his monitor....)
Re: (Score:2)
(This joke inspired by a co-worker who used to have an index card with a 5x5 grid of UserIDs and passwords for 25 different internal/external sites he had to access regularly taped to his monitor....)
I do have one such list on my wall, except that they are all fake and badly handwritten, with plenty of ambiguity (1/I/l, 0/O...), so subject to plenty of retries if an attacker has time to spend.
Re: (Score:2)
You could also write the passwords backward, or shifted by one character. The former may still be guessable (particularly if any part of your password looks like a real word or date) and the latter may be tough to remember. I kind of like putting in a dummy first and last character and just remembering to drop them.
More than 90 and less than 180 (Score:1)
> Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet.
I dunno, I thought he was kind of ugly.
Ohhhh, you mean *obtuse*? Sorry.
The same idiots just got farmed on Facebook (Score:2)
You see those "games" that leave you with "your dragon ninja name" or other such bullshit, after first collecting the first three digits of your ATM PIN then the name of your first pet then the last digit of your PIN? That's what I'm talking about.
The number of people that scam catches and they don't even realise it, makes me weep.
Example of the media knowing nothing (Score:2)
What people should learn from this is that while the media loves to think that they know everything about everything, they really don't know jack squat. Sadly, far too many people believe the media particularly when they cherry-pick elements of a story or pull the NPR tactic of reporting one specific incident hoping that the listener will generalize in that direction.
Another wake up call to use Ad Blocking (Score:3)
Might Ad-blocking have stopped this? The industry wants to ban ad-blocking, but every other day there is a story about malicious 3rd party exploits using ads as a vector. Why does a news site have to have some horrible complicated Javascript Ad intertwined code to function? Note to industry, the ad can be sandboxed as a static entity separate from the main page Javascript. Likely this time the passwords didn't end up in the hands of hostiles, but who knows, especially since now they know to go look to see if it was collected as part of other behind the scenes shenanigans. The idea that the page should be "Collecting" page event information from the page for 3rd parties is pretty scary.
LOL, too funny (Score:2)
"... an acute observer found they were actually being inputted into a Google Docs spreadsheet."
Now that's the absolute height of security, nothing could possibly be more secure than that.
Re: (Score:3)
They should've used LibreOffice, of course.
Now they have another article they can write (Score:2)
But if they wanted to make it more informative / memorable, they could describe how they may be able to impersonate someone if they can associate one of the entered passwords with one of their registered users (via IP address; not perfect but perhaps good enough) and if that the user used that same password on other
Oxymoron? (Score:1)
By sharing data with a "news" service you get what you deserve! Isn't that what they do, is share?
(And here I am online on the double-entendre of wholly-owned subsidiary of a media company.)
Re: (Score:1)
Perhaps you are a little young. I used several non-MS OSes and desktops before MS managed to put a stranglehold on development.
Maybe you forgot that the company was founded in 1975, and their forte in the early years was development tools (compilers and interpreters).
When reminded of that, people tend to go like 'ah yeah, MSX Basic'. No -- MSX was one of the later products, half way into the 1980's. I'm talking Fortran-80, Basic-80, Cobol-80.
With 80 not signifying a year or decade, but a microprocessor family.
Re: (Score:2)
nope. Intel 8080, which was the next step up from the 8008 and the predecessor to the 8085.
Re: (Score:2)
Nope. First used MS-BASIC in a 16KB TRS-80 (Model 1??) in 1979.
Re: (Score:1, Redundant)
If it hadn't been Microsoft then it would have been some other company that became dominant supplying operating systems to desktops. The move to smaller and more mobile computing would have happened regardless as the technology enabled it. Maybe a bit differently but still inevitably. And whatever company did gain the dominance on the desktop would have been unpopular too.
Re: MSFT is Evil, but not for the reason you think (Score:2)
That gives me an idea. In the modern world sys admins could sell their services like gardeners or pool guys do. One could have one's own sys admin butler person.