Recently, CNBC ran an article on password security. Embedded in the article was a tool that invited readers to test the strength of their passwords: it was supposed to estimate how long it would take an attacker to “crack” a password, and it came with assurances that passwords would not be stored and would not be sent to third parties. Sadly, neither of those assurances proved to be true.
Security experts who read the article and analyzed the tool found three disturbing problems with it. First and most obviously, the page was served over plain HTTP rather than HTTPS (SSL/TLS). TLS is what keeps anyone sitting on the network path between your computer and the server, on a shared Wi-Fi network or at an ISP, from reading or tampering with the data in transit, which is why banks, e-commerce sites and the like use it. Its absence on this page meant that anything you submitted, the password included, crossed the network in the clear.
Second, despite claims to the contrary, when you entered your password and clicked the submit button, the page sent it to a script hosted on script.google.com (Google’s Apps Script service). The response that came back read “success”, row: XXXX, where XXXX was a number that increased by one with each new password entered: a clear indication that the script was storing the passwords, appending each one as a new row in a spreadsheet or a new record in a database.
Third, security consultants found evidence that the passwords entered via the tool were also forwarded to Google’s DoubleClick ad service and to Scorecard Research, both of them third parties, which is exactly what the tool’s assurances said would not happen.
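The two findings above (a script storing every submission, and trackers receiving the password) can be confirmed without guessing, by typing a unique canary string into the widget instead of a real password, exporting the browser’s network log (a HAR file from the network panel), and searching every request for that canary. The following is an added example of that check, not code from the CNBC page or from the researchers who analyzed it. The request records and responses are constructed, simplified HAR-style entries: script.google.com is the host named in the article, while `news.example`, `ads.tracker.test` and `beacon.analytics.test` are stand-in hostnames, and the `?password=` form submission that leaks via `Referer` is one common path assumed here, not one the article describes.

```javascript
// Added example (not from the CNBC page): locate every request that carried a canary
// "password" typed into a strength-checker widget, and test whether a "row: N" response
// counter behaves like an append-only store. All records below are CONSTRUCTED.

const CANARY = "Canary Pw 7f3a9c!";          // unique string typed into the widget
const PAGE_ORIGIN = "http://news.example";   // assumed page origin, served without TLS

const SAMPLE_REQUESTS = [
  // the widget page itself: no canary anywhere
  { method: "GET", url: "http://news.example/password-tool/", headers: {}, body: "" },
  // submission to an Apps Script web app, password in the POST body
  { method: "POST", url: "https://script.google.com/macros/s/EXAMPLEID/exec",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: "action=check&password=" + encodeURIComponent(CANARY) },
  // ad pixel (stand-in host) with the password copied into a query parameter
  { method: "GET", url: "https://ads.tracker.test/pixel?ev=submit&pw=" + encodeURIComponent(CANARY),
    headers: { Referer: "http://news.example/password-tool/" }, body: "" },
  // analytics beacon (stand-in host) that receives the password via Referer, because
  // in this constructed scenario the form was submitted with GET and the page URL carried it
  { method: "GET", url: "http://beacon.analytics.test/b?site=news",
    headers: { Referer: "http://news.example/password-tool/?password=" + encodeURIComponent(CANARY) },
    body: "" },
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// True if `text` carries the canary raw or percent-encoded. Other encodings a tracker
// might apply (base64, custom escaping) would need further variants added here.
function carriesCanary(text, canary) {
  if (!text) return false;
  return [canary, encodeURIComponent(canary)].some((v) => text.includes(v));
}

// Where inside one request the canary appears: URL, body and/or a named header.
function leakLocations(req, canary) {
  const where = [];
  if (carriesCanary(req.url, canary)) where.push("url");
  if (carriesCanary(req.body, canary)) where.push("body");
  for (const [name, value] of Object.entries(req.headers || {})) {
    if (carriesCanary(value, canary)) where.push("header:" + name.toLowerCase());
  }
  return where;
}

// One finding per request that carried the canary anywhere, flagging third-party
// destinations and requests that crossed the network without TLS.
function findLeaks(requests, canary, pageOrigin) {
  const pageHost = hostOf(pageOrigin);
  const findings = [];
  for (const req of requests) {
    const where = leakLocations(req, canary);
    if (where.length === 0) continue;
    const host = hostOf(req.url);
    findings.push({
      host,
      thirdParty: host !== pageHost,
      plaintext: !req.url.startsWith("https://"),   // readable by anyone on the path
      where,
    });
  }
  return findings;
}

// The "success, row: N" response from the article: extract N from one response text.
function rowFromResponse(text) {
  const m = /row:\s*(\d+)/i.exec(text);
  return m ? Number(m[1]) : null;
}

// If N rises across successive submissions, the script is appending a row per password,
// i.e. storing them. The article saw +1 each time; a larger gap just means other
// visitors submitted in between, so any strict increase is treated as the signal.
function looksLikeAppendOnlyStore(responses) {
  const rows = responses.map(rowFromResponse);
  if (rows.length < 2 || rows.some((r) => r === null)) return false;
  return rows.every((r, i) => i === 0 || r > rows[i - 1]);
}

// Constructed responses to three successive submissions.
const SAMPLE_RESPONSES = ['"success", row: 1041', '"success", row: 1042', '"success", row: 1043'];

for (const f of findLeaks(SAMPLE_REQUESTS, CANARY, PAGE_ORIGIN)) {
  console.log(`${f.host}: canary in ${f.where.join(", ")}` +
              (f.thirdParty ? " [third party]" : "") + (f.plaintext ? " [plain HTTP]" : ""));
}
console.log("append-only store:", looksLikeAppendOnlyStore(SAMPLE_RESPONSES));
```

Using a canary rather than a real password means the check itself leaks nothing of value. On the constructed data the three third-party requests are reported (body, query string and `Referer` respectively, with the last one also flagged as plain HTTP), the page’s own request is not, and the rising row counter is reported as storage. Against a real HAR export you would map each entry’s `request.url`, `request.headers` and `request.postData.text` onto the record shape used here, and submit several canaries so the counter check has more than one response to compare.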
CNBC has since removed the article, but so far has offered no official explanation in response to the findings of the security professionals who evaluated the page and the tool it contained.
The lesson here is simple: don’t enter your passwords anywhere except the applications and sites you established them for. Doing so, even when the tool is offered by a respected company, could put your passwords at risk. Note that a strength estimate never needs to leave your browser in the first place; it can be computed entirely by client-side code. If a “checker” makes any network request when you click submit, or the page is not served over HTTPS, treat that as the warning sign. It’s simply a risk you do not need to take.