CNBC just learned a hard, hard lesson about password security. The news outlet posted (and promptly took down) an article on the subject whose centerpiece was a "how strong is your password?" text entry box that, if anything, was a classic example of how not to manage those all-important logins. For a start, Google's Adrienne Porter Felt noticed that the box sent your password unencrypted, guaranteeing that any snoop could intercept it and test it against your real accounts. To make matters worse, others discovered that the site sent the password not just to a Google Docs spreadsheet, but also to multiple third parties -- when CNBC said "no passwords are being stored," it was flat-out wrong.
Things wouldn't have gone well even if the text field were airtight. The tool appeared to underestimate how long it would take to crack passwords, potentially lulling you into a false sense of security. In fairness, CNBC is aware of what happened and is spending time improving the tool. The real question is why the initial version didn't appear to get serious scrutiny before it went live -- if you're going to educate the public about the value of good security, you need to practice what you preach.