Here are some things a website should NOT do when offering a “test your password strength” submission box.
• Fail to use HTTPS web encryption
• Send all submitted passwords to a Google doc
• Share those passwords with dozens of third parties
CNBC made all of these mistakes in a recent well-intentioned password security article, which it has now taken down. Props to Google security engineer Adrienne Porter Felt for spotting the trouble. RP