Chinese Developer Forum Leaks 6 Million User Credentials

timothy posted more than 2 years ago | from the it's-curtains-for-you-elizabeth-my-dearbook dept.

China 102

gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials including user names, passwords, emails, all in clear text, got leaked to the Internet. The CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available at GitHub. Somewhat surprisingly, the cryptic-sounding password 'dearbook' ranks 4th with 46053 accounts using it."

102 comments

The apology letter (-1, Troll)

elrous0 (869638) | more than 2 years ago | (#38460034)

We really sorry
We no joke
Didn't mean to put pee-pee in your coke.

Re:The apology letter (-1)

Anonymous Coward | more than 2 years ago | (#38460066)

We rearry sorry

FTFY

Re:The apology letter (0)

Anonymous Coward | more than 2 years ago | (#38460184)

China, not NK. Dumbass.

Re:The apology letter (0)

Anonymous Coward | more than 2 years ago | (#38460238)

you not know your engrish.

Re:The apology letter (0)

Anonymous Coward | more than 2 years ago | (#38467334)

When are you idiots going to stop trusting this 'cloud' crap and move onto P2P as web based usage as the correct way of using 'your' trusted information??? Other than that the web should be for reference only!

Interesting... (0)

thestudio_bob (894258) | more than 2 years ago | (#38460070)

The hackers got hacked?

Re:Interesting... (0)

Anonymous Coward | more than 2 years ago | (#38461256)

Max Vision is back!

'dearbook'? (1)

1s44c (552956) | more than 2 years ago | (#38460090)

What does 'dearbook' mean something to the chinese? It sounds like nonsense to a native English speaker.

Clear text passwords - idiots.

some thing to do with dearleader? (0)

Anonymous Coward | more than 2 years ago | (#38460128)

good that he is dead

Re:some thing to do with dearleader? (0)

InterestingFella (2537066) | more than 2 years ago | (#38460174)

I kinda find it funny that it is labeled as "surprisingly". US people still can't get that there are other cultures and languages in the world.

Re:some thing to do with dearleader? (1)

Anonymous Coward | more than 2 years ago | (#38460244)

Do you really think that is true? Especially in the technical world? That US people have no idea that there are other cultures in the world? Pfftt ... BTW ... do YOU know what a dearbook is? Show me YOUR lack of ignorance! And do it without searching the Internet :)

I find it "surprising" that people continue to stereotype all US people as ignorant of other cultures.

Re:some thing to do with dearleader? (1)

somersault (912633) | more than 2 years ago | (#38460388)

Especially in the technical world, yes. I was reading an interview with Linus where he says that most people use English when talking about technical matters even if they both have the same first language.

Re:some thing to do with dearleader? (2, Insightful)

Baloroth (2370816) | more than 2 years ago | (#38460458)

But that doesn't mean people are ignorant of cultures. English is simply a good language for technical matters, for a large number of reasons. Being the de facto standard is only the most obvious.

Also, I should point out the British invented English, not the US, and they spread it around the world, so I'm really not sure what your point here is. Point of fact, the US probably has more variety of culture than any other nation in the world.

Re:some thing to do with dearleader? (0)

Runaway1956 (1322357) | more than 2 years ago | (#38460556)

Actually, I think the English invented their language. And, that predated Great Britain by a couple of years, at least.

Re:some thing to do with dearleader? (1)

sqldr (838964) | more than 2 years ago | (#38460824)

Sort of. It and "Lowland Scots" evolved alongside each other with the same root. They diverged over a couple of centuries, but they are still very similar, and it's quite comprehensible to a native English speaker.

Re:some thing to do with dearleader? (1)

somersault (912633) | more than 2 years ago | (#38460584)

It doesn't necessarily, but it does mean that many people can speak to others online assuming they're American just because they speak English. People assume I'm American all the time..

Re:some thing to do with dearleader? (4, Informative)

cyfer2000 (548592) | more than 2 years ago | (#38460396)

it's an online book store.

Re:some thing to do with dearleader? (0)

Anonymous Coward | more than 2 years ago | (#38467062)

That I can understand - but why did over 3000 people choose 1qaz2wsx ?

Re:some thing to do with dearleader? (1)

pntkl (2187764) | more than 2 years ago | (#38467648)

That string comes up all over the place. Seems pretty difficult to figure out, in just a moment. This is my favorite result: http://www.metacafe.com/watch/4130367/1qaz2wsx/ [metacafe.com] :P

Re:some thing to do with dearleader? (2)

_0xd0ad (1974778) | more than 2 years ago | (#38467832)

1 2 3 4 5 6 7 8 9 0
q w e r t y u i o p
a s d f g h j k l ;
z x c v b n m , .

Re:some thing to do with dearleader? (0)

Anonymous Coward | more than 2 years ago | (#38463580)

No, not ALL US citizens, but definitely MOST US citizens.

Re:'dearbook'? (0)

Anonymous Coward | more than 2 years ago | (#38460146)

That's the same password I use for our naval carrier. I should change it.

signed - Lo Wang

Re:'dearbook'? (0)

Anonymous Coward | more than 2 years ago | (#38463742)

What a coincidence. I have the same password on my luggage.

Sorry, I had to say it. Move along people; nothing to see here.

Re:'dearbook'? (0)

Anonymous Coward | more than 2 years ago | (#38460150)

No, sounds like something YOU don't get, regardless of language.

Re:'dearbook'? (5, Informative)

Anonymous Coward | more than 2 years ago | (#38460216)

dearbook.com.cn is a Chinese online technical book retailer owned by CSDN.

Re:'dearbook'? (0)

1s44c (552956) | more than 2 years ago | (#38460344)

> dearbook.com.cn is a Chinese online technical book retailer owned by CSDN.

The first answer that doesn't take the piss. Thanks.

Re:'dearbook'? (0)

Anonymous Coward | more than 2 years ago | (#38465020)

Frosty Piss?

Re:'dearbook'? (1)

Anonymous Coward | more than 2 years ago | (#38460232)

It's the Chinese answer to Amazon (dearbook.com.cn). Probably devs for said site.

Re:'dearbook'? (1)

somersault (912633) | more than 2 years ago | (#38460440)

All 47000?

Do excuse me for this. Ahem. "lol".

Re:'dearbook'? (0)

Anonymous Coward | more than 2 years ago | (#38462834)

I think the password arrangement is telling of what the most reused passwords are.

Seriously the passwords picked I wouldn't be surprised if they're just robo-spam signups. Just because we don't visit China doesn't mean they don't have the same spamming issues we do. The dearbook suggests maybe a default password or maybe the targeted site itself.

Re:'dearbook'? (2)

TheModelEskimo (968202) | more than 2 years ago | (#38460332)

Checking it out a bit further, looks like Dearbook is the name of an online IT community or something similar. I found some relation between Dearbook and this CSDN thing so maybe it's like somebody using the password "Geeknet" for Slashdot? Something in that vein, anyway.

Re:'dearbook'? (2)

Baloroth (2370816) | more than 2 years ago | (#38460480)

Wait, how do you know my password?! You hacker!!

Re:'dearbook'? (-1)

Anonymous Coward | more than 2 years ago | (#38460428)

> What does 'dearbook' mean something to the chinese? It sounds like nonsense to a native English speaker.

well.. everyone is fucking your language,dude..get used to it :D

Re:'dearbook'? (2)

robbo (4388) | more than 2 years ago | (#38460466)

Could be cultural but my money is on several thousand spammer-created accounts using the same password.

Re:'dearbook'? (1)

robbo (4388) | more than 2 years ago | (#38460522)

Ok, I'm wrong about this- most likely the bookstore...

Re:'dearbook'? (2)

jc42 (318812) | more than 2 years ago | (#38460698)

Another likely cause is some software package that uses "dearbook" as the default password, or uses it in examples. People have a way of making minimal changes in things that they install, out of fear of breaking something. They also tend to copy examples literally, even the fields that are supposed to contain personal information.

How many people here on slashdot (1)

Obble (1680532) | more than 2 years ago | (#38460144)

see their own passwords in the list?

* guilty :-(

Re:How many people here on slashdot (4, Funny)

g0bshiTe (596213) | more than 2 years ago | (#38460504)

I looked for mine, 1234 wasn't on the list.

Shit! Now I have to change it. I'll just add a 5.

Re:How many people here on slashdot (2)

kbg (241421) | about 2 years ago | (#38469536)

That's amazing. I've got the same combination on my luggage

Re:How many people here on slashdot (0)

Anonymous Coward | more than 2 years ago | (#38460996)

> see their own passwords in the list?
>
> * guilty :-(

gee, it wasn't number 72 on the list eh?
'3.1415926', 1200 accounts.

"Who cares" level of password (4, Insightful)

Anonymous Coward | more than 2 years ago | (#38460176)

They all seem to be the sort of password I'd type in for an account that I really don't care about, and am only creating because it's mandatory.

Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

Re:"Who cares" level of password (2)

jabbany (2425264) | more than 2 years ago | (#38460634)

> Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

As a CSDN user, I'd say : No.

Still, it doesn't prevent millions of users, who are too 'busy' to even bother to use a dummy password, from actually using their main passwords (web banking, email etc.) on the ad-riddled forum.

Before April 2009 (4, Insightful)

tchernobog (752560) | more than 2 years ago | (#38460228)

> passwords created before April 2009 had been stored in plain text

UPDATE users SET password = SHA1(password) WHERE created_at

There. Did it for you. Won't prevent everything getting stolen, but at least you don't give away any more passwords reusable on other websites.

I mean... seriously?? So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

Re: before April 2009 (2)

tchernobog (752560) | more than 2 years ago | (#38460252)

UPDATE users SET password = SHA1(password) WHERE created_at <= '2009-04-01';

I hate angular brackets in HTML.

Re: before April 2009 (0)

Anonymous Coward | more than 2 years ago | (#38460562)

Now that you've shown them how to do it, I am sure they will get right on it...

Re: before April 2009 (0)

Anonymous Coward | more than 2 years ago | (#38466388)

Aww man, [password] was an nvarchar(20) column - too short for a 40 hex character SHA-1 hash. Now nobody can login!

Re:Before April 2009 (4, Informative)

OverlordQ (264228) | more than 2 years ago | (#38460286)

> So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

Mediawiki is (re: was) like that. When it changes password schemes it detects which version the pw is stored in, authenticates using that (older) method and then upgrades you to the new format.

Re:Before April 2009 (1)

Anonymous Coward | more than 2 years ago | (#38460418)

This is because the old format was ALSO hashed (but not salted). You can't do the update query above unless you have the plaintext.

Re:Before April 2009 (1)

AmiMoJo (196126) | more than 2 years ago | (#38461184)

If it only updates after login and you don't login any more because you got fed up with wiki*...

Re:Before April 2009 (3, Insightful)

Ex Machina (10710) | more than 2 years ago | (#38460308)

That's cool, but there should be salting. http://en.wikipedia.org/wiki/Salt_(cryptography) [wikipedia.org]
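The points raised in this sub-thread (the bulk UPDATE, upgrade on login, the objection that old hashes cannot be re-hashed without the plaintext, accounts that never log in again, and salting) combined in one sketch. This is an added example, not code from any commenter, CSDN or MediaWiki; the `scheme$...` record layout, PBKDF2 as the slow hash, the iteration count and all names are assumptions, and wrapping the legacy hash offline goes beyond what the comments describe.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def sha1_hex(password: str) -> str:
    """The unsalted SHA1(password) that the UPDATE statement above would store."""
    return hashlib.sha1(password.encode()).hexdigest()


def _stretch(secret: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations).hex()


def _new_record(scheme: str, secret: str) -> str:
    salt = os.urandom(16)  # fresh random salt per account
    digest = _stretch(secret, salt, ITERATIONS)
    # Note: far longer than a 20-character column; widen the column first.
    return f"{scheme}${ITERATIONS}${salt.hex()}${digest}"


def _check(rest: str, secret: str) -> bool:
    iterations, salt_hex, expected = rest.split("$")
    actual = _stretch(secret, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(actual.encode(), expected.encode())


def bulk_upgrade(store: dict) -> int:
    """Offline pass: no legacy row survives, even for users who never return."""
    changed = 0
    for user, record in list(store.items()):
        scheme, _, rest = record.partition("$")
        if scheme == "plain":
            # Plaintext is available, so go straight to the final scheme.
            store[user] = _new_record("pbkdf2", rest)
        elif scheme == "sha1":
            # Plaintext is gone: salt and stretch the old hash itself.
            store[user] = _new_record("pbkdf2-sha1", rest)
        else:
            continue
        changed += 1
    return changed


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Detect the stored scheme, verify with it, then rewrite to the final one."""
    record = store.get(user)
    if record is None:
        return False
    scheme, _, rest = record.partition("$")
    if scheme == "plain":
        ok = hmac.compare_digest(rest.encode(), password.encode())
    elif scheme == "sha1":
        ok = hmac.compare_digest(rest.encode(), sha1_hex(password).encode())
    elif scheme == "pbkdf2":
        ok = _check(rest, password)
    elif scheme == "pbkdf2-sha1":
        ok = _check(rest, sha1_hex(password))
    else:
        ok = False
    if ok and scheme != "pbkdf2":
        # Upgrade on login: the plaintext is in hand only at this moment.
        store[user] = _new_record("pbkdf2", password)
    return ok


def scheme_of(store: dict, user: str) -> str:
    return store[user].partition("$")[0]


if __name__ == "__main__":
    # Constructed sample rows; the "scheme$data" layout is this example's own.
    users = {"alice": "plain$dearbook", "bob": "sha1$" + sha1_hex("1qaz2wsx")}
    print(bulk_upgrade(users), {u: scheme_of(users, u) for u in users})
    print(verify_and_upgrade(users, "bob", "1qaz2wsx"), scheme_of(users, "bob"))
```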

Re:Before April 2009 (1)

Anonymous Coward | more than 2 years ago | (#38461186)

Ex Machina, you culturally ignorant slut. Don't try forcing your Occidental mores on other cultures. In China they season their passwords with MSG instead of salt.

Re:Before April 2009 (0)

Anonymous Coward | more than 2 years ago | (#38460312)

Can somebody pass this guy some salt?

Re:Before April 2009 (1)

RobertinXinyang (1001181) | more than 2 years ago | (#38466866)

I live in China, the problem is not that the technicians do not know how to do this (well many are shockingly incompetent; if I described my desktop XP install, here in my office, you would blanch); the problem is that the decisions are not made by the people doing the work. The decisions about what needs to be done are made by leaders.

The leaders do not need to hear ideas from below, if the people below had any worthy ideas then they would be leaders. They give orders and the orders are acted on; or not depending on if the capacity to follow the order is present. What they do not do is listen. As such, they do not allow actions that the "workers" see as needed. Further, if an order is given and the capacity is not present, the work just doesn't get done. Then, at the next meeting they demand that it get done in a more forceful manner; but, they still do not listen to why it wasn't done.

The typical result is that what needs to be done is eventually accomplished; but, in an outlandishly inefficient manner because the workers are using makeshift tools and methods.

Back to the problem, I suspect that many see the problem; however, until a "leader" sees the problem then no orders will be given and nothing will be done.

I've never understood clear text passwords (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38460230)

It's sooooo easy to md5 a password before doing anything with it. md5 it in javascript and never bother collecting the clear text, is it the most secure ever? probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.

Re:I've never understood clear text passwords (0)

Anonymous Coward | more than 2 years ago | (#38460356)

Unsalted MD5 is fairly weak when compared to storage costs and rainbow tables.
SHA1 is a step up from MD5. Add salt to improve it.

Still not as good though as 'cut the cord, encase in cement' security, but more usable.

Re:I've never understood clear text passwords (4, Insightful)

_0xd0ad (1974778) | more than 2 years ago | (#38460544)

If the MD5 is all that gets sent, it is the password. If someone gets the MD5 hashes they can log in by hacking the Javascript to send the MD5 without ever having the original password.

Re:I've never understood clear text passwords (1)

ftobin (48814) | more than 2 years ago | (#38461030)

What you say is true, but one benefit of doing an MD5 before it's sent is that one can't infer other passwords from an MD5 hash. A person might use passwords that follow a similar pattern that can be deduced by looking at cleartext, but not from hashes. For example, if the passwords a person uses are "mypassword@slashdot" and "mypassword@sourceforge", one could probably guess their Facebook password.

Added salt helps even further.

The conclusion is that the authenticator should never receive the client's plaintext password in any form; it should always be one-way transformed before it leaves the client.

Re:I've never understood clear text passwords (3, Insightful)

_0xd0ad (1974778) | more than 2 years ago | (#38461440)

There's nothing wrong with hashing your own password so that someone can't infer "mypassword@sourceforge" from "mypassword@slashdot", but you can't trust a client-side hash function any more than you can trust the server-side authentication, unless it's your client-side hash function.

There's no benefit in designing a login form that hashes the password before it's sent, as long as the form is using SSL. Furthermore, there's no backward-compatibility for people who have Javascript disabled. They can't log in.

Re:I've never understood clear text passwords (1)

ftobin (48814) | more than 2 years ago | (#38462852)

You don't have to trust the client-side hashing function, as ordinarily you're not expecting it to be implemented on top of ordinary security. It's simply a bonus level of security a site can provide, even in the case of SSL transport, in case the receiver is compromised. In other words, it's possible that one component of the authentication process that handles the client-side-generated string (either a hash or cleartext password) is compromised, but not the authentication prompter itself. In this sort of case, there are clear benefits to client-side hashing.

I should note that I'm not limiting my discussion to webpage-style authentication. If the protocol enforces hashing on the client-side before sending, you don't have to worry about trusting the client-side or javascript being disabled.

Re:I've never understood clear text passwords (1)

_0xd0ad (1974778) | more than 2 years ago | (#38463362)

> You don't have to trust the client-side hashing function, as ordinarily you're not expecting it to be implemented on top of ordinary security. It's simply a bonus level of security a site can provide

From the user's perspective, the same benefits would be obtained equally well by simply not re-using passwords. From the web designer's perspective, there's no benefit to hashing on the client vs. on the server.

> even in the case of SSL transport, in case the receiver is compromised

The hash is still the password, so if the receiver is compromised, you get the password.

> If the protocol enforces hashing on the client-side before sending, you don't have to worry about trusting the client-side or javascript being disabled.

Maybe you have confused hashing with encryption.

Re:I've never understood clear text passwords (1)

pclminion (145572) | more than 2 years ago | (#38463914)

How about a browser plugin that causes every password text box to automatically hash its contents before submitting the form? Something like this:

User enters password in password field. Browser consults a salt database, keyed by hostname. If entry for this host is not found, adds one, and generates a random salt. Otherwise, uses previously generated salt. The browser then concatenates the password in the input field with the salt. Hashes the result. Represents in base64. The result of all this is what is actually submitted to the form.

Now you've forced your password to be salted and hashed regardless of what the web site is doing with it. Even if they store it in plain text, no matter.

Re:I've never understood clear text passwords (1)

_0xd0ad (1974778) | more than 2 years ago | (#38464368)

That's why I said there's nothing wrong with hashing your own passwords. However, in practice, just about every web site has its own quirky rules about what can or can't be used as a password, which makes it hard to use any single system for all of them.

Re:I've never understood clear text passwords (1)

Arrepiadd (688829) | more than 2 years ago | (#38465636)

If I understood what you meant; how do I log in from another computer?

Re:I've never understood clear text passwords (0)

pclminion (145572) | more than 2 years ago | (#38466190)

> If I understood what you meant; how do I log in from another computer?

Well, you'd need to install the plug-in on any browser you'd want to use, which I admit is a drawback. But the salt DB could easily be put out in the cloud somewhere. The hashes themselves aren't sensitive information.

Re:I've never understood clear text passwords (0)

pclminion (145572) | more than 2 years ago | (#38466208)

Err, the salts aren't sensitive information, is what I meant.

Re:I've never understood clear text passwords (1)

scdeimos (632778) | more than 2 years ago | (#38466464)

> User enters password in password field. Browser consults a salt database, keyed by hostname. If entry for this host is not found, adds one, and generates a random salt. Otherwise, uses previously generated salt. The browser then concatenates the password in the input field with the salt. Hashes the result. Represents in base64. The result of all this is what is actually submitted to the form.

I guess you can say goodbye to federated authentication schemes like OpenLogin.

Re:I've never understood clear text passwords (1)

Anonymous Coward | more than 2 years ago | (#38461372)

there's an easy way to fix this kind of flaw: browser could send md5(password) but the db could store md5(md5(password))

Re:I've never understood clear text passwords (0)

Anonymous Coward | more than 2 years ago | (#38464662)

> If the MD5 is all that gets sent, it is the password. If someone gets the MD5 hashes they can log in by hacking the Javascript to send the MD5 without ever having the original password.

Waaaaaa ?

So you say by sending md5-hash-pw to a portal that do md5 after receiving the plaintext pw by form (as it is the proper way, use SSL if you need to by pass plaintext ... ) will let them pass ?

so md5(pw) = md5(md5(pw) ) ???

WTF is wrong with you?!

Insightful my a**

Re:I've never understood clear text passwords (1)

_0xd0ad (1974778) | more than 2 years ago | (#38465152)

No. Perhaps I should try to explain it again, very carefully. See if you can follow this.

If it's hashed on the client side, either it is or it isn't also hashed on the server side. Consider these scenarios separately:

First, assuming it's only hashed once, on the client side. That hash is transmitted and stored on the server. If someone dumps the database and gets those hashes, they don't need the original password: hack the client-side to just send the correct hash without needing the original password to create that hash.

The other scenario, where it's hashed at both the client and the server, implies that you don't trust the website to transmit your un-hashed password - in which case, you shouldn't trust it to have your un-hashed password in the first place. Hash your password first, then use that as a password for that site.

In neither case does automatically hashing the password on the client-side accomplish anything useful. The first is woefully insecure and the second is no more secure than sending the password itself. If you're using SSL, it should be fine.
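The scenarios in the comment above, turned into a check a site owner can run against their own login path: does the value stored in the database work as a login input by itself? This is an added example, not the poster's code; the class names, PBKDF2 parameters and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os


def client_md5(password: str) -> str:
    """What a login form's script would send instead of the typed password."""
    return hashlib.md5(password.encode()).hexdigest()


class StoresWhatItReceives:
    """Scenario 1: hashed once, on the client; the server stores that value."""

    def __init__(self):
        self.db = {}

    def register(self, user: str, received: str) -> None:
        self.db[user] = received

    def login(self, user: str, received: str) -> bool:
        stored = self.db.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), received.encode())

    def dump(self, user: str) -> str:
        """The column a database leak would expose."""
        return self.db[user]


class HashesWhatItReceives:
    """Server salts and stretches whatever arrives (plaintext or client hash)."""

    ITERATIONS = 100_000  # assumed work factor

    def __init__(self):
        self.db = {}

    def _derive(self, received: str, salt: bytes) -> str:
        return hashlib.pbkdf2_hmac(
            "sha256", received.encode(), salt, self.ITERATIONS
        ).hex()

    def register(self, user: str, received: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(received, salt))

    def login(self, user: str, received: str) -> bool:
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return hmac.compare_digest(stored.encode(), self._derive(received, salt).encode())

    def dump(self, user: str) -> str:
        return self.db[user][1]


def stored_value_is_credential(server, user: str) -> bool:
    """True if submitting the stored column verbatim authenticates."""
    return server.login(user, server.dump(user))


def run_scenarios(password: str = "correct horse") -> dict:
    """Register one constructed account under each design and run the check."""
    results = {}

    client_only = StoresWhatItReceives()
    client_only.register("alice", client_md5(password))
    results["client hash only"] = stored_value_is_credential(client_only, "alice")

    both = HashesWhatItReceives()
    both.register("alice", client_md5(password))
    results["client hash + server hash"] = stored_value_is_credential(both, "alice")

    server_only = HashesWhatItReceives()
    server_only.register("alice", password)
    results["server hash only"] = stored_value_is_credential(server_only, "alice")

    return results


if __name__ == "__main__":
    for design, leaked_value_works in run_scenarios().items():
        print(f"{design}: stored value logs in = {leaked_value_works}")
```

In the two designs where the server hashes, the client-side MD5 changes nothing about this check; it only replaces the secret that travels over the wire with a different one.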

Re:I've never understood clear text passwords (2, Informative)

jabbany (2425264) | more than 2 years ago | (#38460572)

> It's sooooo easy to md5 a password before doing anything with it. md5 it in javascript and never bother collecting the clear text, is it the most secure ever? probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.

Actually, doing MD5 on a client side script is a severe no-no if it were the only form of authentication. A hacker could simply run a script running through all 16^32 possibilities of the MD5 hash instead of the almost infinite possibilities of the original password. Doing a client side MD5 actually weakens many passwords instead of strengthening them. You're left with something around an 18 character alpha-numeric-symbol password - no matter how long or difficult your original password was.

Re:I've never understood clear text passwords (0)

Anonymous Coward | more than 2 years ago | (#38460804)

If you know the server is going to use MD5, you can just feed it exactly the same 16^32 possibilities. You don't even need to match the original password, you just need to feed it a string that will match the original password's MD5 (i.e., essentially a rainbow table). In other words, the issue isn't where the MD5 is made; it's MD5 itself. But feeding 16^32 passwords to a server (whether pre-hashed or not) is not really viable, unless the server has no flood protection.

Re:I've never understood clear text passwords (2)

_0xd0ad (1974778) | more than 2 years ago | (#38460868)

Do you have any idea how many that is?

16^32 = 3.4x10^38

If they could try 1M hashes per second, that would take over 10^25 years...

Re:I've never understood clear text passwords (0)

Anonymous Coward | more than 2 years ago | (#38464758)

> Actually, doing MD5 on a client side script is a severe no-no if it were the only form of authentication. A hacker could simply run a script running through all 16^32 possibilities of the MD5 hash instead of the almost infinite possibilities of the original password. Doing a client side MD5 actually weakens many passwords instead of strengthening them. You're left with something around an 18 character alpha-numeric-symbol password - no matter how long or difficult your original password was.

There, you are the one who should be rated insightful

What happened to REAL dev who can THINK ? Glad to hear there are still some left on Slashdot.

Re:I've never understood clear text passwords (1)

jrumney (197329) | more than 2 years ago | (#38467210)

> md5 it in javascript and never bother collecting the clear text, is it the most secure ever?

Doing it like you describe, it is effectively a cleartext password, albeit a different one than the user typed.

Ah, the smell of security (-1, Flamebait)

DeathToBill (601486) | more than 2 years ago | (#38460262)

1 in 10 accounts uses one of the top 10 passwords. It's still better than iPhone users.

Download link for file? (-1)

Anonymous Coward | more than 2 years ago | (#38460292)

anyone have alt download link for the list? nice little wordlist to have floating around

That's the stupidest password I've ever heard! (0, Flamebait)

jtownatpunk.net (245670) | more than 2 years ago | (#38460322)

The kind of thing an idiot would have on his luggage!

Re:That's the stupidest password I've ever heard! (0)

Anonymous Coward | more than 2 years ago | (#38460498)

I knew it, I'm surrounded by assholes...

Re:That's the stupidest password I've ever heard! (0)

Anonymous Coward | more than 2 years ago | (#38460602)

We were lost, none of us knew where we were. Then Harry starts 'feeling around on all the trees' and he says... "I got it we on Pluto", I say, 'Harry how can ya tell", and he says, "from the bark, you dummies. Ha-ha! From the bark!"

What... (1)

CAIMLAS (41445) | more than 2 years ago | (#38460434)

After looking at port scans this morning, I have one thing to say: what goes around comes around. I have a hard time thinking such incompetence as would lead to so many exploited machines is possible without just a little bit of malice.

Storing cleartext passwords is asking for trouble. (1)

mortonda (5175) | more than 2 years ago | (#38460532)

I'm looking at you, Mailman... http://www.list.org/ [list.org]

Is it now warranted to store passwords on paper? (0)

Anonymous Coward | more than 2 years ago | (#38460564)

Yada yada, everything says that you should memorize passwords. In theory each site should have a different one. People have been told forever that they MUST NOT write down the password to anything anywhere, and the corresponding behaviour is to reuse passwords.

It struck me the other day - given that the scope of online activities and identities seems to increase, but human capacity for good passwords and online security does not, and given common constraints e.g. the assumption that many people will reuse passwords - would it make sense to go back to storing passwords on paper?

I have 3 systems myself:
A very widely used password in the form of a jumble of letters I tweak 2 letters of depending on the name of the website.
A "special" password for a small number of more important sites.
A couple of phrases with a special character in them for encrypted data.

18th password? (2)

Sollord (888521) | more than 2 years ago | (#38460690)

I understand where a lot of the passwords come from, but what is the basis for the 18th on the list, "xiazhili"? What does it mean? It doesn't line up with anything I can figure out like the others.

Re:18th password? (1)

Mojo66 (1131579) | more than 2 years ago | (#38461226)

The Chinese language is made of thousands of symbols and there is a translation table to map those symbols to the 26 western characters. "xiazhili" might be Chinese for 'swordfish'.

Re:18th password? (0)

Anonymous Coward | more than 2 years ago | (#38461352)

It's semi-phonetic. I can't actually read it, but I'm told it can be pronounced as the original Chinese (in one of the dialects).

Re:18th password? (1)

amicusNYCL (1538833) | more than 2 years ago | (#38461896)

My favorites are line 82 ("!@", with 1006 accounts using it), and line 94 (empty string, with 863 accounts).

So in addition to storing passwords in clear text, they also have (had?) no password requirements at all.

And I bet some of the people there are the same people hacking into our critical infrastructure. What does that say about us?

Re:18th password? (1)

LokiMorgan (1757026) | more than 2 years ago | (#38463430)

poor password and iloveyou, knocked down to the top 30!

Re:18th password? (0)

Anonymous Coward | more than 2 years ago | (#38467544)

XiaZhiLi is a user with a popular avatar picture in CSDN. http://d.download.csdn.net/user/xiazhili

I'm safe (0)

Anonymous Coward | more than 2 years ago | (#38460898)

Whew!

My password is waaaaaaaaay down in the 40s!

... for new malware attack vector (1)

Transdimentia (840912) | more than 2 years ago | (#38461334)

... for new malware attack vector on daft news readers.

Download (0)

Anonymous Coward | more than 2 years ago | (#38461538)

http://dazzlepod.com/csdn/

DearBook and 1234... really? (0)

Anonymous Coward | more than 2 years ago | (#38461542)

If this is any indication of the level of security that China has on their exposed systems then I doubt that our security agencies are having any trouble infiltrating Chinese systems.

password swiping (1)

fdor (2537456) | more than 2 years ago | (#38461668)

We've had at least 3 engineers from Chinese companies visit us that put their index finger on 1 and swipe 23456789 all in one motion for their laptop password. I had never seen that before working with the Chinese. Is swiping the keyboard for passwords only popular in China, or do idiots everywhere do that?

Re:password swiping (0)

Anonymous Coward | more than 2 years ago | (#38462112)

FWIW, it really only works with laptops - when I try it on a normal keyboard I get a different result every time...
12457890
1234576890
123460
12357890
123570
124680-
146890
135890
1246890
12468990
1790
1467890
123467890

fraction (0)

Anonymous Coward | more than 2 years ago | (#38461756)

in china 6million is just like 0000.6 % of the population so really not that bad:-)

Re:fraction (1)

ElementOfDestruction (2024308) | more than 2 years ago | (#38463692)

Thank god. Here I was thinking it was 000.6% or - even worse - 00.6%!

mod 3ow-n (-1)

Anonymous Coward | more than 2 years ago | (#38464068)

had Become like

n00bs (0)

Anonymous Coward | more than 2 years ago | (#38465212)

lol n00bs in China leakin' ur passwords

Chinese number combos (1)

damian2k (2358426) | more than 2 years ago | (#38467528)

English 'iloveyou' is at #26 but the Mandarin for the same is 'wo ai ni' ... 'woaini1314' is at #83. The 1314 means "forever" ... because it sounds like forever when pronounced in Cantonese. At #93 is '5845201314' - when pronounced in Mandarin - 'wo fa shi, wo ai ni, yi san yi si'. ... which sounds like - "i swear to love you forever and ever"... More here: http://en.wikipedia.org/wiki/Numbers_in_Chinese_culture#Combinations [wikipedia.org]