Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chinese Developer Forum Leaks 6 Million User Credentials

Posted by timothy on from the it's-curtains-for-you-elizabeth-my-dearbook dept.

gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials including user names, password, emails, all in clear text, got leaked to the Internet. The CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available at GitHub. Somewhat surprisingly, the cryptic sounding password 'dearbook' ranks 4th with 46053 accounts using it."

102 comments

  1. The apology letter by elrous0 · · Score: -1, Troll

    We really sorry
    We no joke
    Didn't mean to put pee-pee in your coke.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:The apology letter by Anonymous Coward · · Score: -1

      We rearry sorry

      FTFY

    2. Re:The apology letter by Anonymous Coward · · Score: 0

      China, not NK. Dumbass.

    3. Re:The apology letter by Anonymous Coward · · Score: 0

      you not know your engrish.

    4. Re:The apology letter by Anonymous Coward · · Score: 0

      When are you idiots going to stop trusting this 'cloud' crap and move onto P2P as web based usage as the correct way of using 'your' trusted information??? Other than that the web should be for reference only!

  2. Interesting... by thestudio_bob · · Score: 0

    The hackers got hacked?

    --
    The real Sig captains the Northwestern. This one captains /.
    1. Re:Interesting... by Anonymous Coward · · Score: 0

      Max Vision is back!

  3. 'dearbook'? by 1s44c · · Score: 1

    What does 'dearbook' mean something to the chinese? It sounds like nonsense to a native English speaker.

    Clear text passwords - idiots.

    1. Re:'dearbook'? by Anonymous Coward · · Score: 0

      That's the same password I use for our naval carrier. I should change it.

      signed - Lo Wang

    2. Re:'dearbook'? by Anonymous Coward · · Score: 0

      No, sounds like something YOU don't get, regardless of language.

    3. Re:'dearbook'? by BigMattyC · · Score: 2, Insightful

      It is probably a reference to Mao's Little Red Book. http://en.wikipedia.org/wiki/Quotations_from_Chairman_Mao#Images_from_.22The_Little_Red_Book.22

    4. Re:'dearbook'? by Anonymous Coward · · Score: 5, Informative

      dearbook.com.cn is a chinese online technical book retailer owned by CSDN.

    5. Re:'dearbook'? by Anonymous Coward · · Score: 1

      It's the Chinese' answer to Amazon (dearbook.com.cn). Probably devs for said site.

    6. Re:'dearbook'? by TheModelEskimo · · Score: 2

      Checking it out a bit further, looks like Dearbook is the name of an online IT community or something similar. I found some relation between Dearbook and this CSDN thing so maybe it's like somebody using the password "Geeknet" for Slashdot? Something in that vein, anyway.

    7. Re:'dearbook'? by 1s44c · · Score: 0

      dearbook.com.cn is a chinese online technical book retailer owned by CSDN.

      The first answer that doesn't take the piss. Thanks.

    8. Re:'dearbook'? by Anonymous Coward · · Score: -1

      > What does 'dearbook' mean something to the chinese? It sounds like nonsense to a native English speaker.

      well.. everyone is fucking your language,dude..get used to it :D

    9. Re:'dearbook'? by somersault · · Score: 1

      All 47000?

      Do excuse me for this. Ahem. "lol".

      --
      which is totally what she said
    10. Re:'dearbook'? by robbo · · Score: 2

      Could be cultural but my money is on several thousand spammer-created accounts using the same password.

      --
      So long, and thanks for all the Phish
    11. Re:'dearbook'? by Baloroth · · Score: 2

      Wait, how do you know my password?! You hacker!!

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    12. Re:'dearbook'? by robbo · · Score: 1

      Ok, I'm wrong about this- most likely the bookstore...

      --
      So long, and thanks for all the Phish
    13. Re:'dearbook'? by jc42 · · Score: 2

      Another likely cause is some software package that uses "dearbook" as the default password, or uses it in examples. People have a way of making minimal changes in things that they install, out of fear of breaking something. They also tend to copy examples literally, even the fields that are supposed to contain personal information.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    14. Re:'dearbook'? by Anonymous Coward · · Score: 0

      I think the password arrangement is telling of what the most reused passwords are.

      Seriously the passwords picked I wouldn't be surprised if they're just robo-spam signups. Just because we don't visit China doesn't mean they don't have the same spamming issues we do. The dearbook suggests maybe a default password or maybe the targeted site itself.

    15. Re:'dearbook'? by Anonymous Coward · · Score: 0

      What a coincidence. I have the same password on my luggage.

      Sorry, I had to say it. Move along people; nothing to see here.

    16. Re:'dearbook'? by Anonymous Coward · · Score: 0

      Frosty Piss?

    17. Re:'dearbook'? by kramulous · · Score: 1

      A work friend's response:
      ----------------
      From what I guess, (just for fun)

      In English,
      1."Oh Dear"=="Oh God"
      divide "Oh" on both sides=> dear==god
      thus "dearbook" =="godbook"

      In Chinese,
      "tian"=="god"
      "shu"=="book"

      "tian shu" literally means a book that only God can read. It is basically a book has nothing but blank pages. :)

      --
      .
  4. some thing to do with dearleader? by Anonymous Coward · · Score: 0

    good that he is dead

    1. Re:some thing to do with dearleader? by InterestingFella · · Score: 0

      I kinda find it funny that it is labeled as "surprisingly". US people still cant get that there are other cultures and languages in the world.

    2. Re:some thing to do with dearleader? by Anonymous Coward · · Score: 1

      Do you really think that is true? Especially in the technical world? That US people have no idea that there are other cultures in the world? Pfftt ... BTW ... do YOU know what a dearbook is? Show me YOUR lack of ignorance! And do it without searching the Internet :)

      I find it "surprising" that people continue to stereotype all US people as ignorant of other cultures.

    3. Re:some thing to do with dearleader? by somersault · · Score: 1

      Especially in the technical world, yes. I was reading an interview with Linus where he says that most people use English when talking about technical matters even if they both have the same first language.

      --
      which is totally what she said
    4. Re:some thing to do with dearleader? by cyfer2000 · · Score: 4, Informative

      it's an online book store.

      --
      There is a spark in every single flame bait point.
    5. Re:some thing to do with dearleader? by Baloroth · · Score: 2, Insightful

      But that doesn't mean people are ignorant of cultures. English is simply a good language for technical matters, for a large number of reasons. Being the de facto standard is only the most obvious.

      Also, I should point out the British invented English, not the US, and they spread it around the world, so I'm really not sure what your point here is. Point of fact, the US probably has more variety of culture than any other nation in the world.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    6. Re:some thing to do with dearleader? by Runaway1956 · · Score: 0

      Actually, I think the English invented their language. And, that predated Great Britain by a couple of years, at least.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    7. Re:some thing to do with dearleader? by somersault · · Score: 1

      It doesn't necessarily, but it does mean that many people can speak to others online assuming they're American just because they speak English. People assume I'm American all the time..

      --
      which is totally what she said
    8. Re:some thing to do with dearleader? by sqldr · · Score: 1

      Sort of. It and "Lowland Scots" evolved alongside eachother with the same root. They diverged over a couple of centuries, but they are still very similar, and it's quite comprehensible to a native English speaker.

      --
      I wrote my first program at the age of six, and I still can't work out how this website works.
    9. Re:some thing to do with dearleader? by Anonymous Coward · · Score: 0

      No, not ALL US citizens, but definitely MOST US citizens.

    10. Re:some thing to do with dearleader? by Anonymous Coward · · Score: 0

      That I can understand - but why did over 3000 people chose 1qaz2wsx ?

    11. Re:some thing to do with dearleader? by pntkl · · Score: 1

      That string comes up all over the place. Seems pretty difficult to figure out, in just a moment. This is my favorite result: http://www.metacafe.com/watch/4130367/1qaz2wsx/ :P

    12. Re:some thing to do with dearleader? by _0xd0ad · · Score: 2

      1 2 3 4 5 6 7 8 9 0
      q w e r t y u i o p
      a s d f g h j k l ;
      z x c v b n m , .

    13. Re:some thing to do with dearleader? by Anonymous Coward · · Score: 0

      The British might have invented English but well... talking to them ain't easy. From my experience (of a random European mainlander):

      "I have got a notebook"
      "We don't use it, it's an old fashioned pile of sheets of paper"
      "So what do you use as a portable computer?"
      "A laptop."
      "I see... and you got a lot of mist there right?"
      "No, what do you mean by that?"
      "That earie look from the Baskerville's Hound movie.
      "We call it fog here..."

  5. How many people here on slashdot by Obble · · Score: -1

    see there own passwords in the list?

    * guilty :-(

    1. Re:How many people here on slashdot by g0bshiTe · · Score: 4, Funny

      I looked for mine, 1234 wasn't on the list.

      Shit! Now I have to change it. I'll just add a 5.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    2. Re:How many people here on slashdot by Anonymous Coward · · Score: 0

      see there own passwords in the list?

      * guilty :-(

      gee, it wasn't number 72 on the list eh?
      '3.1415926', 1200 accounts.

    3. Re:How many people here on slashdot by kbg · · Score: 2

      That's amazing. I've got the same combination on my luggage

  6. "Who cares" level of password by Anonymous Coward · · Score: 4, Insightful

    They all seem to be the sort of password I'd type in for an account that I really don't care about, and am only creating because it's mandatory.

    Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

    1. Re:"Who cares" level of password by jabbany · · Score: 2

      Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

      As a CSDN user, I'd say : No.

      Still, it doesn't prevent millions of users, who are too 'busy' to even bother use a dummy password, from actually using their main passwords (web banking, email etc.) on the AD riddled forum.

  7. Before April 2009 by tchernobog · · Score: 4, Insightful

    passwords created before April 2009 had been stored in plain text

    UPDATE users SET password = SHA1(password) WHERE created_at

    There. Did it for you. Won't prevent everything getting stolen, but at least you don't give away any more passwords reusable on other websites.

    I mean... seriously?? So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

    --
    42.
    1. Re: before April 2009 by tchernobog · · Score: 2

      UPDATE users SET password = SHA1(password) WHERE created_at <= '2009-04-01';

      I hate angular brackets in HTML.

      --
      42.
    2. Re:Before April 2009 by OverlordQ · · Score: 4, Informative

      So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

      Mediawiki is (re: was) like that. When it changes password schemes it detects which version the pw is stored in, authenticates using that (older) method and then upgrades you to the new format.

      --
      Your hair look like poop, Bob! - Wanker.
    3. Re:Before April 2009 by Ex+Machina · · Score: 3, Insightful

      That's cool, but there should be salting. http://en.wikipedia.org/wiki/Salt_(cryptography)

    4. Re:Before April 2009 by Anonymous Coward · · Score: 0

      Can somebody pass this guy some salt?

    5. Re:Before April 2009 by Anonymous Coward · · Score: 1

      This is because the old format was ALSO hashed (but not salted). You can't do the update query above unless you have the plaintext.

    6. Re: before April 2009 by Anonymous Coward · · Score: 0

      Now that you've showed them how to do it, I am sure they will get right on it...

    7. Re:Before April 2009 by AmiMoJo · · Score: 1

      If it only updates after login and you don't login any more because you got fed up with wiki*...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Before April 2009 by Anonymous Coward · · Score: 1

      Ex Machina, you culturally ignorant slut. Don't try forcing your Occidental mores on other cultures. In China they season their passwords with MSG instead of salt.

    9. Re: before April 2009 by Anonymous Coward · · Score: 0

      Aww man, [password] was an nvarchar(20) column - too short for a 40 hex character SHA-1 hash. Now nobody can login!

    10. Re:Before April 2009 by RobertinXinyang · · Score: 1

      I live in China, the problem is not that the technicians do not know how to do this (well many are shockingly incompetent; if I described my desktop XP install, here in my office, you would blanch); the problem is that the decisions are not made by the people doing the work. The decisions about what needs to be done are made by leaders.

      The leaders do not need to hear ideas from below, if the people below had any worthy ideas then they would be leaders. They give orders and the orders are acted on; or not depending on if the capacity to follow the order is present. What they do not do is listen. As such, they do not allow actions that the "workers" see as needed. Further, if an order is given and the capacity is not present, the work just doesn't get done. Then, at the next meeting they demand that it get done in a more forceful manner; but, they still do not listen to why it wasn't done.

      The typical result is that what needs to be done is eventually accomplished; but, in an outlandishly inefficient manner because the workers are using makeshift tool and methods.

      Back to the problem, I suspect that many see the problem; however, until a "leader" sees the problem then no orders will be given and nothing will be done.

  8. I've never understood clear text passwords by Anonymous Coward · · Score: 2, Insightful

    It's sooooo easy to md5 a password before doing anything with it. md5 it in javascript and never bother collecting the clear text, is it the most secure ever? probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.

    1. Re:I've never understood clear text passwords by Anonymous Coward · · Score: 0

      Unsalted MD5 is fairly weak when compared to storage costs and rainbow tables.
      SHA1 is a step up from MD5. Add salt to improve it.

      Still not as good though as 'cut the cord, encase in cement' security, but more usable.

    2. Re:I've never understood clear text passwords by _0xd0ad · · Score: 4, Insightful

      If the MD5 is all that gets sent, it is the password. If someone gets the MD5 hashes they can log in by hacking the Javascript to send the MD5 without ever having the original password.

    3. Re:I've never understood clear text passwords by jabbany · · Score: 2, Informative

      It's sooooo easy to md5 a password before doing anything with it. md5 it in javascript and never bother collecting the clear text, is it the most secure ever? probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.

      Actually, doing MD5 on a client side script is severe no-no if it were the only form of authentication. A hacker could simply run a script running through all 16^32 possiblities of the MD5 hash instead of the almost infinite possiblities of the original password. Doing a client side MD5 actually weakens many passwords instead of strenthening them. You're left with something around an 18 character alpha-numeric-symbol password - no matter how long or difficult your original password was.

    4. Re:I've never understood clear text passwords by Anonymous Coward · · Score: 0

      If you know the server is going to use MD5, you can just feed it exactly the same 16^32 possibilities. You don't even need to match the original password, you just need to feed it a string that will match the original password's MD5 (i.e., essentially a rainbow table). In other words, the issue isn't where the MD5 is made; it's MD5 itself. But feeding 16^32 passwords to a server (whether pre-hashed or not) is not really viable, unless the server has no flood protection.

    5. Re:I've never understood clear text passwords by _0xd0ad · · Score: 2

      Do you have any idea how many that is?

      16^32 = 3.4x10^38

      If they could try 1M hashes per second, that would take over 10^25 years...

    6. Re:I've never understood clear text passwords by ftobin · · Score: 1

      What you say is true, but one benefit of doing an MD5 before it's sent is that one can't infer other passwords from a MD5 hash. A person might use passwords that follow a similar pattern that can be deduced by looking at cleartext, but not from hashes. For example, passwords a person might use could be "mypassword@slashdot", and "mypassword@sourceforge", one could probably guess their Facebook password.

      Added salt helps even further.

      The conclusion is that the authenticator should never receive the client's plaintext password in any form; it should always be one-way transformed before it leaves the client.

    7. Re:I've never understood clear text passwords by Anonymous Coward · · Score: 1

      there's an easy way to fix this kind of flaws: browser could send md5(password) but the db could store md5(md5(password))

    8. Re:I've never understood clear text passwords by _0xd0ad · · Score: 3, Insightful

      There's nothing wrong with hashing your own password so that someone can't infer "mypassword@sourceforge" from "mypassword@slashdot", but you can't trust a client-side hash function any more than you can trust the server-side authentication, unless it's your client-side hash function.

      There's no benefit in designing a login form that hashes the password before it's sent, as long as the form is using SSL. Furthermore, there's no backward-compatibility for people who have Javascript disabled. They can't log in.

    9. Re:I've never understood clear text passwords by ftobin · · Score: 1

      You don't have to trust the client-side hashing function, as ordinarily you're not expecting it to be implemented on top of ordinary security. It's simply a bonus level of security a site can provide, even in the case of SSL transport, in case the receiver is compromised. In other words, it's possible that one component of the authentication process that handles the client-side-generated string (either a hash or cleartext password) is compromised, but not the authentication prompter itself. In this sort of case, there are clear benefits to client-side hashing.

      I should note that I'm not limiting my discussion to webpage-style authentication. If the protocol enforces hashing on the client-side before sending, you don't have to worry about trusting the client-side or javascript being disabled.

    10. Re:I've never understood clear text passwords by _0xd0ad · · Score: 1

      You don't have to trust the client-side hashing function, as ordinarily you're not expecting it to be implemented on top of ordinary security. It's simply a bonus level of security a site can provide

      From the user's perspective, the same benefits would be obtained equally well by simply not re-using passwords. From the web designer's perspective, there's no benefit to hashing on the client vs. on the server.

      even in the case of SSL transport, in case the receiver is compromised

      The hash is still the password, so if the receiver is compromised, you get the password.

      If the protocol enforces hashing on the client-side before sending, you don't have to worry about trusting the client-side or javascript being disabled.

      Maybe you have confused hashing with encryption.

    11. Re:I've never understood clear text passwords by pclminion · · Score: 1

      How about a browser plugin that causes every password text box to automatically hash its contents before submitting the form? Something like this:

      User enters password in password field. Browser consults a salt database, keyed by hostname. If entry for this host is not found, adds one, and generates a random salt. Otherwise, uses previously generated salt. The browser then concatenates the password in the input field with the salt. Hashes the result. Represents in base64. The result of all this is what is actually submitted to the form.

      Now you've forced your password to be salted and hashed regardless of what the web site is doing with it. Even if they store it in plain text, no matter.

    12. Re:I've never understood clear text passwords by _0xd0ad · · Score: 1

      That's why I said there's nothing wrong with hashing your own passwords. However, in practice, just about every web site has its own quirky rules about what can or can't be used as a password, which makes it hard to use any single system for all of them.

    13. Re:I've never understood clear text passwords by Anonymous Coward · · Score: 0

      If the MD5 is all that gets sent, it is the password. If someone gets the MD5 hashes they can log in by hacking the Javascript to send the MD5 without ever having the original password.

      Waaaaaa ?

      So you say by sending md5-hash-pw to a portal that do md5 after receiving the plaintext pw by form (as it is the proper way, use SSL if you need to by pass plaintext ... ) will let them pass ?

      so md5(pw) = md5(md5(pw) ) ???

      WTF is wrong with you?!

      Insightfull my a**

    14. Re:I've never understood clear text passwords by Anonymous Coward · · Score: 0

      Actually, doing MD5 on a client side script is severe no-no if it were the only form of authentication. A hacker could simply run a script running through all 16^32 possiblities of the MD5 hash instead of the almost infinite possiblities of the original password. Doing a client side MD5 actually weakens many passwords instead of strenthening them. You're left with something around an 18 character alpha-numeric-symbol password - no matter how long or difficult your original password was.

      There, you are the one who should be rated insightful

      What happened to REAL dev who can THINK ? Glad to hear there are still some left on Slashdot.

    15. Re:I've never understood clear text passwords by _0xd0ad · · Score: 1

      No. Perhaps I should try to explain it again, very carefully. See if you can follow this.

      If it's hashed on the client side, either it is or it isn't also hashed on the server side. Consider these scenarios separately:

      First, assuming it's only hashed once, on the client side. That hash is transmitted and stored on the server. If someone dumps the database and gets those hashes, they don't need the original password: hack the client-side to just send the correct hash without needing the original password to create that hash.

      The other scenario, where it's hashed at both the client and the server, implies that you don't trust the website to transmit your un-hashed password - in which case, you shouldn't trust it to have your un-hashed password in the first place. Hash your password first, then use that as a password for that site.

      In neither case does automatically hashing the password on the client-side accomplish anything useful. The first is woefully insecure and the second is no more secure than sending the password itself. If you're using SSL, it should be fine.

    16. Re:I've never understood clear text passwords by Arrepiadd · · Score: 1

      If I understood what you meant; how do I log in from another computer?

    17. Re:I've never understood clear text passwords by pclminion · · Score: 0

      If I understood what you meant; how do I log in from another computer?

      Well, you'd need to install the plug-in on any browser you'd want to use, which I admit is a drawback. But the salt DB could easily be put out in the cloud somewhere. The hashes themselves aren't sensitive information.

    18. Re:I've never understood clear text passwords by pclminion · · Score: 0

      Err, the salts aren't sensitive information, is what I meant.

    19. Re:I've never understood clear text passwords by scdeimos · · Score: 1

      User enters password in password field. Browser consults a salt database, keyed by hostname. If entry for this host is not found, adds one, and generates a random salt. Otherwise, uses previously generated salt. The browser then concatenates the password in the input field with the salt. Hashes the result. Represents in base64. The result of all this is what is actually submitted to the form.

      I guess you can say goodbye to federated authentication schemes like OpenLogin.

    20. Re:I've never understood clear text passwords by jrumney · · Score: 1

      md5 it in javascript and never bother collecting the clear text, is it the most secure ever?

      Doing it like you describe, it is effectively a cleartext password, albeit a different one than the user typed.

  9. Ah, the smell of security by DeathToBill · · Score: -1, Flamebait

    1 in 10 accounts uses one of the top 10 passwords. It's still better than iPhone users.

    --
    Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
  10. Download link for file? by Anonymous Coward · · Score: -1

    anyone have alt download link for the list? nice little wordlist to have floating around

  11. That's the stupidest password I've ever heard! by jtownatpunk.net · · Score: 0, Flamebait

    The kind of thing an idiot would have on his luggage!

    1. Re:That's the stupidest password I've ever heard! by Anonymous Coward · · Score: 0

      I knew it, I'm surrounded by assholes...

    2. Re:That's the stupidest password I've ever heard! by Anonymous Coward · · Score: 0

      We were lost, none of us knew where we were. Then Harry starts 'feeling around on all the trees' and he says... "I got it we on Pluto", I say, 'Harry how can ya tell", and he says, "from the bark, you dummies. Ha-ha! From the bark!"

  12. What... by CAIMLAS · · Score: 1

    After looking at port scans this morning, I have one thing to say: what goes around comes around. I have a hard time thinking such incompetence as would lead to so many exploited machines is possible without just a little bit of malice.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  13. Storing cleartext passwords is asking for trouble. by mortonda · · Score: 1

    I'm looking at you, Mailman... http://www.list.org/

  14. Is it now warranted to store passwords on paper? by Anonymous Coward · · Score: 0

    Yada yada, everything says that you should memorize passwords. In theory each site should have a different one. People have been told forever that they MUST NOT write down the password to anything anywhere, and the corresponding behaviour is to reuse passwords.

    It stuck me the other day - given that the scope of online activities and identities seems to increase, but human capacity for good passwords and online security does not, and given common constraints e.g. the assumption that many people will reuse passwords - would it make sense to go back to storing passwords on paper?

    I have 3 systems myself:
    A very widely used password in the form of a jumble of letters I tweak 2 letters of depending on the name of the website.
    A "special" password for a small number of more important sites.
    A couple of phrases with a special character in them for encrypted data.

  15. 18th password? by Sollord · · Score: 2

    I understand where a lot of the passwords come form but what is the basis for the 18th on the list "xiazhili" What does it mean? I doesn't line up with anything I can figure out like the others

    1. Re:18th password? by Mojo66 · · Score: 1

      The Chines language is made of thousands of symbols and there is a translation table to map those symbols to the 26 western characters. "xiazhili" might be chinese for 'swordfish'.

    2. Re:18th password? by Anonymous Coward · · Score: 0

      It's semi-phonetic. I can't actually read it, but I'm told it can be pronounced as the original chinese (in one of the dialects).

    3. Re:18th password? by amicusNYCL · · Score: 1

      My favorites are line 82 ("!@", with 1006 accounts using it), and line 94 (empty string, with 863 accounts).

      So in addition to storing passwords in clear text, they also have (had?) no password requirements at all.

      And I bet some of the people there are the same people hacking into our critical infrastructure. What does that say about us?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:18th password? by LokiMorgan · · Score: 1

      poor password and iloveyou, knocked down to the top 30!

    5. Re:18th password? by Anonymous Coward · · Score: 0

      XiaZhiLi is an user with a popular avatar picture in CSDN. http://d.download.csdn.net/user/xiazhili

  16. I'm safe by Anonymous Coward · · Score: 0

    Whew!

    My password is waaaaaaaaay down in the 40s!

  17. ... for new malware attack vector by Transdimentia · · Score: 1

    ... for new malware attack vector on daft news readers.

  18. Download by Anonymous Coward · · Score: 0

    http://dazzlepod.com/csdn/

  19. DearBook and 1234... really? by Anonymous Coward · · Score: 0

    If this is any indication of the level of security that China has on their exposed systems then I doubt that our security agencies are having any trouble infiltrating Chinese systems.

  20. password swiping by fdor · · Score: 1

    We've had at least 3 engineers from Chinese companies visit us that put their index finger on 1 and swipe 23456789 all in one motion for their laptop password. I had never seen that before working with the Chinese. Is swiping the keyboard for passwords only popular in China, or do idiots everywhere do that?

    1. Re:password swiping by Anonymous Coward · · Score: 0

      FWIW, it really only works with laptops - when I try it on a normal keyboard I get a different result every time...
      12457890
      1234576890
      123460
      12357890
      123570
      124680-
      146890
      135890
      1246890
      12468990
      1790
      1467890
      123467890

  21. fraction by Anonymous Coward · · Score: 0

    in china 6million is just like 0000.6 % of the population so really not that bad:-)

    1. Re:fraction by ElementOfDestruction · · Score: 1

      Thank god. Here I was thinking it was 000.6% or - even worse - 00.6%!

  22. mod 3ow-n by Anonymous Coward · · Score: -1

    had Become like

  23. n00bs by Anonymous Coward · · Score: 0

    lol n00bs in China leakin' ur passwords

  24. Chinese number combos by damian2k · · Score: 1

    english 'iloveyou' is at #26 but the Mandarin for the same is 'wo ai ni' ... 'woaini1314' is at #83. the 1314 means "forever" ... because it sounds like forever when pronounced in Cantonese. At #93 is '5845201314' - when pronounced in mandarin - 'wo fa shi, wo ai ni, yi san yi si'. ... which sounds like - "i swear to love you forever and ever"... More here: http://en.wikipedia.org/wiki/Numbers_in_Chinese_culture#Combinations