Slashdot Mirror


Chinese Developer Forum Leaks 6 Million User Credentials

gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials including user names, passwords, emails, all in clear text, got leaked to the Internet. The CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available at GitHub. Somewhat surprisingly, the cryptic sounding password 'dearbook' ranks 4th with 46053 accounts using it."

23 of 102 comments

  1. "Who cares" level of password by Anonymous Coward · · Score: 4, Insightful

    They all seem to be the sort of password I'd type in for an account that I really don't care about, and am only creating because it's mandatory.

    Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

    1. Re:"Who cares" level of password by jabbany · · Score: 2

      Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

      As a CSDN user, I'd say: No.

      Still, it doesn't prevent millions of users, who are too 'busy' to even bother using a dummy password, from actually using their main passwords (web banking, email etc.) on the ad-riddled forum.

  2. Re:'dearbook'? by BigMattyC · · Score: 2, Insightful
  3. Re:'dearbook'? by Anonymous Coward · · Score: 5, Informative

    dearbook.com.cn is a Chinese online technical book retailer owned by CSDN.

  4. Before April 2009 by tchernobog · · Score: 4, Insightful

    passwords created before April 2009 had been stored in plain text

    UPDATE users SET password = SHA1(password) WHERE created_at

    There. Did it for you. Won't prevent everything getting stolen, but at least you don't give away any more passwords reusable on other websites.

    I mean... seriously?? So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

    --
    42.
    1. Re: before April 2009 by tchernobog · · Score: 2

      UPDATE users SET password = SHA1(password) WHERE created_at <= '2009-04-01';

      I hate angular brackets in HTML.

      --
      42.
    2. Re:Before April 2009 by OverlordQ · · Score: 4, Informative

      So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

      Mediawiki is (re: was) like that. When it changes password schemes it detects which version the pw is stored in, authenticates using that (older) method and then upgrades you to the new format.

      --
      Your hair look like poop, Bob! - Wanker.
    3. Re:Before April 2009 by Ex+Machina · · Score: 3, Insightful

      That's cool, but there should be salting. http://en.wikipedia.org/wiki/Salt_(cryptography)
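The upgrade-on-login scheme OverlordQ describes, combined with the salting Ex+Machina asks for, as an added example (not CSDN's or MediaWiki's code). It assumes three record formats: untagged legacy plaintext, "sha1$<hex>" as the one-off UPDATE earlier in the thread would produce, and a current salted PBKDF2 scheme; the tag on the stored value, not the account creation date, selects the verification path.

```python
import hashlib
import hmac
import os

# Added example, not code from CSDN or MediaWiki. Three storage formats are
# assumed: legacy plaintext (untagged), "sha1$<hex>" (the unsalted hash the
# one-off UPDATE earlier in the thread would produce) and the current
# salted scheme "pbkdf2$<iterations>$<salt hex>$<hash hex>".
ITERATIONS = 100_000


def hash_legacy_sha1(password: str) -> str:
    """Equivalent of SET password = SHA1(password), tagged so it is recognisable."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def hash_current(password: str, salt: bytes = b"") -> str:
    """Salted, slow hash used for new records and for upgraded ones."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(stored: str, password: str):
    """Check `password` against `stored` with whichever scheme the record is in.

    Returns (ok, new_value): new_value is a current-scheme string the caller
    should write back when a legacy record authenticated, otherwise None.
    """
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, hash_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), hash_hex), None
    if stored.startswith("sha1$"):
        ok = hmac.compare_digest(hash_legacy_sha1(password), stored)
    else:
        # Untagged record: a plaintext row from before the migration. A real
        # schema would carry an explicit scheme column so that a plaintext
        # password beginning with "sha1$" could not be mistaken for a hash.
        ok = hmac.compare_digest(stored.encode(), password.encode())
    # Upgrade only after a successful check: the clear text is in hand now,
    # and a failed attempt must not rewrite the record.
    return ok, (hash_current(password) if ok else None)
```

Once every row has been rewritten by a successful login (or by a forced reset for dormant accounts), the two legacy branches can be deleted.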

  5. I've never understood clear text passwords by Anonymous Coward · · Score: 2, Insightful

    It's sooooo easy to md5 a password before doing anything with it. md5 it in JavaScript and never bother collecting the clear text. Is it the most secure ever? Probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.

    1. Re:I've never understood clear text passwords by _0xd0ad · · Score: 4, Insightful

      If the MD5 is all that gets sent, it is the password. If someone gets the MD5 hashes they can log in by hacking the Javascript to send the MD5 without ever having the original password.

    2. Re:I've never understood clear text passwords by jabbany · · Score: 2, Informative

      It's sooooo easy to md5 a password before doing anything with it. md5 it in JavaScript and never bother collecting the clear text. Is it the most secure ever? Probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.

      Actually, doing MD5 in a client side script is a severe no-no if it were the only form of authentication. A hacker could simply run a script running through all 16^32 possibilities of the MD5 hash instead of the almost infinite possibilities of the original password. Doing a client side MD5 actually weakens many passwords instead of strengthening them. You're left with something around an 18 character alpha-numeric-symbol password - no matter how long or difficult your original password was.

    3. Re:I've never understood clear text passwords by _0xd0ad · · Score: 2

      Do you have any idea how many that is?

      16^32 = 3.4x10^38

      If they could try 1M hashes per second, that would take over 10^25 years...

    4. Re:I've never understood clear text passwords by _0xd0ad · · Score: 3, Insightful

      There's nothing wrong with hashing your own password so that someone can't infer "mypassword@sourceforge" from "mypassword@slashdot", but you can't trust a client-side hash function any more than you can trust the server-side authentication, unless it's your client-side hash function.

      There's no benefit in designing a login form that hashes the password before it's sent, as long as the form is using SSL. Furthermore, there's no backward-compatibility for people who have Javascript disabled. They can't log in.
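_0xd0ad's point that "if the MD5 is all that gets sent, it is the password" comes down to what the server does with the value it receives. The added example below (not code from any site in the thread) contrasts two toy server designs behind a form that sends md5(password): one stores and compares the client hash directly, the other treats the client hash as the secret and applies its own salted, slow hash; the function names and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not code from any site discussed. It contrasts two server
# designs behind a login form that sends md5(password) instead of the password.
ITERATIONS = 100_000


def client_md5(password: str) -> str:
    """What the browser-side script proposed above would send."""
    return hashlib.md5(password.encode()).hexdigest()


# Design A: the server stores exactly what the client sends and compares it.
# The stored value therefore IS the credential; a leaked row replays as a login.
def enroll_a(password: str) -> str:
    return client_md5(password)


def verify_a(stored: str, sent: str) -> bool:
    return hmac.compare_digest(stored, sent)


# Design B: the server treats whatever the client sends as the secret and
# runs it through its own salted, slow hash. The database holds nothing
# that can be presented back as a login, and the server still never sees
# the clear-text password.
def enroll_b(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    d = hashlib.pbkdf2_hmac("sha256", client_md5(password).encode(), salt, ITERATIONS)
    return f"{salt.hex()}${d.hex()}"


def verify_b(stored: str, sent: str) -> bool:
    salt_hex, hash_hex = stored.split("$")
    d = hashlib.pbkdf2_hmac("sha256", sent.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(d.hex(), hash_hex)


def leaked_row_suffices(enroll, verify, password: str) -> bool:
    """Model the disclosure: does presenting the stored row itself pass login?"""
    row = enroll(password)
    return verify(row, row)
```

Design B fixes only the replay property; as the comment above says, TLS is still needed in transit and users with JavaScript disabled still need a fallback path.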

  6. Re:'dearbook'? by TheModelEskimo · · Score: 2

    Checking it out a bit further, looks like Dearbook is the name of an online IT community or something similar. I found some relation between Dearbook and this CSDN thing so maybe it's like somebody using the password "Geeknet" for Slashdot? Something in that vein, anyway.

  7. Re:some thing to do with dearleader? by cyfer2000 · · Score: 4, Informative

    It's an online book store.

    --
    There is a spark in every single flame bait point.
  8. Re:some thing to do with dearleader? by Baloroth · · Score: 2, Insightful

    But that doesn't mean people are ignorant of cultures. English is simply a good language for technical matters, for a large number of reasons. Being the de facto standard is only the most obvious.

    Also, I should point out the British invented English, not the US, and they spread it around the world, so I'm really not sure what your point here is. Point of fact, the US probably has more variety of culture than any other nation in the world.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  9. Re:'dearbook'? by robbo · · Score: 2

    Could be cultural but my money is on several thousand spammer-created accounts using the same password.

    --
    So long, and thanks for all the Phish
  10. Re:'dearbook'? by Baloroth · · Score: 2

    Wait, how do you know my password?! You hacker!!

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  11. Re:How many people here on slashdot by g0bshiTe · · Score: 4, Funny

    I looked for mine, 1234 wasn't on the list.

    Shit! Now I have to change it. I'll just add a 5.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  12. 18th password? by Sollord · · Score: 2

    I understand where a lot of the passwords come from, but what is the basis for the 18th on the list, "xiazhili"? What does it mean? It doesn't line up with anything I can figure out like the others.

  13. Re:'dearbook'? by jc42 · · Score: 2

    Another likely cause is some software package that uses "dearbook" as the default password, or uses it in examples. People have a way of making minimal changes in things that they install, out of fear of breaking something. They also tend to copy examples literally, even the fields that are supposed to contain personal information.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  14. Re:some thing to do with dearleader? by _0xd0ad · · Score: 2

    1 2 3 4 5 6 7 8 9 0
    q w e r t y u i o p
    a s d f g h j k l ;
    z x c v b n m , .

  15. Re:How many people here on slashdot by kbg · · Score: 2

    That's amazing. I've got the same combination on my luggage.