The website login password "naked body to be tied" The electric business recruit class is annihilated

Experts say common sniffing tools can steal passwords

Ms. Li, who lives in Shanghai, was stolen from the Saturday Jingdong Mall account and was frantically shopping with her points. "I just registered a new account in March, just bought a few times home appliances, unexpectedly was stolen, it is terrible!" Ms. Li did not know that her password was already in danger. May 29, the Ministry of Industry and Information technology, computer and Microelectronics Development Research Center (China Software Evaluation Center) and other departments issued the "website User password processing security external evaluation report" (hereinafter referred to as the "report") pointed out that in 100 sample sites, Taobao, Beijing-east, Ctrip, Century Jiayuan and other 85 web sites can get the original user password in the server, only 8 sites take the most secure user password transmission mode.

Electric Business Recruitment website annihilated

At the end of 2011, sites such as CSDN, Tianya and mop were "brushed" by the plaintext password store, with more than 50 million user accounts and passwords spreading openly online. The security of data storage is enhanced by the major websites. However, there are still many hidden dangers in the process of user password transmission. In general, users in the Web site, enter the user name and password, from the user's computer to the Web server, will be password transmission, password storage certification process. And the report shows that most of the sample Web site in the transmission of passwords, no encryption processing. Among them, 12 E-commerce network, 15 recruitment network, 10 marriage websites adopted the most unsafe "original password plaintext transmission", the password did not take any technical means to encrypt.

One of the main principals of the report, Liu Tao, deputy general manager of Information security research at China Software Evaluation Center, told the IT Times reporter that the assessment adopted a client analysis software that simulates user clicks and listens to the interactive process between the browser's internal page and the server by simulating the username and password on the website. To automatically match the packets in the interaction, you can understand whether the user name and password are transmitted in clear text form, "This method is evaluated by its own simulation registration and matching degree, without affecting other people's username and password." ”

The original password plaintext transmission is more insidious than the database plaintext password store. Shanghai Telecom Technology expert Zhou Coming told reporters that the user name and password through the pipeline to the Web server, if the operator laid the pipeline safe, can withstand external attacks; If the user's own network is unsafe, such as a private-built WiFi network in the same network segment of hackers, You can get user password information through Simple network sniffing or corporate espionage tools. Even if the user password is set to be more complex, is also a fictitious. ”

Some sites acknowledge vulnerabilities

For the content of the report, the IT Times reporter randomly interviewed several named websites. Taobao development team said Taobao in the user password transmission processing does have a certain flaw. They have considered this issue in the development of a new version of the security control, which will fix this defect and implement a high level of encryption transfer mode as the release of the new version of the security control.

Jingdong Mall also said that will strengthen the password transmission process of security measures. Love website Cherish the network's PR department said to the reporter, the Treasure NET uses is the clear text transmission, but if uses the encryption method, may cause some users not to be able to log in normally.

Zhou Coming said that the use of encrypted transmission, it does cause some Web site login complex. As online banking payments, both download the control, enter the user name, password, but also to obtain dynamic passwords, and so on, it may affect the speed of Web page opening, but the effect of confidentiality is better.

"The password ' streaking ' is not a technical problem. "Liu Tao said that the site on the user password security maintenance is not difficult, a common programmer can be basically done, the reason for all kinds of omissions, may be not enough security awareness of the site." "It's very dangerous for users to use a password ' all '," he said. Ms Li's password leak is probably because she uses the same password on many websites, and once stolen, it's all exposed. So consumers in a variety of websites not only to set different passwords, but also often change the password. ”

No explicit specification for password encryption method

In the face of the report mentioned many sites for password Express transmission of the situation, many netizens questioned, "if because of this situation password leaked, personal information stolen or caused economic losses, the site is responsible?" Chen, deputy director of Shanghai Rui Fu law firm, said that users login to the website with a registered password, which is equivalent to a kind of contract fulfillment between the two parties. If the information is captured by hackers, hackers should assume the first responsibility, the site should bear joint and several liability. However, in the actual situation, there is no express method for password transmission encryption.

"In the password transmission, some websites take the ordinary encryption way, some website does not even encrypt, does not have the concrete standard, the user encounters the password to be stolen the event, is very difficult to raise the safeguard to these websites." "Chen said.

Network security expert Tiejun introduced, in fact, the industry in the password processing only some common sense principle, but at present there is no relevant institutions and organizations, the above scattered principles to be standardized documents.

"Currently in the site User password processing, there is no clear standard or specification, how to deal with user passwords This privacy is very strong user personal information, can only rely on site developers, operators of security knowledge and self-discipline." The development and clarity of standards will be the direction of personal information protection work. "Tiejun said.