Dangdang's account anomalies: the curse of the weak password

Source: Internet
Author: User
Keywords: Dangdang, network-wide account freeze

On March 23, Liang Jianpeng, senior director of operations at Dangdang, was surprised to find that in the 74 hours from 22:00 on the 19th to 24:00 on the 22nd, only 6 of all the users whose accounts Dangdang had frozen had called to report an account anomaly.

Another figure made Liang Jianpeng even more suspicious. On the 19th, Dangdang had sent text messages and emails to about 500,000 users who had balances or gift cards in their accounts. By its own estimate, at least 80% of those customers would change their passwords. But the three days of data showed that fewer than 5% of users actually did.

Dangdang had taken the decision to freeze accounts across the entire site, at considerable risk to its goodwill, and got this surprising result. Was the crisis misjudged? What prompted Dangdang CEO Guoqing to make the decision so urgently, and what happened in the 74 hours that followed?

Discovery

The anomalies in Dangdang user accounts had first surfaced a month earlier.

According to Liang Jianpeng, head of Dangdang's customer service center, in February a handful of scattered users complained that their passwords were invalid or could not be entered.

Dangdang quickly put together a number of targeted measures to help these users restore normal use. But two months had already passed since the CSDN account leak, the overlap between the two sites' user bases was not high, and CSDN's leak was large-scale while only a few Dangdang users were affected, so Dangdang did not dare to conclude that the account anomalies were necessarily linked to the CSDN incident.

At the time, Dangdang's analysis inferred that users might have been careless with their own account information, for example by logging in from a public place or by giving the account name and password to friends and relatives. So it only posted a notice on its home page reminding users that, because of the CSDN incident, they should change their login passwords to keep their accounts secure.

After that things were fairly quiet, and almost nothing happened in the first week of March.

But in the second week of March a large number of users suddenly began complaining about account anomalies: being unable to log in, incorrect balances, or strange orders, sometimes twenty or thirty complaint calls a day. Dangdang's customer service and technical staff realized that things were not so simple and that the situation was far more serious than expected.

While still working out a response strategy, they reported the matter to Dangdang CEO Guoqing at the first opportunity.

The decision to freeze the balances and gift cards in all user accounts was taken on the morning of the 19th at a multi-department meeting convened by CEO Guoqing and attended by seven people in charge of the customer service center, the technical department, the legal department and the operations department. In fact the emergency meeting was held twice, once in the morning and once in the afternoon. At the morning meeting, chaired by Guoqing personally, it was decided to freeze every account holding a gift card or balance, to notify all users by text message and email to change their passwords, to compensate all users' losses in full, and to report the case to the public security organs.

On the afternoon of the 19th Guoqing met again to review the implementation of those decisions, and immediately set about improving the payment process by requiring a verification code sent to the user's phone before a payment goes through. The data Guoqing saw showed that from mid-February to March 19, before the accounts were frozen, 197 accounts had been reported; the losses per account ranged from tens to hundreds of yuan, with only a very few individual accounts losing much more.

Dangdang then issued a public statement acknowledging that some user accounts had been stolen. Guoqing instructed that all users be notified quickly by SMS, email and every other channel to change their Dangdang passwords and check whether their accounts had been misused, so as to reduce the losses of both users and Dangdang. Although the legal department believed Dangdang might not have to bear full responsibility, Guoqing insisted that account losses be compensated in full, paid out in batches over a planned period of two weeks, after verifying that the user had actually suffered a loss.

The first thorny problem Guoqing and his team faced was how many user accounts had been stolen and how large the losses were. As an Internet company, Dangdang could only remind users through site announcements, text messages and emails to log in, set a new password, and check whether their gift cards and balances were abnormal. Their biggest worry was users who had been robbed but did not yet know it.

The other thorny question was what to do about the stolen money and the losses: for an order that had already gone through, Dangdang not only lost the goods but also compensated the user, a double loss.

Guoqing held that although Dangdang might not be legally required to take full responsibility, it could not betray users' trust and had to compensate in full, even if that ran to millions of yuan.

Guoqing hoped that most users would update their passwords over the three-day period. He was willing to go to the trouble and expense of freezing every balance and gift-card account, perhaps because Chinese users' sense of the value of a password is as faint as the color of a sheet of A4 paper.

The curse of the weak password

Dangdang's judgment was that criminals had stolen users' account names and passwords and were using them to operate the accounts. For anyone with a little technical knowledge this is easy, because many users now use the same account name and password on different websites, which gives criminals the opening to take over accounts with credentials leaked elsewhere.

At the end of 2011, 360 Security Center, the country's largest network security vendor, published a "Password Security Guide" which, based on the cracking lists of popular domestic password-cracking dictionary software, compiled the 25 "weak passwords" most commonly used by Chinese netizens.

According to information provided to this newspaper by 360 security experts, 9 of the TOP25 weak passwords used by Chinese netizens are exactly the same as those used by netizens abroad. Apart from password, abc123, ILOVEYOU, QWERTY and other weak passwords common to netizens worldwide, the rest are digit combinations.

Simple digit combinations seem to be the favorite of Chinese netizens, accounting for nearly half of the list. Auspicious numbers such as "666666" and "888888" are a fixture of almost every Chinese hacker's password dictionary, and "5201314" (which sounds like "I love you for life" in Chinese) carries obvious emotional color, a weak password with Chinese characteristics.

The weak passwords commonly used by netizens fall into four categories: simple digit combinations, sequential character combinations, adjacent-key combinations, and combinations with special meaning. The Chinese weak-password list shows that domestic netizens prefer 6-character passwords: 18 of the TOP25 are 6 characters long, a whopping 72%. In addition, combinations such as "a1b2c3" and "p@ssWOrd" look complex but are in fact on the hackers' priority lists.

If a system account or other online account uses a weak password, a hacker can easily guess it automatically with a password dictionary, leading to leaks of personal information and even financial loss.
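As an added example, not code from the article or from 360's guide, the Python checker below implements the four categories described above (simple digits, sequential characters, adjacent keys, special meaning) as rules a site could run when a user sets a new password. It goes slightly beyond the text: the sequential rule also catches interleaved runs such as a1b2c3, and the dictionary lookup undoes common substitutions so that p@ssWOrd matches password. The dictionary is constructed only from the entries the article names, since the full 360 TOP25 list is not reproduced on this page, and the 8-character minimum (MIN_LEN) is an assumed policy value, not something the article states.

```python
"""Weak-password classifier for the four categories the article describes.

Added example. KNOWN_WEAK is constructed from the entries the article names
(not the full 360 TOP25 list) and MIN_LEN is an assumed policy value.
"""

# Entries the article names from the 360 list (constructed subset, not the full TOP25).
KNOWN_WEAK = {
    "password", "abc123", "iloveyou", "qwerty",   # shared with netizens worldwide
    "666666", "888888", "5201314",                # auspicious numbers / "I love you for life"
    "a1b2c3", "p@ssword",                         # look complex, still on cracking lists
}

# Common character substitutions, undone before the dictionary lookup (p@ssWOrd -> password).
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i", "3": "e", "!": "i"})

# Physical rows of a US QWERTY keyboard, used for the adjacent-key check.
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

MIN_LEN = 8  # assumed policy minimum; the article notes 72% of the TOP25 are 6 characters


def _is_run(s, step):
    """True if every character is `step` code points after the previous one."""
    return len(s) >= 2 and all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def _is_monotonic_run(s):
    return _is_run(s, 1) or _is_run(s, -1)


def is_sequential(pw, min_len=4):
    """Sequential characters: abcdef, 123456, 654321, and interleaved forms like a1b2c3."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    if _is_monotonic_run(s):
        return True
    # a1b2c3 is two interleaved runs: "abc" at even positions and "123" at odd positions.
    evens, odds = s[0::2], s[1::2]
    return _is_monotonic_run(evens) and _is_monotonic_run(odds)


def is_simple_digits(pw):
    """Simple digit combination: all digits, and either very few distinct digits or a run."""
    if not pw.isdigit():
        return False
    return len(set(pw)) <= 2 or is_sequential(pw)


def is_keyboard_walk(pw, min_len=4):
    """Adjacent-key combination: every character is one key left or right of the previous."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    for row in KEYBOARD_ROWS:
        if all(c in row for c in s):
            idx = [row.index(c) for c in s]
            if all(abs(b - a) == 1 for a, b in zip(idx, idx[1:])):
                return True
    return False


def is_known_weak(pw):
    """Special-meaning / dictionary entry, checked before and after undoing leet substitutions."""
    low = pw.lower()
    return low in KNOWN_WEAK or low.translate(LEET) in KNOWN_WEAK


def classify(pw):
    """Return every weak-password category that fires; an empty list means no rule matched."""
    reasons = []
    if is_simple_digits(pw):
        reasons.append("simple digits")
    if is_sequential(pw):
        reasons.append("sequential")
    if is_keyboard_walk(pw):
        reasons.append("adjacent keys")
    if is_known_weak(pw):
        reasons.append("known weak")
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    return reasons


# Constructed sample: the passwords the article names plus one passphrase that passes.
SAMPLE_PASSWORDS = ["666666", "888888", "5201314", "a1b2c3", "p@ssWOrd", "qwerty",
                    "correct-horse-battery"]


def audit(passwords):
    """Map each candidate password to the categories it falls into."""
    return {pw: classify(pw) for pw in passwords}


def weak_fraction(passwords):
    """Share of candidates a site should reject at password-change time."""
    return sum(1 for pw in passwords if classify(pw)) / len(passwords)


if __name__ == "__main__":
    for pw, reasons in audit(SAMPLE_PASSWORDS).items():
        print(f"{pw:24} {'REJECT' if reasons else 'ok':7} {', '.join(reasons)}")
    print(f"weak: {weak_fraction(SAMPLE_PASSWORDS):.0%}")
```

Every password the article names is rejected by at least one rule, and several by more than one; the rules are deliberately independent so that a site can report to the user why a choice was refused rather than just that it was. A real deployment would replace the constructed KNOWN_WEAK set with the full cracking dictionary, since a dictionary check is only as good as the list behind it.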

Guoqing's three-day freeze was meant to get 80% of Dangdang users to set a strong password for their accounts. But after three days, only 6 users had reported account anomalies and fewer than 5% had changed their passwords, a result that surprised everyone.

Why do customers care so little about the money in their own accounts?

Perhaps because the amounts in the accounts are relatively small; perhaps because some users never received the news that their Dangdang accounts might have been stolen; perhaps because the gift cards had not yet expired; perhaps because they simply do not care. And there is one reason Dangdang's staff would not want to believe, but which is highly probable: Guoqing's commitment to full compensation. If losing and not losing come to the same thing, why bother changing the password?
