Experts say ordinary sniffer tools can steal passwords
IT Times reporter Xin Fei
Last Saturday, Ms. Lee, who lives in Shanghai, found that her Jingdong mall account had been stolen; when she made inquiries, the other party was frantically spending her points on purchases. "I only registered the account in March and used it a few times to buy home appliances, and it has already been stolen. It is too terrible!" Lee did not know that her password was already in danger. On May 29, the Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Testing Center) and other departments released the "Website User Password Handling Security Evaluation Report" (hereinafter the "report"). It pointed out that in a sample of 100 websites, including Jingdong, Taobao, Ctrip and Jiayuan, 85 websites could obtain the user's original password on the server side, and only 8 websites used a secure mode for transmitting user passwords.
E-commerce and recruitment websites: the whole army wiped out
At the end of 2011, CSDN, Tianya, mop.com and other sites, which stored passwords in plaintext, had their user databases leaked, and more than 50 million user accounts and passwords spread openly on the Internet. Major sites have since strengthened the security of data storage. However, there are still many hidden dangers in the transmission of user passwords. In general, when a user logs on to a website and enters a user name and password, the password first travels from the user's computer to the web server, and is then stored and used for authentication. The report shows that most of the sample sites did not encrypt the password during transmission. Among them, the 12 e-commerce sites and 15 recruitment sites, among the most heavily used sites, transmitted the original password, the most insecure method, without any technical means of encryption.
Liu Tao, deputy general manager of the information security research department of the China Software Testing Center and one of the people mainly responsible for the report, told the IT Times reporter that the evaluation used a client-side analysis tool. It simulated registering a user name and password on each website, simulated the user's clicks through the interaction process, monitored the exchange between the browser and the server from inside the client, and automatically matched the interaction data packets, so that it could determine whether the user name and password were transmitted in plaintext. "This method evaluates using our own simulated registration and matching, and does not affect other people's user names and passwords."
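A small audit script in the spirit of the method Liu Tao describes, added here as an example and not the testing center's tool: register a throwaway account, capture your own login request, and check whether the password you typed is recoverable from what went over the wire. The host names, credential and captured requests below are constructed.

```python
import base64
import json
import urllib.parse

def credential_locations(raw_request: str, password: str) -> list[str]:
    """Return where the tester's own password is recoverable in one captured request.
    A base64 copy counts as recoverable: encoding is not encryption."""
    needles = {password, base64.b64encode(password.encode()).decode()}
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    hits = []
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(target).query)
    if needles & {v for vs in query.values() for v in vs}:
        hits.append("url-query")  # GET-style login: also ends up in server and proxy logs
    ctype = headers.get("content-type", "")
    if "x-www-form-urlencoded" in ctype:
        if needles & {v for vs in urllib.parse.parse_qs(body).values() for v in vs}:
            hits.append("form-body")
    elif "json" in ctype and any(json.dumps(n) in body for n in needles):
        hits.append("json-body")
    return hits

PASSWORD = "Tr0ub4dor&3"  # constructed credential, registered for the test only
# Constructed login requests as they would be captured on the wire from a plain-HTTP page.
FORM_LOGIN = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              + urllib.parse.urlencode({"user": "lee", "pwd": PASSWORD}))
B64_LOGIN = ("POST /api/login HTTP/1.1\r\nHost: shop.example\r\n"
             "Content-Type: application/json\r\n\r\n"
             + json.dumps({"user": "lee", "pwd": base64.b64encode(PASSWORD.encode()).decode()}))
# A site that sends a client-side hash instead: not matched here, but the hash itself is
# still a reusable secret on an unencrypted link, so TLS is required either way.
HASHED_LOGIN = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                + urllib.parse.urlencode({"user": "lee", "pwd": "9f86d081884c7d65"}))

if __name__ == "__main__":
    for name, req in [("form", FORM_LOGIN), ("base64", B64_LOGIN), ("hashed", HASHED_LOGIN)]:
        print(name, credential_locations(req, PASSWORD) or "not recoverable from this capture")
```

Only a capture of your own test account is meaningful here; a site passes this check when the typed password cannot be found in any form in the captured request, and it passes the report's criterion when that holds because the login is protected by TLS rather than by client-side obfuscation.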
Plaintext transmission of the original password is a greater hidden danger than the way passwords are stored in the database. Zhou Xueming, a technical expert at Shanghai Telecom, told the reporter that the user name and password travel to the web server through a "pipeline"; if that pipeline is operated securely, it can resist external attacks, but if the network the user is on is itself insecure, for example a privately built WiFi network, a hacker on the same network can obtain the user's password through a network sniffer or a simple spying tool. "Even if the user sets a very complex password, it is useless."
Some sites acknowledge the existence of the loopholes
Regarding the content of the report, the "IT Times"