

100 Million Usernames, Passwords Leaked from Chinese web sites - yaix
http://english.caixin.cn/2011-12-29/100344138.html

======
daeken
> Anti-virus company Qihoo 360's Vice President Shi Xiaohong attributed the
> leak to companies neglecting to encrypt their users' passwords and account
> information, Xinhua reported. Legal experts told Caixin that the massive
> leak also revealed shortcomings in Chinese internet security law and online
> ID theft protections.

Bullshit. Complete and utter bullshit, in fact. Encryption/hashing are your
last line of defense. They're what you hope hold strong when they've blasted
through everything else. Not having them is not the issue, it's simply
indicative of a lack of security knowledge and forethought in everything else;
poorly written apps tend to lack things like proper password storage, but that
doesn't mean that proper password storage makes your app properly written.

Now, I'm not saying that proper password storage or encrypting user data
aren't very important things -- I argue strongly for them all the time -- but
locking your front door is just as important as having a strong safe for your
valuables. If I can walk right in with SQL injection, arbitrary file reads,
command injections, and other fun vectors, then you're largely screwed
regardless.

~~~
rbanffy
> Encryption/hashing are your last line of defense. (...) Not having them is
> not the issue

It pretty much shows they had no line of defense whatsoever. Password hashing
is _very_ easy. Even good, hard-to-crack hashing is very easy.
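
To put the "very easy" claim in concrete terms, here is an added example (not code from the thread or from any of the sites discussed) of the password storage the comments say was missing: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), a self-describing stored record, constant-time verification, and a check that lets old records be upgraded when the iteration count is raised. The 600,000-iteration figure is the OWASP recommendation for PBKDF2-HMAC-SHA256 at the time of writing; the record format and function names are assumptions for this example. An unsalted fast hash is included only for contrast, to show why identical passwords must not produce identical stored values.

```python
import hashlib
import hmac
import os

# Policy parameters (assumptions for this example). The iteration count is
# stored in each record so it can be raised later without invalidating old ones.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time.

    Malformed records return False rather than raising, so a corrupted row
    cannot take the login path down with an exception.
    """
    try:
        algorithm, iterations, salt_hex, dk_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current policy (lower iteration count
    or different algorithm) and should be re-hashed at the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def unsalted_sha256(password: str) -> str:
    """The weak scheme, shown only for contrast: no salt, no work factor, so two
    users with the same password get the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Correct horse battery staple", record))
    # Two users, same password: salted records differ, unsalted digests collide.
    print("salted records differ:", hash_password("pw") != hash_password("pw"))
    print("unsalted digests collide:", unsalted_sha256("pw") == unsalted_sha256("pw"))
```

On a login, call `verify_password`, and when it succeeds and `needs_rehash` is true, store `hash_password(password)` in place of the old record; that is how an iteration count is raised across a live user base without a forced reset.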

~~~
daeken
I completely agree. This is unforgivable -- it's so insanely easy to do this
well (or even somewhere _close_ to well, which is many, many orders of
magnitude better than... doing nothing) that there's no reason it shouldn't be
done. However, my issue is harping purely on this. It's arguing about why the
vault didn't have any cameras when the door was left open.

------
Achshar
Passwords? Plain text? That makes no sense. If they were popular Chinese
websites, why in the world would they store plain text passwords? Doesn't
matter if it was on the client side or the server side.

~~~
yinhm
Some rumors say these passwords were leaked from the government. Back in 2009
the Chinese government asked their sites to hand over users' passwords. It
explains everything, but still, rumors are rumors; no other evidence can prove it.

