What’s in a password? Chinese security habits revealed in online study

By JING GAO

The recent controversy over the massive data breach that occurred at Ashley Madison has triggered widespread discussion on cybersecurity and privacy, which happens to be a hot topic in China. 

In the past two months, hackers infiltrated the Ashley Madison website and dumped the personal details of 32 million user accounts held with the company. Ashley Madison, which operates an online dating platform for people seeking extramarital affairs, has incurred serious damage to its brand as a result of the data breach and the ensuing fallout has had far reaching implications for much of society. Several users have taken the website to court; two former users have reportedly taken their lives and company CEO Noel Biderman has stepped down.

Security breaches also affect hundreds of thousands of Chinese. More than six million email accounts hosted at the well-known software developer community Chinese Software Developer Network, were stolen and exposed by hackers in December 2011, according to Techweb.

In March 2014, Ctrip, the largest travel booking website operating in China – home to 50 million users – was breached because of security loopholes. Important credit card details like names, account numbers, cvv codes and user identification numbers were exposed.

The most recent case was in December 2014, when hackers dumped personal accounts stolen from China’s ‘China Railway Customer Service Center’ the official train ticket sales outlet for train passengers in China. The usernames, passwords and email addresses of 131,389 users were dumped onto the Internet

Security experts, after sorting through and analyzing the data set released by the hackers, had several interesting things to say about user passwords. Freebuf.com, a Chinese blog focusing on hackers, geeks and cybersecurity, published a revealing post with graphical representations of user security habits online. Their conclusion: while most user habits are universal, some are generation-specific.

pw1

Among the 131,389 users whose personal information was compromised, people born between 1980 and 1989, or the ‘post-80’s generation’, account for 65 percent of total accounts compromised. The size of the ‘post-80’s’ group is more than twice as large as its latter counterpart the ‘post-90’s’ group, which accounts for the second largest age demographic in the compromised accounts graph.

Habit I: passwords comprised of common words.

pw2

Turns out Chinese people are quite the romantics!

Chinese symbolic numbers ‘520’ and ‘521’ took the greater share of elected passwords, because when read in sequence, ‘520/1’ both happen to sound very similar to the Chinese phrase ‘wo ai ni’ or ‘I love you’ in English. Similarly, ‘1314’ also proved popular because it sounds like the Chinese idiom ‘yi sheng yi shi’ or ‘a whole lifetime’. Next to Chinese declarations of romantic love was the second place classic ‘123456’.  

Habit II: passwords derived from date of birth.

2,326 people nominated their six-digit date of birth as their password. All China Tech would like to think this is probably common in other countries as well. A great many people seem to use their date of birth as part of a larger password and the overwhelming majority again, points to the ‘post-80s’ crowd, with a whopping 83.8 percent of nominations.  

Habit III: use of username or email in password.

pw3

More than 1,700 people elected to repeat their username as password of choice. 2,396 users simply printed their email address as password. According to Freebuf, this problem is less common among the ‘post-90s’ group.

Habit IV: use of cellphone number in password.

61 people used their cellphone number as password, most of whom were from the ‘post-60s’ group.

Habit V: shared responsibility

pw5

Perhaps the most frightening revelation from this dataset is that the China railways website holds user payment information. These types of websites are quite distinct from one of many internet forums – where one might spend time posting grumpy cat pictures or ranting about terrible restaurants – but despite this, only 46 percent of users bothered to use more than one type of character in their passwords. 54 percent of passwords were comprised of either numbers only or letters only. Out of the 131,389 accounts that were breached, only 163 attempted to use a special character or symbol in their password, a mere 0.012 percent.

For those who argue that this dataset is unreliable and biased and that it is exactly because of the nature of the weak passwords used by users that their accounts were compromised, a closer look at the website in question can be illuminating.

It is standard industry practice in today’s world for users of websites to have to diversify their password with a mixture of letters, numbers and even symbols during signup. This means essentially that none of the 131,000-plus accounts that were compromised should have been approved by the website operators to begin with.

The fact that users are permitted to use patently poor password choices like ‘123456’ during registration and then go on to make purchases on China’s state-owned railway ticket website or any other Chinese website for that matter tells you at least one thing. Security online is a two way stream; it appears the websites themselves have also been neglecting their cybersecurity responsibilities.

Jing Gao

Jing founded her own blog Ministry of Tofu and worked with Los Angeles Times, Greenpeace and LinkAsia. She graduated with a master's degree in Journalism from the University of Illinois.

No Comments Yet

Leave a Reply

Your email address will not be published.

AllTechAsia is a startup media platform dedicated to providing the hottest news, data service and analysis on the tech and startup scene of Asian markets in English.
Contact us: info@alltechasia.com

About Us

FOLLOW US ON

Subscribe to Our Newsletter