This tool can tell you if you’ve been dangerously reusing your passwords

The utility can work for good… or for an attacker.

David bisson
David Bisson

This tool can tell you if you've been dangerously reusing your passwords

A new command-line tool is capable of detecting passwords that are shared across multiple web accounts.

Security researcher Philip O’Keefe developed the utility, known as Shard, to accept a username and password combination and attempt to authenticate on Facebook, LinkedIn, Reddit, Twitter, and Instagram:

Screen shot 2016 07 12 at 10.19.53 am

Sign up to our free newsletter.
Security news, advice, and tips.

The tool also allows a user to test for multiple credentials if supplied with a filename.

O’Keefe writes that Shard, which is hosted on GitHub, helped him find a randomly generated password he had used across multiple websites among the 117 million LinkedIn account credentials posted online in May.

“I used that password as a general password for many services. It was a pain to remember which sites it was shared and to change them all. I use a password manager now.”

A smart idea, as password managers help users remember – and in some instances create – strong, unique passwords for each of their web accounts.

Username and password Password managers therefore help prevent against credential reuse attacks, such as the ones that forced Pandora, GoToMyPC, and other services to reset all users’ passwords in the past couple of weeks.

Unfortunately, while O’Keefe used his tool to beef up his password security, others note that bad actors could potentially use the utility to target unsuspecting users.

For instance, Dan Goodin of Ars Technica explains an attacker could modify the tool to authenticate a stolen set of credentials across a broad array of websites, including financial and banking organizations.

If a botnet operator gained access to the tool, they could use millions of infected computers to effectively circumvent rate limiting most sites use to prevent a single IP address from attempting to access too many accounts too many times.

The attacker’s rate of success would improve based upon the intrinsic design of the tool. O’Keefe elaborates:

“I think it is difficult for services to ban traffic originating from this tool because it looks like normal traffic, like a real user is logging in using a browser.”

At this time, there are no known instances of anyone abusing Shard in the wild.

Readers are urged to use a password manager and to implement a strong, unique password for each of their web accounts. They should also activate multi-factor authentication on any of their accounts that make the feature available.

Read more about two-step verification:

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “This tool can tell you if you’ve been dangerously reusing your passwords”

  1. John

    We use Passwork (( and we don’t have to ask each other about passwords for hosting, mail, accounting, social networks and other services that we use. We using it to store passwords for more than a year. Everything is simple and clear. Same feature can be found at password managers like Keeper and Lastpass. All of them use an encrypton and the cloud storage, that mean your data always secured

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.