A new command-line tool is capable of detecting passwords that are shared across multiple web accounts.
Security researcher Philip O’Keefe developed the utility, known as Shard, to accept a username and password combination and attempt to authenticate on Facebook, LinkedIn, Reddit, Twitter, and Instagram.
The tool can also test multiple sets of credentials when supplied with a filename.
O’Keefe writes that Shard, which is hosted on GitHub, helped him find a randomly generated password he had used across multiple websites among the 117 million LinkedIn account credentials posted online in May.
“I used that password as a general password for many services. It was a pain to remember which sites it was shared on and to change them all. I use a password manager now.”
A smart idea, as password managers help users remember – and in some instances create – strong, unique passwords for each of their web accounts.
Password managers therefore help protect against credential reuse attacks, such as the ones that forced Pandora, GoToMyPC, and other services to reset all users’ passwords in the past couple of weeks.
Unfortunately, while O’Keefe used his tool to beef up his password security, others note that bad actors could potentially use the utility to target unsuspecting users.
For instance, Dan Goodin of Ars Technica explains an attacker could modify the tool to authenticate a stolen set of credentials across a broad array of websites, including financial and banking organizations.
If a botnet operator gained access to the tool, they could use millions of infected computers to effectively circumvent the rate limiting most sites use to prevent a single IP address from attempting to access too many accounts too many times.
The tool’s design would also improve an attacker’s rate of success. O’Keefe elaborates:
“I think it is difficult for services to ban traffic originating from this tool because it looks like normal traffic, like a real user is logging in using a browser.”
At this time, there are no known instances of anyone abusing Shard in the wild.
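The botnet scenario above defeats per-IP rate limiting because each infected machine stays under the threshold. The defender-side answer is to also count failures per account across all source addresses. The following is an added example, not code from the article or from the Shard project, that runs that check over a constructed login log; the log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Detect distributed credential-stuffing that per-IP rate limiting misses.

Added example (not from the article or the Shard project). It assumes a
constructed log line format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>".
"""
from collections import defaultdict

# Constructed sample log lines (documentation-range addresses, not real traffic):
#  - alice: one failure from each of six different addresses (distributed)
#  - bob:   two failures then a success from one address (benign typo)
#  - carol: six failures from a single address (caught by per-IP limiting)
SAMPLE_LOG = """\
2016-06-20T10:00:01 ip=203.0.113.10 user=alice result=fail
2016-06-20T10:00:02 ip=203.0.113.11 user=alice result=fail
2016-06-20T10:00:03 ip=203.0.113.12 user=alice result=fail
2016-06-20T10:00:04 ip=203.0.113.13 user=alice result=fail
2016-06-20T10:00:05 ip=203.0.113.14 user=alice result=fail
2016-06-20T10:00:06 ip=203.0.113.15 user=alice result=fail
2016-06-20T10:00:07 ip=198.51.100.7 user=bob result=fail
2016-06-20T10:00:09 ip=198.51.100.7 user=bob result=fail
2016-06-20T10:00:12 ip=198.51.100.7 user=bob result=ok
2016-06-20T10:00:13 ip=203.0.113.99 user=carol result=fail
2016-06-20T10:00:14 ip=203.0.113.99 user=carol result=fail
2016-06-20T10:00:15 ip=203.0.113.99 user=carol result=fail
2016-06-20T10:00:16 ip=203.0.113.99 user=carol result=fail
2016-06-20T10:00:17 ip=203.0.113.99 user=carol result=fail
2016-06-20T10:00:18 ip=203.0.113.99 user=carol result=fail
"""

# Assumed thresholds: a per-source limit like the one most sites use, plus a
# per-account limit that does not care how many sources the failures came from.
PER_IP_LIMIT = 5
PER_ACCOUNT_LIMIT = 5


def parse_line(line):
    """Parse one constructed log line into a dict with ts, ip, user and ok."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "ip": fields["ip"], "user": fields["user"],
            "ok": fields["result"] == "ok"}


def analyse(log_text):
    """Count failed logins per source IP and per account.

    Returns the IPs a per-IP limiter would block, the accounts that exceed the
    per-account limit, and the subset of those accounts whose failures came
    only from sources that individually stayed under the per-IP limit, i.e.
    the attacks a per-IP limiter alone would never see.
    """
    per_ip_fail = defaultdict(int)
    per_user_fail = defaultdict(int)
    per_user_ip_fail = defaultdict(lambda: defaultdict(int))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["ok"]:
            continue  # only failures feed the counters
        per_ip_fail[rec["ip"]] += 1
        per_user_fail[rec["user"]] += 1
        per_user_ip_fail[rec["user"]][rec["ip"]] += 1

    noisy_ips = sorted(ip for ip, n in per_ip_fail.items() if n >= PER_IP_LIMIT)
    targeted = sorted(u for u, n in per_user_fail.items() if n >= PER_ACCOUNT_LIMIT)
    distributed = [u for u in targeted
                   if max(per_user_ip_fail[u].values()) < PER_IP_LIMIT]
    return {
        "noisy_ips": noisy_ips,
        "targeted_accounts": targeted,
        "distributed_accounts": distributed,
        "per_user_fail": dict(per_user_fail),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("blocked by per-IP limit:      ", report["noisy_ips"])
    print("accounts over per-account cap:", report["targeted_accounts"])
    print("invisible to per-IP limiting: ", report["distributed_accounts"])
```

With the sample above, the per-IP limiter blocks only `203.0.113.99` and never notices alice, whose six failures are spread one per address; the per-account counter flags both alice and carol, and reports alice as the distributed case. In practice the per-account signal is what should trigger a step-up (a CAPTCHA, a second factor, or a temporary lock) rather than a plain block, since an attacker could otherwise use it to lock legitimate users out.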
Readers are urged to use a password manager and to implement a strong, unique password for each of their web accounts. They should also activate multi-factor authentication on any of their accounts that make the feature available.
Read more about two-step verification:
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to protect your Office 365 users with multi-factor authentication
- How to protect your Microsoft account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)
- Instagram finally supports third-party 2FA apps for greater account security