This tool can tell you if you've been dangerously reusing your passwords

The utility can work for good… or for an attacker.


A new command-line tool can detect whether a password is being shared across multiple web accounts.

Security researcher Philip O'Keefe developed the utility, known as Shard, to accept a username and password combination and attempt to authenticate with it on Facebook, LinkedIn, Reddit, Twitter, and Instagram:

[Screenshot: Shard being run from the command line, 12 July 2016]

The tool can also test many credential pairs in one run when given a file containing them.
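Shard answers the reuse question by logging in to each site. The same question can be answered offline from the saved logins you already hold, with no traffic to any site. The script below is an added example, not Shard's code: it reads a constructed CSV in the shape of a typical password-manager export (the `site,username,password` layout, sample sites and passwords are all made up for the example) and reports which sites share a password. It goes one step beyond what Shard tests, in that it also groups near-variants that differ only in trailing digits or punctuation, the kind of "Secret1" / "Secret!" variation an attacker's mangling rules would try next. The report names sites but never prints a password; each group is labelled with a truncated SHA-256 fingerprint.

```python
"""Offline check for passwords reused across saved logins.

Added example, not the Shard tool's code. Reads a local list of saved
logins (a constructed CSV in the shape of a password-manager export) and
reports which sites share a password, exactly or as a near-variant.
Passwords are never printed; groups are labelled by a truncated SHA-256.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (not real credentials): site,username,password
SAMPLE_EXPORT = """\
site,username,password
facebook.com,alice,Tr0ub4dor&3
linkedin.com,alice@example.com,Tr0ub4dor&3
reddit.com,alice_r,correct horse battery staple
twitter.com,alice,Tr0ub4dor&3
instagram.com,alice,Tr0ub4dor&3!
bank.example,alice,8XjdL#2pQw!vR9
"""

# Characters people typically append to "vary" a password they reuse.
TRAILING = "0123456789!@#$%^&*.,;:-_+=?"


def fingerprint(text: str) -> str:
    """Short, non-reversible label so a report never contains a password."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:12]


def stem(password: str) -> str:
    """Normalise the common 'same password plus a digit or !' variants.

    Very short stems (e.g. an all-digit password stripping to nothing)
    would lump unrelated passwords together, so those keep the full value.
    """
    base = password.rstrip(TRAILING)
    return (base if len(base) >= 4 else password).lower()


def find_reuse(export_text: str):
    """Return (exact, near).

    exact: fingerprint(password) -> sorted sites using the identical password
           (only groups of two or more sites).
    near:  fingerprint(stem) -> sorted sites whose passwords share a stem but
           are not all identical (i.e. at least two distinct variants).
    """
    by_password = defaultdict(set)                      # password -> sites
    by_stem = defaultdict(lambda: defaultdict(set))     # stem -> password -> sites
    for row in csv.DictReader(io.StringIO(export_text)):
        site, pw = row["site"].strip(), row["password"]
        if not pw:
            continue
        by_password[pw].add(site)
        by_stem[stem(pw)][pw].add(site)
    exact = {fingerprint(pw): sorted(sites)
             for pw, sites in by_password.items() if len(sites) > 1}
    near = {fingerprint(st): sorted(set().union(*variants.values()))
            for st, variants in by_stem.items() if len(variants) > 1}
    return exact, near


def report(export_text: str) -> str:
    """Human-readable summary that names sites but never passwords."""
    exact, near = find_reuse(export_text)
    lines = []
    for fp, sites in exact.items():
        lines.append(f"password {fp} reused on {len(sites)} sites: {', '.join(sites)}")
    for fp, sites in near.items():
        lines.append(f"near-identical passwords (stem {fp}) on: {', '.join(sites)}")
    return "\n".join(lines) if lines else "no reuse found"


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Run against a real export, the output is a to-do list of sites to rotate, in the order O'Keefe wished he had had one: the exact-reuse groups first, then the near-variants, which a credential-stuffing attacker would reach with a single mangling rule. Delete the export once you have the list; it is the plaintext of every account you own.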

O'Keefe writes that Shard, which is hosted on GitHub, helped him find a randomly generated password he had used across multiple websites among the 117 million LinkedIn account credentials posted online in May.

"I used that password as a general password for many services. It was a pain to remember which sites it was shared on and to change them all. I use a password manager now."

A smart idea, as password managers help users remember, and in most cases generate, strong, unique passwords for each of their web accounts.

Password managers therefore help protect against credential-reuse attacks, in which credentials leaked from one breach are tried against other services, such as those that forced Pandora, GoToMyPC, and other services to reset all users' passwords in the past couple of weeks.

Unfortunately, while O'Keefe used his tool to shore up his own password security, others note that bad actors could just as easily use the utility against unsuspecting users.

For instance, Dan Goodin of Ars Technica explains an attacker could modify the tool to authenticate a stolen set of credentials across a broad array of websites, including financial and banking organizations.

A botnet operator who adopted the tool could spread the login attempts across millions of infected computers, defeating the per-IP rate limiting most sites rely on: that limit blocks a single address after too many login attempts, but each bot only ever makes a handful.

The tool's design makes such attempts hard to tell apart from legitimate logins. O'Keefe elaborates:

"I think it is difficult for services to ban traffic originating from this tool because it looks like normal traffic, like a real user is logging in using a browser."
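A per-IP limit and a "looks like a browser" check are both per-request views; the distributed case only shows up when login failures are counted site-wide. The script below is an added example, not from the article or from Shard, and runs over a constructed auth log (RFC 5737 documentation addresses, invented usernames, an assumed `ts ip= user= result=` line format). It implements the per-IP rule the article describes alongside a site-wide detector, and then lists the accounts whose reused credentials actually worked during the burst, which are the ones a forced reset should target first. The thresholds (5 failures per IP, 20 failures per window, 80 percent distinct sources) are illustrative assumptions, not values from the article.

```python
"""Detecting credential stuffing that a per-IP rate limit misses.

Added example (not from the article or from Shard). A per-IP failure limit
beside a site-wide detector, both run over a constructed auth log. Each bot
in the distributed case makes one browser-like login attempt from its own
address and never trips the per-IP rule; the site-wide view sees a burst of
failures spread across many sources and many accounts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
NORMAL_LINES = [
    "2016-07-12T09:58:10Z ip=203.0.113.5 user=alice result=ok",
    "2016-07-12T09:59:40Z ip=203.0.113.9 user=bob result=fail",
    "2016-07-12T10:00:05Z ip=203.0.113.9 user=bob result=ok",
    "2016-07-12T10:03:30Z ip=203.0.113.12 user=carol result=ok",
]
# Thirty bots, one attempt each against a different account, inside three
# minutes; two of the reused credentials happen to work on this site.
STUFFING_LINES = [
    f"2016-07-12T10:2{i // 10}:{(i % 10) * 5:02d}Z ip=198.51.100.{i + 1} "
    f"user=user{i:02d} result={'ok' if i in (7, 19) else 'fail'}"
    for i in range(30)
]
SAMPLE_LOG = NORMAL_LINES + STUFFING_LINES

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")
EPOCH = datetime(1970, 1, 1)


def parse(lines):
    """Parse log lines into sorted (timestamp, ip, user, success) tuples, skipping junk."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return sorted(events)


def per_ip_offenders(events, max_failures=5, window=timedelta(minutes=10)):
    """The per-IP rule most sites use: flag an address with more than
    max_failures failed logins inside a sliding window."""
    offenders, recent = set(), defaultdict(list)
    for ts, ip, _user, ok in events:
        if ok:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.pop(0)
        if len(q) > max_failures:
            offenders.add(ip)
    return offenders


def stuffing_windows(events, window=timedelta(minutes=10), min_failures=20, min_spread=0.8):
    """Site-wide rule: a fixed window whose failures come from a large share of
    distinct IPs (spread = distinct_ips / failures) is flagged, even though no
    single IP exceeds the per-IP limit."""
    buckets = defaultdict(lambda: {"failures": 0, "ips": set(), "users": set()})
    for ts, ip, user, ok in events:
        if ok:
            continue
        b = buckets[(ts - EPOCH) // window]   # fixed 10-minute bucket index
        b["failures"] += 1
        b["ips"].add(ip)
        b["users"].add(user)
    flagged = []
    for idx, b in sorted(buckets.items()):
        spread = len(b["ips"]) / b["failures"]
        if b["failures"] >= min_failures and spread >= min_spread:
            flagged.append({"start": EPOCH + idx * window, "failures": b["failures"],
                            "distinct_ips": len(b["ips"]), "distinct_users": len(b["users"])})
    return flagged


def suspect_successes(events, flagged, window=timedelta(minutes=10)):
    """Accounts that logged in successfully inside a flagged window: the reused
    credentials that worked, i.e. the accounts to reset first."""
    starts = {f["start"] for f in flagged}
    return sorted({user for ts, _ip, user, ok in events
                   if ok and EPOCH + ((ts - EPOCH) // window) * window in starts})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("per-IP offenders:", per_ip_offenders(ev) or "none")
    for f in stuffing_windows(ev):
        print(f"stuffing window at {f['start']:%H:%M}: {f['failures']} failures "
              f"from {f['distinct_ips']} IPs against {f['distinct_users']} accounts")
    print("accounts to reset:", suspect_successes(ev, stuffing_windows(ev)))
```

On the sample log the per-IP rule finds nothing, because no address fails more than once, while the site-wide rule flags the 10:20 window with 28 failures from 28 addresses against 28 accounts and names the two accounts that were actually entered. A real deployment would tune the thresholds against the site's own baseline of failed logins rather than use the fixed numbers assumed here.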

At this time, there are no known instances of anyone abusing Shard in the wild.

Readers are urged to use a password manager and to set a strong, unique password for each of their web accounts. They should also enable multi-factor authentication on every account that offers it: with a second factor in place, a reused password turning up in a breach dump is not by itself enough to log in.


One Response

  1. John

    September 25, 2016 at 9:41 am #

    We use Passwork (https://passwork.me) and we don't have to ask each other about passwords for hosting, mail, accounting, social networks and other services that we use. We have been using it to store passwords for more than a year. Everything is simple and clear. The same feature can be found in password managers like Keeper and LastPass. All of them use encryption and cloud storage, which means your data is always secured.
