Password Reuse Tool Makes It Easy To ID Vulnerable Accounts On Other Sites (arstechnica.com)
Dan Goodin, reporting for Ars Technica: Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites. Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May. "I used that password as a general password for many services," he wrote in an e-mail. "It was a pain to remember which sites it was shared and to change them all. I use a password manager now."
Re: (Score:1, Informative)
How many people in the US have to die before we realize that private ownership of guns is terrible idea?
You don't need a gun. If you have one, you can dispose of it at any police station, no questions asked.
If you're referring to the shooting in MI that's all over the news right now, this had nothing to do with private gun ownership. A criminal defendant in a courthouse grabbed a gun from a bailiff and shot two court officers.
Nice try.
Re: (Score:1)
This is why people transporting prisoners should not carry guns. If the bailiff had been armed with a nightstick, there would very likely be three more people alive tonight.
Re: (Score:3)
Which one? How about both points I made:
http://www.pewresearch.org/fac... [pewresearch.org]
http://crimeresearch.org/2015/... [crimeresearch.org]
Somehow the gun control crowd thinks that it's worse now than ever, but the available evidence just doesn't support that claim.
Re: (Score:1)
It's called sensationalism. Our media is more about entertainment and less about news.
Europeans need to understand that our news is more like the "SUN" and other tabloid news and less like the BBC.
Re: (Score:2)
http://crimeresearch.org/2015/... [crimeresearch.org]
And yet strangely enough we don't hear the same rhetoric about Canada, Norway, or the dozens of other countries who allow private ownership of firearms. I honestly think Europeans who say what you say are just full of themselves. Especially the ones who say "the rest of the world does x", or saying that "the US right of the rest of the world" when they're just talking about Europe as if just fucking Europe is the entire rest of the world. (I especially find it odd that they
Re: (Score:2)
Considering I am American, your whole argument fell apart like the poorly assembled straw man it is.
Re: (Score:2)
I've got 6 guns! and I can hear them all whisper to me to go on a murder spree... I tell them to shut up and cover my head at night with a pillow so I can't hear those dirty rotten guns trying to get me to go kill...
Why did they not tell me that guns do mind control and are sentient? I need to sue the Firearms store for not telling me!
Re: (Score:3)
How many people in the US have to die before we realize that private ownership of guns is terrible idea?
You don't need a gun. If you have one, you can dispose of it at any police station, no questions asked.
Although there may be some merit to what you say, I fail to see what it has to do with a password reuse tool.
Re: (Score:2)
If it is SSL/TLS, it doesn't matter. It's the same as when you send the actual password.
Re: Black Lives Matter (Score:2, Informative)
That really seems to depend on the state. In Arizona at least, there were 27 white guys shot by police last year. And yet, there was just 1 black person shot.
If we follow black lives matter logic, then police are clearly discriminating against white people in my state, and we should start a white lives matter movement.
Or if we simply follow rational logic instead, then we clearly see different behavior patterns in different racial groups in different geographical regions.
Arizona has some of the most lax gun
Re: (Score:2)
The latter makes sense, actually. You won't hear a progressive admit this even though deep down they know it's a fact, but progressive is really just a label that somebody places upon themselves when they're convinced that they've somehow figured it all out, and that only their views can possibly be the way forward, so fuck everybody else's perspective on any given matter because they're the only enlightened one in the world.
And speak of perspective, progressive, by the way, is a term that groups such as pro
no password manager (Score:5, Insightful)
A security researcher didn't already use a password manager? That, an 8-character password, and password reuse don't inspire confidence in the tool he wrote...
Re: (Score:2)
But, can you trust the password manager? A bug (or back door) in it could expose all your passwords.
And how good is the encryption protecting your passwords?
Re: (Score:2)
Indeed. A "security researcher" who thought an 8 character password--regardless of whether it was randomly-generated--was in any way sufficient for a single site, let alone across so many sites that they can't remember where they've used it, is not a researcher I would trust. Simply on account of the large numbers involved, it's virtually guaranteed that others would also land on that same password, as this researcher discovered.
Moreover, for any site not employing best techniques (i.e. hash+salt), you don'
Beware Facebook (Score:3, Informative)
Facebook records the passwords used in your failed login attempts. If you forgot which of your passwords is used on a given site, you are potentially divulging your passwords to many sites. Facebook may not be alone in this.
Re: (Score:2)
"Facebook records the passwords used in your failed login attempts."
Cite for that? (I'm not suggesting it's not true; and I don't use Facebook so I have no horse in this race. I just want to know more; and what possible reason there could be for it, etc...)
I've often speculated this would be a good attack vector to harvest people's -other- passwords. To simply deny them access to something with their legit password, and harvest the other stuff they try.
Re: (Score:2)
Dunno about Facebook, but Windows domain servers sure do. Not that they actually record passwords (so far as I know), but since they record every userID used in a login attempt, all you have to do is click the wrong field and enter your password into the 'name' box, and there it is, in clear text, one line above your actual userID which you presumably typed in your next attempt to log in.
Re: (Score:2)
but since they record every userID used in a login attempt, all you have to do is click the wrong field and enter your password into the 'name' box, and there it is, in clear text,
Yes, I think that's happened to all of us at one point or another.
I'm not sure you can fault windows for this behavior, though. I mean, would it be better to have 'an unknown user' tried logging in as the only recorded event? On some level knowing who tried to login to the server is a good thing. If some poor sap submits his password as the user name... there's only so much you can do.
And this can happen in any application; I've also variously pasted my password from the password manager into the URL bar, a
Re: (Score:1)
So they actually store the text of people's mistyped passwords (not as a hashed value) which might be only a single character different from their actual passwords? That doesn't seem like a very good idea if anyone gets hold of that database.
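As an added example (not code from the thread or from any product mentioned in it), here is a defender's pass over failed-logon records of the kind discussed above: it flags "user name" values that look like a password typed into the wrong field, attributes each to the account that next failed from the same source, and keeps the suspected password itself out of the finding so the report can be handled without spreading it further. The record shape, the naming convention and the sample entries are assumptions made for this example.

```python
import re

# Constructed sample records (invented for this example), shaped like the
# failed-logon entries discussed in the thread: user name, source, timestamp.
# The second entry is a password that landed in the user-name field.
FAILED_LOGONS = [
    {"ts": "2016-06-13T08:01:02", "user": "jsmith", "src": "10.0.0.5"},
    {"ts": "2016-06-13T08:01:09", "user": "Tr0ub4dor&3", "src": "10.0.0.5"},
    {"ts": "2016-06-13T08:01:15", "user": "jsmith", "src": "10.0.0.5"},
    {"ts": "2016-06-13T09:30:00", "user": "svc-backup", "src": "10.0.0.9"},
    {"ts": "2016-06-13T09:31:00", "user": "CORP\\a.lee", "src": "10.0.0.7"},
]

# Assumed local naming convention: optional DOMAIN\ prefix, then a letter
# followed by letters, digits, dot, dash or underscore; nothing else.
USERNAME_RE = re.compile(r"^(?:[A-Za-z0-9-]+\\)?[A-Za-z][A-Za-z0-9._-]{0,63}$")


def char_classes(s):
    """Count how many of lower, upper, digit and 'other symbol' classes s uses
    (dot, dash and underscore are part of the convention, so not 'other')."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9._-]")
    return sum(bool(re.search(p, s)) for p in patterns)


def looks_like_password(name):
    """Flag a 'user name' that breaks the naming convention, or whose account
    part mixes three or more character classes (tune for your own convention)."""
    if not USERNAME_RE.match(name):
        return True
    account = name.rsplit("\\", 1)[-1]          # strip any DOMAIN\ prefix
    return char_classes(account) >= 3


def find_leaked_credentials(records):
    """One finding per suspicious entry: when, from where, and the account that
    next failed from the same source (its probable owner, who should rotate the
    password). The suspicious value is never copied into the finding."""
    findings = []
    for i, rec in enumerate(records):
        if not looks_like_password(rec["user"]):
            continue
        owner = next((r["user"] for r in records[i + 1:]
                      if r["src"] == rec["src"] and not looks_like_password(r["user"])),
                     None)
        findings.append({"ts": rec["ts"], "src": rec["src"], "probable_owner": owner,
                         "user_field": "<REDACTED: possible password>"})
    return findings


if __name__ == "__main__":
    for finding in find_leaked_credentials(FAILED_LOGONS):
        print(finding)
```

The heuristic cannot catch an all-lowercase passphrase that also satisfies the naming convention; the fix on the logging side is to redact or hash the user-name field of failed attempts that match no known account.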
random? (Score:2)
the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May
Either he was part of the leak, and then it doesn't matter how long and strong his password was, only that he reused it (and the site did not salt enough); or it was someone else's password too by chance, but then it wasn't random, by at least three orders of magnitude, if it was found among ~2E8 "random" passwords.
Idiot Alert (Score:2)
"The security researcher said he developed the tool after discovering that the randomly generated eight-character password"
Wait, what do you mean he "discovered" this? Doesn't this "researcher" know what his own fucking passwords are?
-
"I used that password as a general password for many services," he wrote in an e-mail.
What he meant to say was, "I claim to be a security researcher but really I'm just a hypocritical idiot who doesn't practice what I preach."
I must be good then (Score:2)
I use the same login here, at Soylent, Fark, Ars, and a couple others I can't think of off the top of my head. Guess what? I use the same password too. Why? I don't care if someone steals my
My banks and anyone with my credit card #? You bet they all have different logins and passwords, for which I use keepass to manage.
LastPass has done this for awhile now (Score:1)
Seems like a more useful solution for most ppl since you want to trust the thing you give all your passwords to... a lot. Plus the fact that ppl might actually use it if LastPass or Google do it.
Google can just implement it right in their password sync feature.
Lastpass (Score:2)
Or just start using Lastpass...
TBH I didn't get how this software works. You type the password and it checks it against a few sites? That's it? That would be incredibly ineffective...
I have over 100 sites and passwords on my Lastpass Vault and it can tell me where and what passwords are currently being reused.