Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Password Reuse Tool Makes It Easy To ID Vulnerable Accounts On Other Sites (arstechnica.com) 60

Dan Goodin, reporting for Ars Technica: Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites. Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May. "I used that password as a general password for many services," he wrote in an e-mail. "It was a pain to remember which sites it was shared and to change them all. I use a password manager now."
This discussion has been archived. No new comments can be posted.

Password Reuse Tool Makes It Easy To ID Vulnerable Accounts On Other Sites

Comments Filter:
  • by Anonymous Coward on Monday July 11, 2016 @04:04PM (#52491975)

    A security researcher didn't already use a password manager? That, 8-character password, and password reuse doesn't inspire confidence in the tool he wrote...

    • Indeed. A "security researcher" who thought an 8 character password--regardless of whether it was randomly-generated--was in any way sufficient for a single site, let alone across so many sites that they can't remember where they've used it, is not a researcher I would trust. Simply on account of the large numbers involved, it's virtually guaranteed that others would also land on that same password, as this researcher discovered.

      Moreover, for any site not employing best techniques (i.e. hash+salt), you don'

  • Beware Facebook (Score:3, Informative)

    by Anonymous Coward on Monday July 11, 2016 @04:13PM (#52492061)

    Facebook records the passwords used in your failed login attempts. If you forgot which of your passwords is used on a given site, you are potentially divulging your passwords to many sites. Facebook may not be alone in this.

    • by vux984 ( 928602 )

      "Facebook records the passwords used in your failed login attempts."

      Cite for that? (I'm not suggesting its not true; and I don't use facebook so I have no horse in this race. I just want to know more; and what possible reason there could be for it, etc...)

      I've often speculated this would be a good attack vector to harvest people's -other- passwords. To simply deny them access to something with their legit password, and harvest the other stuff they try.

      • Dunno about Facebook, but Windows domain servers sure do. Not that they actually record passwords (so far as I know), but since they record every userID used in a login attempt, all you have to do is click the wrong field and enter your password into the 'name' box, and there it is, in clear text, one line above your actual userID which you presumably typed in your next attempt to log in.

        • by vux984 ( 928602 )

          but since they record every userID used in a login attempt, all you have to do is click the wrong field and enter your password into the 'name' box, and there it is, in clear text,

          Yes, I think that's happened to all of us at one point or another.

          I'm not sure you can fault windows for this behavior, though. I mean, would it be better to have 'an unknown user' tried logging in as the only recorded event? On some level knowing who tried to login to the server is a good thing. If some poor sap submits his password as the user name... there's only so much you can do.

          And this can happen in any application; I've also variously pasted my password from the password manager into the URL bar, a

    • So they actually store the text of people's mistyped passwords (not as a hashed value) which might be only a single character different from their actual passwords? That doesn't seem like a very good idea if anyone gets hold of that database.

  • the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May

    Either he was part of the leak, and then it doesn't matter how long and strong his password was, only that he reused it (and the site did not salt enough); or it was someone else's password too by chance, but then it wasn't random, by at least three orders of magnitude, if it was found among ~2E8 "random" passwords.

  • "The security researcher said he developed the tool after discovering that the randomly generated eight-character password"

    Wait, what do you mean he "discovered" this? Doesn't this "researcher" know what his own fucking passwords are?

    -

      "I used that password as a general password for many services," he wrote in an e-mail.

    What he meant to say was, "I claim to be a security researcher but really I'm just a hypocritical idiot who doesn't practice what I preach."

  • As I don't have an account with Facebook, LinkedIn, Reddit, Twitter, nor Instagram, I should be fine then.

    I use the same login here, at Soylent, Fark, Ars, and a couple others I can't think of off the top of my head. Guess what? I use the same password too. Why? I don't care if someone steals my /. karma.

    My banks and anyone with my credit card #? You bet they all have different logins and passwords, for which I use keepass to manage.
  • by Anonymous Coward

    Seems like a more useful solution for most ppl since you want to trust the thing you give all your passwords to .. . a lot. Plus the fact that ppl might actually use it if LastPass or Google do it.

    Google can just implement it right in their password sync feature.

  • Or just start using Lastpass...

    TBH i didn't get how this software works. You type the password and it checks it against a few sites? Thats it? That would be incredibly ineffective...

    I have over 100 sites and passwords on my Lastpass Vault and it can tell me where and what passwords are currently being reused.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...