“I used that password as a general password for many services,” he wrote in an e-mail. “It was a pain to remember which sites it was shared and to change them all. I use a password manager now.”
While O’Keefe developed Shard solely for defensive purposes, it’s not hard to envision attackers repurposing it for much more nefarious uses. Technically, the tool will check an unlimited number of credentials leaked from one site on other sites. It wouldn’t be hard to update the code to make it check accounts for banks and other financial services. And with only a little more work, it could also be modified to add a few random characters to a base word to account for users who may use “p@$$w0rd11” on one site and “p@$$w0rd22” on another.
All that would be left would be devising a way to bypass the rate limiting most services use to prevent a single IP address from trying to log into a suspiciously large number of accounts. Malicious hackers with access to huge numbers of already-infected computers could use their botnets to work around such measures.
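The rate limiting mentioned above is, in its simplest form, a per-source count of how many different accounts one IP address tries to log into within a short window. The following is an added example, not code from the article or from O'Keefe's Shard tool, showing that check run over a constructed authentication log; the log format, the IP addresses, the account names and the 5-minute/3-account thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article or from Shard).
# One event per line: "<ISO timestamp> <source IP> <account> <result>"
SAMPLE_LOG = """\
2016-01-01T10:00:00 203.0.113.7 alice FAIL
2016-01-01T10:00:02 203.0.113.7 bob FAIL
2016-01-01T10:00:04 203.0.113.7 carol FAIL
2016-01-01T10:00:06 203.0.113.7 dave OK
2016-01-01T10:01:00 198.51.100.5 alice FAIL
2016-01-01T10:01:20 198.51.100.5 alice FAIL
2016-01-01T10:01:40 198.51.100.5 alice OK
2016-01-01T10:00:00 192.0.2.9 eve FAIL
2016-01-01T10:10:00 192.0.2.9 frank FAIL
2016-01-01T10:20:00 192.0.2.9 grace FAIL
2016-01-01T10:30:00 192.0.2.9 henry FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def max_distinct_accounts_per_ip(log_text, window):
    """For every source IP, return the largest number of *distinct* accounts it
    attempted within any interval of length `window` (sliding window per IP).
    Failed and successful attempts both count: a real user retrying their own
    account stays at 1, while an address walking a list of accounts climbs."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # ip -> (timestamp, account) pairs still inside the window
    peak = defaultdict(int)      # ip -> highest distinct-account count seen
    for ts, ip, account, _result in events:
        q = recent[ip]
        q.append((ts, account))
        while ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        distinct = len({acct for _, acct in q})
        peak[ip] = max(peak[ip], distinct)
    return dict(peak)


def find_stuffing_sources(log_text, window=timedelta(minutes=5), threshold=3):
    """IPs whose distinct-account count within one window exceeds `threshold`;
    these are the addresses a simple rate limiter would start blocking."""
    counts = max_distinct_accounts_per_ip(log_text, window)
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    # Expected: only 203.0.113.7 is flagged (4 accounts in a few seconds).
    # 198.51.100.5 is an ordinary user retrying one account, and 192.0.2.9
    # spreads its four attempts 10 minutes apart, so each 5-minute window
    # holds a single account and it slips under the threshold.
    print(find_stuffing_sources(SAMPLE_LOG))
```

The third address in the sample log shows the limitation the article goes on to describe: a source that spaces its attempts out, or splits them across many addresses, never exceeds the per-window count. Widening the window (for instance to an hour) catches the slow single-source case in this example, but distributed traffic still has to be correlated on something other than the source IP, such as the accounts being targeted.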
“I think it is difficult for services to ban traffic originating from this tool because it looks like normal traffic, like a real user is logging in using a browser,” O’Keefe said.
So far, Ars isn’t aware of reports of such malicious tools circulating in the wild, but it wouldn’t be surprising if they exist and are already being used. Readers are once again advised to use a password manager to store a unique, randomly generated password that’s a minimum of 10 characters long and contains a mix of upper- and lower-case letters, numbers, and special characters. Whenever possible, people should also use multi-factor authentication.