Now it’s easy to see if leaked passwords work on other sites

Share this…

Freely available tool follows the release of more than 642 million account credentials.

Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there’s software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites.


Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O’Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among themore than 177 million LinkedIn passwords that were leaked in May.

“I used that password as a general password for many services,” he wrote in an e-mail. “It was a pain to remember which sites it was shared and to change them all. I use a password manager now.”

While O’Keefe developed Shard solely for defensive purposes, it’s not hard to envision attackers repurposing it for much more nefarious uses. Technically, the tool will check an unlimited number of credentials leaked from one site on other sites. It wouldn’t be hard to update the code to make it check accounts for banks and other financial services. And with only a little more work, it could also be modified to add a few random characters to a base word to account for users who may use “p@$$w0rd11” on one site and “p@$$w0rd22” on another.

All that would be left would be devising a way to bypass the rate limiting most services use to prevent a single IP address from trying to log into a suspiciously large number of accounts. Malicious hackers with access to huge numbers of already-infected computers could use their botnets to work around such measures.

“I think it is difficult for services to ban traffic originating from this tool because it looks like normal traffic, like a real user is logging in using a browser,” O’Keefe said.

So far, Ars isn’t aware of reports of such malicious tools circulating in the wild, but it wouldn’t be surprising if they exist and are already being used. Readers are once again advised to use a password manager to store a unique, randomly generated password that’s a minimum of 10 characters long and contains a mix of upper- and lower-case letters, numbers, and special characters. Whenever possible, people should also used multi-factor authentication.