Slashdot Mirror


Password Reuse Tool Makes It Easy To ID Vulnerable Accounts On Other Sites (arstechnica.com)

Dan Goodin, reporting for Ars Technica: Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites. Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May. "I used that password as a general password for many services," he wrote in an e-mail. "It was a pain to remember which sites it was shared and to change them all. I use a password manager now."

60 comments

  1. Stupid idea by Anonymous Coward · · Score: 0

    Let's use a tool that sends a known password to a whole bunch of sites to see if it works there. What could possibly go wrong?

    This idea is fundamentally flawed.

    1. Re:Stupid idea by buchner.johannes · · Score: 1

      If it is SSL/TLS, it doesn't matter. It's the same as when you send the actual password.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:Stupid idea by Anonymous Coward · · Score: 0

      It is not about eavesdropping. It is about you sending a working password for another site to potential untrusted third parties.

    3. Re: Stupid idea by Anonymous Coward · · Score: 0

      and a security researcher who doesn't know how bruteforcing works and uses an 8-char password that is both quick to brute AND hard to remember.

  2. Re:Another Day Another Mass Shooting by Anonymous Coward · · Score: 1, Informative

    How many people in the US have to die before we realize that private ownership of guns is terrible idea?

    You don't need a gun. If you have one, you can dispose of it at any police station, no questions asked.

    If you're referring to the shooting in MI that's all over the news right now, this had nothing to do with private gun ownership. A criminal defendant in a courthouse grabbed a gun from a bailiff and shot two court officers.

    Nice try.

  3. Re:Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    We don't need guns in court houses either, IMHO.

  4. Re: Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    Courthouses should be secure, which is why police protect them with guns and other weapons. It makes perfect sense that police and armed guards would be present in a place where violent criminals are also present, just like police and armed guards provide security at prisons. You, however, cannot bring guns or other weapons into courthouses. That is why you have to go through a metal detector and empty your pockets on the way in.

  5. no password manager by Anonymous Coward · · Score: 5, Insightful

    A security researcher didn't already use a password manager? That, an 8-character password, and password reuse don't inspire confidence in the tool he wrote...

    1. Re: no password manager by Anonymous Coward · · Score: 0

      Not to mention, why bother with the tool at all? The solution is to use a password manager. The result of the tool is meaningless.

    2. Re: no password manager by UnderCoverPenguin · · Score: 1

      But, can you trust the password manager? A bug (or back door) in it could expose all your passwords.

      And how good is the encryption protecting your passwords?

      --
      Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    3. Re: no password manager by Anonymous Coward · · Score: 0

      Trust it until there's a reason not to. Take good care of it and whatever it's on. Keys to the kingdom.

      I have three password managers for various things ;)

    4. Re: no password manager by Anonymous Coward · · Score: 0

      They're built into Mac OS X and many Linux desktop environments. Apps can query the password manager for your passwords, which is handled automatically if you're logged in. You can also request that it ask for a master password every time an app requests a password, for example: Chrome browser asking for your Facebook password.

    5. Re:no password manager by Anonymous Coward · · Score: 0

      Must have it written on a post-it and stuck to the bottom of the keyboard. Wait, why didn't he also write the host on it? Would have made it insecure I guess. :)

      Instead of a tool to check if a password is used on a site why not make a tool that can change the password on all sites to a new random password (one per site) and update the password manager?

    6. Re:no password manager by Anubis+IV · · Score: 1

      Indeed. A "security researcher" who thought an 8 character password--regardless of whether it was randomly-generated--was in any way sufficient for a single site, let alone across so many sites that they can't remember where they've used it, is not a researcher I would trust. Simply on account of the large numbers involved, it's virtually guaranteed that others would also land on that same password, as this researcher discovered.

      Moreover, for any site not employing best techniques (i.e. hash+salt), you don't have to look around online for too long to find databases that can provide a reverse-lookup to go from a pre-generated list of hashes back to the passwords that produced them (e.g. rainbow tables). Last year when I looked around, the lookups could be done on most of the common hash methods and would work on any password up to 14 or 15 characters in length. I wouldn't be surprised if they've gotten even further by this point. So if any of those sites you used your 8 character password at were hacked and weren't employing best techniques, your password would be one of the easiest ones to decipher.

      First thing I did when I switched to using a password manager years and years ago was to have it tell me which passwords were duplicates of each other, then go through and update each of them to max-length, randomly-generated passwords. Perhaps ironically, banking and other financial institutions in my experience seem to have the strictest limits on how long a password can be, which makes it all the more important to ensure that they are not reused elsewhere, and that additional factors for authentication are layered on top as well.

  6. 8-character...lol by Anonymous Coward · · Score: 0

    On a list. Haha

  7. Beware Facebook by Anonymous Coward · · Score: 3, Informative

    Facebook records the passwords used in your failed login attempts. If you forgot which of your passwords is used on a given site, you are potentially divulging your passwords to many sites. Facebook may not be alone in this.

    1. Re:Beware Facebook by vux984 · · Score: 1

      "Facebook records the passwords used in your failed login attempts."

      Cite for that? (I'm not suggesting it's not true; and I don't use Facebook so I have no horse in this race. I just want to know more; and what possible reason there could be for it, etc...)

      I've often speculated this would be a good attack vector to harvest people's -other- passwords. To simply deny them access to something with their legit password, and harvest the other stuff they try.

    2. Re:Beware Facebook by michelcolman · · Score: 1

      So they actually store the text of people's mistyped passwords (not as a hashed value) which might be only a single character different from their actual passwords? That doesn't seem like a very good idea if anyone gets hold of that database.

    3. Re:Beware Facebook by cellocgw · · Score: 1

      Dunno about Facebook, but Windows domain servers sure do. Not that they actually record passwords (so far as I know), but since they record every userID used in a login attempt, all you have to do is click the wrong field and enter your password into the 'name' box, and there it is, in clear text, one line above your actual userID which you presumably typed in your next attempt to log in.

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    4. Re:Beware Facebook by vux984 · · Score: 1

      but since they record every userID used in a login attempt, all you have to do is click the wrong field and enter your password into the 'name' box, and there it is, in clear text,

      Yes, I think that's happened to all of us at one point or another.

      I'm not sure you can fault Windows for this behavior, though. I mean, would it be better to have 'an unknown user' tried logging in as the only recorded event? On some level knowing who tried to log in to the server is a good thing. If some poor sap submits his password as the user name... there's only so much you can do.

      And this can happen in any application; I've also variously pasted my password from the password manager into the URL bar, and into the user name field a couple times. Or just typed it after misclicking the destination field. I've also pasted passwords into the body of email messages, skype messages, and other text editors by mistake forgetting that I had a password on the clipboard and/or because the previous copy-action of whatever I wanted to paste didn't override it, etc, etc.

      In most contexts this is fairly harmless unless I press send or submit etc. But even in the best case it throws it up on my screen in plaintext for anyone overlooking to see. And in some cases, like a web form where you type the password in the wrong field and press submit... well, you probably submitted it to the server, which wasn't great. And with a lot of forms it now becomes part of the dropdown list of history/suggestions for that form field too (whether it's your city or phone number or whatever...)... which can be a hassle to clean up.

      This is the one argument FOR periodic password rotation rules to ensure passwords that leak due to 'oops' mis-clicks get cleaned up.

  8. Re: Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    I don't believe you. Link?

  9. Re: Black Lives Matter by ArmoredDragon · · Score: 1, Informative

    That really seems to depend on the state. In Arizona at least, there were 27 white guys shot by police last year. And yet, there was just 1 black person shot.

    If we follow black lives matter logic, then police are clearly discriminating against white people in my state, and we should start a white lives matter movement.

    Or if we simply follow rational logic instead, then we clearly see different behavior patterns in different racial groups in different geographical regions.

    Arizona has some of the most lax gun laws, by the way. For example, you don't need a permit to conceal carry here, and there are practically no limits on the type of weapon you can carry so long as it doesn't break federal rules. You can however sidestep federal rules here if you mill your own weapon.

  10. Re:Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    Allowing arms to rest in the hands of "responsible" governments while denying them to citizens hasn't historically worked better, and the data on modern societies is not statistically sound for projecting success on the US.

  11. Re:Another Day Another Mass Shooting by BitterOak · · Score: 2

    How many people in the US have to die before we realize that private ownership of guns is terrible idea?

    You don't need a gun. If you have one, you can dispose of it at any police station, no questions asked.

    Although there may be some merit to what you say, I fail to see what it has to do with a password reuse tool.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  12. random? by CSMoran · · Score: 1

    the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May

    Either he was part of the leak, and then it doesn't matter how long and strong his password was, only that he reused it (and the site did not salt enough); or it was someone else's password too by chance, but then it wasn't random, by at least three orders of magnitude, if it was found among ~2E8 "random" passwords.

    --
    Every end has half a stick.
    1. Re:random? by Anonymous Coward · · Score: 0

      The LinkedIn leak (which is actually from 2012) has passwords that are SHA1 hashes, without salts. And the leak is about 250M raw hashes based on line count (a lot of them are duplicates, only about 65M unique hashes).
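      The hash+salt point in the Anubis+IV reply above (reverse lookups against unsalted hashes) and the note here that the LinkedIn dump is unsalted SHA-1 with many duplicate hashes, as an added example that is not part of the thread: constructed accounts and a constructed wordlist stand in for a dump and a precomputed table, and `salted_sha1` is illustrative only (SHA-1 with a salt, not a proper KDF).

```python
import hashlib
import os
from collections import Counter

# Constructed sample standing in for a breach dump: accounts and the
# passwords they chose. Two accounts share a password, as happens at scale.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "Summer2016!",
    "carol": "Summer2016!",
    "dave": "xK9#pL2qVd",
}

# Constructed wordlist standing in for a precomputed (rainbow-table style)
# lookup: hash each candidate once, then match any unsalted dump by lookup.
WORDLIST = ["password", "Summer2016!", "123456", "correct horse"]


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1 of the password alone: the scheme in the LinkedIn dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-account random salt plus the password.

    Illustrates the effect of salting only; a real system should use a
    slow, salted KDF such as bcrypt, scrypt or Argon2 rather than SHA-1.
    """
    return hashlib.sha1(salt + password.encode()).hexdigest()


def dump_unsalted(users: dict) -> dict:
    """user -> unsalted hash, as a leaked unsalted table would look."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def dump_salted(users: dict) -> dict:
    """user -> (salt, hash) with a fresh 16-byte salt per account."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        out[user] = (salt, salted_sha1(pw, salt))
    return out


def accounts_sharing_a_hash(hashes: dict) -> int:
    """Number of accounts whose hash appears under at least one other account.

    With no salt, identical passwords give identical hashes, so reuse across
    accounts is visible in the dump itself (the '65M unique of 250M' effect).
    """
    counts = Counter(hashes.values())
    return sum(1 for h in hashes.values() if counts[h] > 1)


def lookup_table_hits(hashes: dict, wordlist: list) -> dict:
    """Match a dump against a table precomputed once from the wordlist.

    Returns user -> password for every account whose hash is in the table.
    Against a salted dump the same table returns nothing, because the table
    was computed without each account's salt.
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


if __name__ == "__main__":
    unsalted = dump_unsalted(SAMPLE_USERS)
    print("unsalted: shared =", accounts_sharing_a_hash(unsalted),
          "table hits =", lookup_table_hits(unsalted, WORDLIST))
    salted = {u: h for u, (_, h) in dump_salted(SAMPLE_USERS).items()}
    print("salted:   shared =", accounts_sharing_a_hash(salted),
          "table hits =", lookup_table_hits(salted, WORDLIST))
```

Run it twice: the unsalted figures are identical each time, while the salted hashes differ on every run even though the passwords did not change.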

  13. Re:Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    How many people in the US have to die before we realize that private ownership of guns is terrible idea?

    You don't need a gun. If you have one, you can dispose of it at any police station, no questions asked.

    Go ahead and walk into a police station with a gun and let natural selection determine what the results will be.

  14. Re:Another Day Another Mass Shooting by umghhh · · Score: 1

    I have not seen it this way till now but now you convinced me that disarming yourself is an idea that can easily kill you thus should not be followed.

  15. Re: Black Lives Matter by Anonymous Coward · · Score: 0

    If you say "white lives matter", then you're racist.

    If you say "black lives matter", then you're progressive.

  16. Re: Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    I find it odd that violent gun crimes are at a record low while at the same time the US actually has fewer mass shootings per capita than Europe, yet somehow these mass shootings in the US are being called epidemic by the media.

    Everything is an epidemic to the media, it's one of their favorite words. Epidemic of cop shootings. Epidemic of lost dogs. Epidemic of divorces. Epidemic of broken cups.

  17. ...why does EVERY site seem to want a sign-up? by Anonymous Coward · · Score: 0

    These days there's dozens if not hundreds of sites you can "sign in with" trivially, but so few support anything more than perhaps Facebook.

    Just avoid passwords entirely: Let one of the big movers/shakers handle your user auth, stop creating accounts yourself. XD

  18. Re: Another Day Another Mass Shooting by mrbester · · Score: 0

    I find it odd that I don't hear about all these European cases, but rather the ones that happen on a daily basis in US.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  19. Re: Another Day Another Mass Shooting by Lumpy · · Score: 0

    It's called sensationalism. Our media is more about entertainment and less about news.

    Europeans need to understand that our news is more like the "SUN" and other tabloid news and less like the BBC.

    --
    Do not look at laser with remaining good eye.
  20. Re:Another Day Another Mass Shooting by Lumpy · · Score: 1

    I've got 6 guns! and I can hear them all whisper to me to go on a murder spree... I tell them to shut up and cover my head at night with a pillow so I can't hear those dirty rotten guns trying to get me to go kill...

    Why did they not tell me that guns do mind control and are sentient? I need to sue the Firearms store for not telling me!

    --
    Do not look at laser with remaining good eye.
  21. Idiot Alert by JustAnotherOldGuy · · Score: 1

    "The security researcher said he developed the tool after discovering that the randomly generated eight-character password"

    Wait, what do you mean he "discovered" this? Doesn't this "researcher" know what his own fucking passwords are?

    -

      "I used that password as a general password for many services," he wrote in an e-mail.

    What he meant to say was, "I claim to be a security researcher but really I'm just a hypocritical idiot who doesn't practice what I preach."

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: Idiot Alert by Anonymous Coward · · Score: 0

      WTF. Indeed this guy should try another job.
      What, you have to write modules to actually test more than 5 sites?
      What, you can store clear text passwords in a list?
      Must be April Fools'...

  22. I must be good then by Snotnose · · Score: 1

    As I don't have an account with Facebook, LinkedIn, Reddit, Twitter, or Instagram, I should be fine then.

    I use the same login here, at Soylent, Fark, Ars, and a couple others I can't think of off the top of my head. Guess what? I use the same password too. Why? I don't care if someone steals my /. karma.

    My banks and anyone with my credit card #? You bet they all have different logins and passwords, for which I use keepass to manage.

    1. Re:I must be good then by Anonymous Coward · · Score: 0

      Yeah, you're missing the big security holes, but Ars, /., and others can leak too. In my case, Googling my name doesn't produce immediate results because there are several other people with my name who are way higher in the search stats, and I'm happy to leave them there as the big targets. Also, the fact that I don't frequent or even have an account at most of the social sites almost certainly helps. OTOH, using a real email address on a comment page or for buying something, even once, usually results in a flurry of spambot attacks lasting several months (luckily, my mail router has a good spam catcher). As somebody's article recently said (and as I told IT for years though they never listened), the internet is actively hostile, not just a bunch of data pipes.

  23. LastPass has done this for awhile now by Anonymous Coward · · Score: 1

    Seems like a more useful solution for most ppl since you want to trust the thing you give all your passwords to... a lot. Plus the fact that ppl might actually use it if LastPass or Google do it.

    Google can just implement it right in their password sync feature.

  24. Re: Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    Nice try at giving a fake citation. Your "link" is returning results for "gun crime statistics us graph". Where does Europe come into play here?
    As a European, the last mass shooting we had was Paris, which is, well, not quite comparable to your domestic gun massacres.

    If you have any real citation, I'd appreciate, but as it stands, you just try to spread FUD.

  25. Re: Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    You forgot the epidemic of retarded comments on /.

    I am not an American. You do have a fracking epidemic. The "0 Days since last mass shooting"-Meme is right on spot.

    What you need to do is let your fricking guns go. You do not need them. And when you finally get that, the policing will be metric shitloads (yes, metric, because you will surely adopt the superior metric system before you let your guns go) more effective, because someone who carries a gun is a bloody criminal.

    It does work for about every nation.

  26. Re: Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    Americans need to understand that you do have shitty news, but two wrongs do not make a right. You do have a blatantly excessive regime of guns.
    Let them go. You don't need them. Like you can fend off the Evil Government with a gun. No, you can't. You can die trying, that's probably a reasonable cause if one is looking at the whole picture, but in the end, you will be another domestic terrorist or mass shooter. And nothing has changed.

  27. Re: Another Day Another Mass Shooting by bjohnson · · Score: 0

    This is why people transporting prisoners should not carry guns. If the bailiff had been armed with a nightstick, there would very likely be three more people alive tonight.

  28. Lastpass by dafradu · · Score: 1

    Or just start using Lastpass...

    TBH I didn't get how this software works. You type the password and it checks it against a few sites? That's it? That would be incredibly ineffective...

    I have over 100 sites and passwords on my Lastpass Vault and it can tell me where and what passwords are currently being reused.

  29. Re:Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    I've got 6 guns!

    You're a psychopath. Nobody needs a single gun let alone 6. I can't wait for the day that all the guns are rounded up and ground down into a fine powder.

  30. Re: Another Day Another Mass Shooting by ArmoredDragon · · Score: 2

    Which one? How about both points I made:

    http://www.pewresearch.org/fac...

    http://crimeresearch.org/2015/...

    Somehow the gun control crowd thinks that it's worse now than ever, but the available evidence just doesn't support that claim.

  31. Re: Another Day Another Mass Shooting by ArmoredDragon · · Score: 1

    http://crimeresearch.org/2015/...

    And yet strangely enough we don't hear the same rhetoric about Canada, Norway, or the dozens of other countries who allow private ownership of firearms. I honestly think Europeans who say what you say are just full of themselves. Especially the ones who say "the rest of the world does x", or saying that "the US right of the rest of the world" when they're just talking about Europe as if just fucking Europe is the entire rest of the world. (I especially find it odd that they consider the US to be more authoritarian than nearly every Asian country, who far outnumber Europe, in addition to flat out ignoring politics in the Middle East, Africa, and South America...because, you know, all that matters is fucking Europe.)

  32. Re: Black Lives Matter by ArmoredDragon · · Score: 1

    The latter makes sense, actually. You won't hear a progressive admit this even though deep down they know it's a fact, but progressive is really just a label that somebody places upon themselves when they're convinced that they've somehow figured it all out, and that only their views can possibly be the way forward, so fuck everybody else's perspective on any given matter because they're the only enlightened one in the world.

    And speaking of perspective, progressive, by the way, is a term that groups such as prohibitionists, Nazis, and a number of other infamous groups have applied to themselves in the past, even though in the end they turned out to be way wrong.

  33. Re: Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    You do hear about "all these European cases", there aren't very many of them. The site "Armored Dragon" linked does an old, old trick of American pro-gun nuts by just claiming it's not a "mass shooting" unless lots of people die. The result is that only a handful of cases, mostly terrorist attacks, show up, whether in the US or Europe and in that noise you can claim it's not an American problem.

  34. Re: Another Day Another Mass Shooting by Anonymous Coward · · Score: 0

    And yet strangely enough we don't hear the same rhetoric about Canada, Norway, or the dozens of other countries who allow private ownership of firearms.

    They do it without the gun fetishism.

  35. "eight-character password" - there's your problem. by Anonymous Coward · · Score: 0

    Right there. What an idiot.

  36. Re: "eight-character password" - there's your prob by Anonymous Coward · · Score: 0

    but it's random and very hard to remember!

  37. Re: Another Day Another Mass Shooting by Lumpy · · Score: 1

    Considering I am American, your whole argument fell apart like the poorly assembled straw man it is.

    --
    Do not look at laser with remaining good eye.
  38. Re: Black Lives Matter by Anonymous Coward · · Score: 0

    You won't hear a conservative admit this even though deep down they know it's a fact, but conservative is really just a label that somebody places upon themselves when they're convinced that they've somehow figured it all out, and that only their views can possibly be the way to do things, so fuck everybody else's perspective on any given matter because they're the only enlightened one in the world.

    Fixed that for you, or gave you a new perspective on it. Don't tell me it's not true. You know it is. You just don't want to admit it.

    And speaking of perspective, conservative, by the way, is a term that groups such as prohibitionists, Nazis, and a number of other infamous groups have applied to themselves in the past, even though in the end they turned out to be way wrong.

    True story, Moonshiners often perceived themselves as Conservative, and against the Revenue agents, and went to some lengths to violently resist taxation. The Whiskey Rebellion may be the most prominent, but it wasn't the only example. Of course, the Temperance movement was highly religious, Christian and ultimately Conservative as well. And they were often stridently anti-Catholic due to that religion's continued use of wine.

    And the Nazis? They were a Fusion Populist Party, they pulled as much from "The Glorious German Past" as any ideas of the future. They embraced as many conservatives as they suppressed. It was all about power for them. If supporting the family got them support, go for it. If supporting some breeding the new superior man was good? Go for it.

    But seriously, so what if they called themselves "progressive" or "socialist"? It's not like words have defined meanings that can't be used by dishonest men to misrepresent them. Or ignorant. Prairie Dogs aren't canines, and the Holy Roman Empire was none of the above. And there is no cause so pure it can't be used for evil.