Password Reuse Tool Makes It Easy To ID Vulnerable Accounts On Other Sites

Dan Goodin, reporting for Ars Technica: Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites. Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May. "I used that password as a general password for many services," he wrote in an e-mail. "It was a pain to remember which sites it was shared and to change them all. I use a password manager now."

Beware Facebook

Facebook records the passwords used in your failed login attempts. If you forgot which of your passwords is used on a given site, you are potentially divulging your passwords to many sites. Facebook may not be alone in this.