Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Reuse Tool Makes It Easy To ID Vulnerable Accounts On Other Sites (arstechnica.com)

Posted by msmash on from the easy-fix dept.

Dan Goodin, reporting for Ars Technica: Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites. Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May. "I used that password as a general password for many services," he wrote in an e-mail. "It was a pain to remember which sites it was shared and to change them all. I use a password manager now."

23 of 60 comments (clear)

  1. Re:Another Day Another Mass Shooting by Anonymous Coward · · Score: 1, Informative

    How many people in the US have to die before we realize that private ownership of guns is terrible idea?

    You don't need a gun. If you have one, you can dispose of it at any police station, no questions asked.

    If you're referring to the shooting in MI that's all over the news right now, this had nothing to do with private gun ownership. A criminal defendant in a courthouse grabbed a gun from a bailiff and shot two court officers.

    Nice try.

  2. no password manager by Anonymous Coward · · Score: 5, Insightful

    A security researcher didn't already use a password manager? That, 8-character password, and password reuse doesn't inspire confidence in the tool he wrote...

    1. Re: no password manager by UnderCoverPenguin · · Score: 1

      But, can you trust the password manager? A bug (or back door) in it could expose all your passwords.

      And how good is the encryption protecting your passwords?

      --
      Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    2. Re:no password manager by Anubis+IV · · Score: 1

      Indeed. A "security researcher" who thought an 8 character password--regardless of whether it was randomly-generated--was in any way sufficient for a single site, let alone across so many sites that they can't remember where they've used it, is not a researcher I would trust. Simply on account of the large numbers involved, it's virtually guaranteed that others would also land on that same password, as this researcher discovered.

      Moreover, for any site not employing best techniques (i.e. hash+salt), you don't have to look around online for too long to find databases that can provide a reverse-lookup to go from a pre-generated list of hashes back to the passwords that produced them (e.g. rainbow tables). Last year when I looked around, the lookups could be done on most of the common hash methods and would work on any password up to 14 or 15 characters in length. I wouldn't be surprised if they've gotten even further by this point. So if any of those sites you used your 8 character password at were hacked and weren't employing best techniques, your password would be one of the easiest ones to decipher.

      First thing I did when I switched to using a password manager years and years ago was to have it tell me which passwords were duplicates of each other, then go through and update each of them to max-length, randomly-generated passwords. Perhaps ironically, banking and other financial institutions in my experience seem to have the strictest limits on how long a password can be, which makes it all the more important to ensure that they are not reused elsewhere, and that additional factors for authentication are layered on top as well.

  3. Beware Facebook by Anonymous Coward · · Score: 3, Informative

    Facebook records the passwords used in your failed login attempts. If you forgot which of your passwords is used on a given site, you are potentially divulging your passwords to many sites. Facebook may not be alone in this.

    1. Re:Beware Facebook by vux984 · · Score: 1

      "Facebook records the passwords used in your failed login attempts."

      Cite for that? (I'm not suggesting its not true; and I don't use facebook so I have no horse in this race. I just want to know more; and what possible reason there could be for it, etc...)

      I've often speculated this would be a good attack vector to harvest people's -other- passwords. To simply deny them access to something with their legit password, and harvest the other stuff they try.

    2. Re:Beware Facebook by michelcolman · · Score: 1

      So they actually store the text of people's mistyped passwords (not as a hashed value) which might be only a single character different from their actual passwords? That doesn't seem like a very good idea if anyone gets hold of that database.

    3. Re:Beware Facebook by cellocgw · · Score: 1

      Dunno about Facebook, but Windows domain servers sure do. Not that they actually record passwords (so far as I know), but since they record every userID used in a login attempt, all you have to do is click the wrong field and enter your password into the 'name' box, and there it is, in clear text, one line above your actual userID which you presumably typed in your next attempt to log in.

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    4. Re:Beware Facebook by vux984 · · Score: 1

      but since they record every userID used in a login attempt, all you have to do is click the wrong field and enter your password into the 'name' box, and there it is, in clear text,

      Yes, I think that's happened to all of us at one point or another.

      I'm not sure you can fault windows for this behavior, though. I mean, would it be better to have 'an unknown user' tried logging in as the only recorded event? On some level knowing who tried to login to the server is a good thing. If some poor sap submits his password as the user name... there's only so much you can do.

      And this can happen in any application; I've also variously pasted my password from the password manager into the URL bar, and into the user name field a couple times. Or just typed it after misclicking the destination field. I've also pasted passwords into the body of email messages, skype messages, and other text editors by mistake forgetting that I had a password on the clipboard and/or because the previous copy-action of whatever I wanted to paste didn't override it, etc, etc.

      In most contexts this is fairly harmless unless I press send or submit etc. But even in the best case it throws it up on my screen in plaintext for anyone overlooking to see. And in some cases, like a web form you type the password in the wrong field and press submit... well you probably submitted it to the server, which wasn't great. And with a lot of forms it now becomes part of the dropdown list of history/suggestions for that form field too (whether its your city or phone number or whatever...)... which can be a hassle to clean up.

      This is the one argument FOR periodic password rotation rules to ensure passwords that leak due to 'oops' mis-clicks get cleaned up.

  4. Re:Stupid idea by buchner.johannes · · Score: 1

    If it is SSL/TLS, it doesn't matter. It's the same as when you send the actual password.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  5. Re: Black Lives Matter by ArmoredDragon · · Score: 1, Informative

    That really seems to depend on the state. In Arizona at least, there were 27 white guys shot by police last year. And yet, there was just 1 black person shot.

    If we follow black lives matter logic, then police are clearly discriminating against white people in my state, and we should start a white lives matter movement.

    Or if we simply follow rational logic instead, then we clearly see different behavior patterns in different racial groups in different geographical regions.

    Arizona has some of the most lax gun laws, by the way. For example, you don't need a permit to conceal carry here, and there are practically no limits on the type of weapon you can carry so long as it doesn't break federal rules. You can however sidestep federal rules here if you mill your own weapon.

  6. Re:Another Day Another Mass Shooting by BitterOak · · Score: 2

    How many people in the US have to die before we realize that private ownership of guns is terrible idea?

    You don't need a gun. If you have one, you can dispose of it at any police station, no questions asked.

    Although there may be some merit to what you say, I fail to see what it has to do with a password reuse tool.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  7. random? by CSMoran · · Score: 1

    the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May

    Either he was part of the leak, and then it doesn't matter how long and strong his password was, only that he reused it (and the site did not salt enough); or it was someone else's password too by chance, but then it wasn't random, by at least three orders of magnitude, if it was found among ~2E8 "random" passwords.

    --
    Every end has half a stick.
  8. Re:Another Day Another Mass Shooting by umghhh · · Score: 1

    I have not seen it this way till now but now you convinced me that disarming yourself is an idea that can easily kill you thus should not be followed.

  9. Re:Another Day Another Mass Shooting by Lumpy · · Score: 1

    I've got 6 guns! and I can hear them all whisper to me to go on a murder spree... I tell them to shut up and cover my head at night with a pillow so I cant hear those dirty rotten guns trying to get me to go kill...

    Why did they not tell me that guns do mind control and are sentient? I need to sue the Firearms store for not telling me!

    --
    Do not look at laser with remaining good eye.
  10. Idiot Alert by JustAnotherOldGuy · · Score: 1

    "The security researcher said he developed the tool after discovering that the randomly generated eight-character password"

    Wait, what do you mean he "discovered" this? Doesn't this "researcher" know what his own fucking passwords are?

    -

      "I used that password as a general password for many services," he wrote in an e-mail.

    What he meant to say was, "I claim to be a security researcher but really I'm just a hypocritical idiot who doesn't practice what I preach."

    --
    Just cruising through this digital world at 33 1/3 rpm...
  11. I must be good then by Snotnose · · Score: 1

    As I don't have an account with Facebook, LinkedIn, Reddit, Twitter, nor Instagram, I should be fine then.

    I use the same login here, at Soylent, Fark, Ars, and a couple others I can't think of off the top of my head. Guess what? I use the same password too. Why? I don't care if someone steals my /. karma.

    My banks and anyone with my credit card #? You bet they all have different logins and passwords, for which I use keepass to manage.

  12. LastPass has done this for awhile now by Anonymous Coward · · Score: 1

    Seems like a more useful solution for most ppl since you want to trust the thing you give all your passwords to .. . a lot. Plus the fact that ppl might actually use it if LastPass or Google do it.

    Google can just implement it right in their password sync feature.

  13. Lastpass by dafradu · · Score: 1

    Or just start using Lastpass...

    TBH i didn't get how this software works. You type the password and it checks it against a few sites? Thats it? That would be incredibly ineffective...

    I have over 100 sites and passwords on my Lastpass Vault and it can tell me where and what passwords are currently being reused.

  14. Re: Another Day Another Mass Shooting by ArmoredDragon · · Score: 2

    Which one? How about both points I made:

    http://www.pewresearch.org/fac...

    http://crimeresearch.org/2015/...

    Somehow the gun control crowd thinks that it's worse now than ever, but the available evidence just doesn't support that claim.

  15. Re: Another Day Another Mass Shooting by ArmoredDragon · · Score: 1

    http://crimeresearch.org/2015/...

    And yet strangely enough we don't hear the same rhetoric about Canada, Norway, or the dozens of other countries who allow private ownership of firearms. I honestly thing Europeans who say what you say are just full of themselves. Especially the ones who say "the rest of the world does x", or saying that "the US right of the rest of the world" when they're just talking about Europe as if just fucking Europe is the entire rest of the world. (I especially find it odd that they consider the US to be more authoritarian than nearly every Asian country, who far outnumber Europe, in addition to flat out ignoring politics in the Middle East, Africa, and South America...because, you know, all that matters is fucking Europe.)

  16. Re: Black Lives Matter by ArmoredDragon · · Score: 1

    The later makes sense, actually. You won't hear a progressive admit this even though deep down they know it's a fact, but progressive is really just a label that somebody places upon themselves when they're convinced that they've somehow figured it all out, and that only their views can possibly be the way forward, so fuck everybody else's perspective on any given matter because they're the only enlightened one in the world.

    And speak of perspective, progressive, by the way, is a term that groups such as prohibitionists, Nazis, and a number of other infamous groups have applied themselves in the past, even though in the end they turned out to be way wrong.

  17. Re: Another Day Another Mass Shooting by Lumpy · · Score: 1

    Considering I am american your whole argument fell apart like the poorly assembled straw man it is.

    --
    Do not look at laser with remaining good eye.