Shard discovers shared passwords between most popular web services

Pierluigi Paganini July 14, 2016

Shard is a free tool that could be used by hackers to discover shared passwords between most popular web services, including Facebook, LinkedIn, Reddit, Twitter, or Instagram.

In the past months, we have read about numerous data breaches, LinkedIn, MySpace, VerticalScope are just a few examples of illustrious victims.

Hundreds of thousands of millions of credentials have flooded the criminal underground, a precious commodity for hackers that could try to exploit them to hack into users’ account when the owner share the same username and password.

Of course, the activity is time-consuming, hackers need to test login credentials included in a data dump against various services available online.

Now this activity can be sped up by using Shard, a command-line tool that was developed to allow users to test if a password they use for one site is also used on other popular services, including Facebook, LinkedIn, Reddit, Twitter, or Instagram.

Below the list of available modules:

$ java -jar shard-1.3.jar -l
Available modules:

The Shard receives a username and password as input then it will attempt to authenticate with multiple sites.

“I used that password as a general password for many services,” he wrote in an e-mail. “It was a pain to remember which sites it was shared and to change them all. I use a password manager now.” Philip O’Keefe, Shard creators, told to Arstechnica.

Mozilla password disclosed

Obviously, a similar application is a powerful tool in the hackers’ hands. The code of the Shard tool is available on GitHub, it is likely crooks will adapt it to make it works with other services, including financial ones.

We know that the password reuse is a very common bad habit, in the best case users apply simple modifications to a base password to reuse it on several web services. A few modification to the code could allow the Shard to hack the account also in this last scenario.

Let’s think for example to the use of “mypassoword01” on a website and “mypassoword02” on a second website, in this case, a modified version of the tool could easily guess the login credentials.

Potentially the unique limitation of the tool is the number of attempts from a single IP, a limitation that could be easily bypassed if the attacker leverages on a botnet.

Users must adopt different credential for each web service, adopt strong passwords and enable two-factor authentication when available.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –Shard, passwords)

you might also like

leave a comment