Shard: Open source tool checks for password re-use

Security researcher Philip O’Keefe has created a tool that allows users to check whether they have reused a password on multiple accounts.

The impetus behind the creation of Shard – as O’Keefe dubbed the command-line utility – was the recent massive leak of LinkedIn passwords. He knew that he had reused the same password on many accounts, but couldn’t remember the exact ones, he explained to Dan Goodin.

password re-use

He has since switched to using a password manager, and likely unique passwords for every online account, but judged that others could use the tool he created so published its source code on GitHub.

The modules currently offered with Shard can test one or multiple sets of login credentials on Facebook, LinkedIn, Reddit, Twitter and Instagram. O’Keefe offered instructions on how to create new modules for other sites.

Of course, Shard can also be misused by attackers checking out login credentials leaked online. And, unfortunately, with the recent mega-leaks – LinkedIn, Tumblr, Twitter, VK, and so on – there is no shortage of credentials to test.

Goodin pointed out that attackers could use bots to get around the sites’ rate limiting defenses, but also that it’s more than likely that a similar tool already exists and is used by criminals.