
Purloined password re-use checker pees in the security soup

Chap codes tool that scans social media sites to figure out where passwords work

Lazy password reusers are at even higher risk of having accounts compromised following the publication of a proof-of-concept tool that can quickly test credentials against a host of sites.

The work is the penmanship of Netsuite security bod Philip O'Keefe, who uploaded his tool, dubbed Shard, to GitHub.

Shard tests shared passwords against Reddit, Twitter, Instagram, Facebook, and LinkedIn.

O'Keefe writes that users can easily cook their own modules to test other sites.

Attackers could wreak maximum damage by feeding into Shard any of the more than 600 million credentials leaked this year alone.

Even dusty dumps repackaged and rebranded as unique breaches would be helpful to the password plunderer. Dictionaries could be used to conduct brute-force attacks for databases with valid emails but bogus credentials.

Rate-limiters in place at most competent technology sites would prevent huge numbers of login attempts against any one account, while security-conscious types would be quick to notice IP addresses pumping passwords against their properties in rapid succession. ®
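The two defences described above, sketched as an added detection example that is not part of the article or of Shard: a per-account failure limit, plus a per-IP count of distinct accounts, which catches reuse testing that never trips the per-account limit. The log format, thresholds, addresses and usernames are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
MAX_FAILS_PER_ACCOUNT = 3        # assumed per-account rate limit
MAX_ACCOUNTS_PER_IP = 4          # assumed distinct-account threshold per IP

def build_sample_log():
    """Constructed log lines: '<ISO time> <source IP> <username> <OK|FAIL>'."""
    lines = []
    # One IP tries one login against each of six accounts (reuse testing).
    for i, user in enumerate(["ann", "bob", "cat", "dan", "eve", "fay"]):
        lines.append(f"2016-07-01T10:00:{i*5:02d} 203.0.113.7 {user} FAIL")
    # One IP hammers a single account (classic brute force).
    for i in range(5):
        lines.append(f"2016-07-01T10:01:{i*2:02d} 198.51.100.9 gus FAIL")
    # Ordinary user mistypes once, then logs in.
    lines.append("2016-07-01T10:02:00 192.0.2.44 hal FAIL")
    lines.append("2016-07-01T10:02:10 192.0.2.44 hal OK")
    return lines

def detect(lines):
    """Return (throttled_accounts, flagged_ips) as sets."""
    by_account = defaultdict(deque)   # username -> failure times in window
    by_ip = defaultdict(deque)        # ip -> (time, username) failures in window
    throttled, flagged = set(), set()
    for line in sorted(lines):        # ISO timestamps sort chronologically
        ts_text, ip, user, outcome = line.split()
        if outcome != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_text)
        acct = by_account[user]
        acct.append(ts)
        while ts - acct[0] > WINDOW:  # drop failures older than the window
            acct.popleft()
        if len(acct) > MAX_FAILS_PER_ACCOUNT:
            throttled.add(user)
        src = by_ip[ip]
        src.append((ts, user))
        while ts - src[0][0] > WINDOW:
            src.popleft()
        if len({u for _, u in src}) >= MAX_ACCOUNTS_PER_IP:
            flagged.add(ip)
    return throttled, flagged

if __name__ == "__main__":
    throttled, flagged = detect(build_sample_log())
    print("throttled accounts:", sorted(throttled))
    print("flagged source IPs:", sorted(flagged))
```

On the constructed log, the per-account limit only catches the hammered account, while the source that touches each account once is visible only through the per-IP count.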
