Losing bad habits: (weak) password reuse

June 13, 2013 | 3 Minute Read

It’s been a long time since I realized that password reuse is a bad, bad, bad thing.

Doing some real-world web development made that point even clearer to me: it’s easy to hook a function that logs the password used for registration (for instance by triggering an email containing the username, password and email address), even without storing the chosen password in cleartext in the database (we could still be hacked, right? Always store salted, hashed passwords in the database).


The solution was shown to me by a friend of mine, venom00: a password manager and random passwords.

Yeah, it’s a simple solution, but here’s how I arranged it: my password manager of choice is KeePassX and I generate my passwords using OpenSSL (which is installed on most GNU/Linux boxes by default).

Here’s the (simple) command I use to generate a password:

manu@nadia:~$ openssl rand -base64 20
i0DYj57QD3wZ943O2blndlWanuE=

I think that’s a relatively safe password, with uppercase and lowercase letters, numbers and a special character. I know the special character isn’t that special, but the password is still way better than the one I used to use on most websites.


How do you realize how bad password reuse is? That’s dead simple: install a password manager and spend some twenty minutes populating its database: open the saved-password list in Firefox (or Google Chrome or whatever you use) and try adding all of the username/password combos you find there to the new database. If you’re as lazy as I used to be, you’ll see the same password just about everywhere.
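As an added example (not code from the original post), here is a Python script that builds a password the same way the openssl command above does, applies the character-class sanity check from that paragraph, and runs the reuse check just described over a constructed browser password export. The CSV layout (url,username,password), the site names and the weak password are assumptions; the report only shows a truncated hash of each reused password, never the password itself.

```python
import base64
import csv
import hashlib
import io
import secrets
from collections import defaultdict

def generate_password(nbytes: int = 20) -> str:
    """Same construction as `openssl rand -base64 20`: nbytes from the OS CSPRNG, base64-encoded.
    20 bytes give a 28-character string ending in a single '=' pad."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def entropy_bits(nbytes: int) -> int:
    """Strength comes from the random bytes, not from the character mix of the encoding."""
    return nbytes * 8

def char_classes(pw: str) -> set:
    """Which of lower/upper/digit/special appear: the post's own sanity check on a password."""
    kinds = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}
    return {k for ch in pw for k, f in kinds.items() if f(ch)} | (
        {"special"} if any(not ch.isalnum() for ch in pw) else set())

def fingerprint(pw: str) -> str:
    """Truncated SHA-256 so the reuse report never contains the password itself."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()[:12]

def find_reuse(export_csv: str) -> dict:
    """Map each password fingerprint to the sorted list of sites using it, keeping only reused ones."""
    sites_by_pw = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        sites_by_pw[row["password"]].append(row["url"])
    return {fingerprint(pw): sorted(sites)
            for pw, sites in sites_by_pw.items() if len(sites) > 1}

# Constructed sample of a browser password export (url,username,password); not real credentials.
SAMPLE_EXPORT = """url,username,password
https://mail.example.com,emanuele,Sunshine1
https://social.example.net,emanuele,Sunshine1
https://shop.example.org,emanuele,Sunshine1
https://bank.example.com,emanuele,i0DYj57QD3wZ943O2blndlWanuE=
"""

if __name__ == "__main__":
    pw = generate_password()
    print(pw, len(pw), "chars,", entropy_bits(20), "bits,", sorted(char_classes(pw)))
    for fp, sites in find_reuse(SAMPLE_EXPORT).items():
        print(f"password {fp} is reused on {len(sites)} sites: {', '.join(sites)}")
```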

Now imagine a single website being compromised or, even worse, being run by malicious people (who may thus be logging everything). Can you realize how many sides of your life they could access? They may know you have a Google/Blogger/YouTube/Google+ account, so let’s go try accessing it and see what’s up. You may have a Facebook account. Well, let’s go try accessing it and see your deepest secrets.


If you spend a lot of time on the Internet, as I do, you’re probably scared to death now :D


By the way, here’s a good link about several ways to generate random passwords: http://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/.


Have a nice day!

Emanuele