Why you shouldn't reuse passwords

So, you register for a site to do something simple. Let's call it "Site.", like it's made by a hipster. You enter your email, username and password. The password you used? Well, it's the same one you use on your Google account, Facebook, Twitter, reddit, and just about a million other sites. And now Site.

If the password isn't properly protected (a good hash plus a salt), the stored hash can be reversed quite easily. Or, even worse, if it isn't hashed at all, your password is exposed to just about everybody who can run a SELECT query.

Now, even worse: if there is an awful bug in the system, a shitty person could do an SQL injection and get your horribly protected password (and the passwords of every other Site. user). Or it could just be a developer trying to see how the login system works.

And that's just what happened the other day. I noticed that on a service I was working on, the only encryption algorithm used was SHA1. Nothing else. No salt, no multiple hashing. Nothing.

So, I tried decrypting it. A Google search query, and I found an online SHA1 decryption tool. I easily decrypted my own password, and a few others from the dummy database, including my co-developer's password. Which he reused. Bam, just a hash and a Google search can turn into a weapon just like that. I've got the password to his employer's website, his Google account and much, much more.
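To make the difference concrete, here is an added example (not code from the original post) contrasting the unsalted SHA1 scheme described above with a salted, iterated hash. The lookup table is a constructed three-entry stand-in for the online tables, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of candidate passwords, standing in for the huge
# precomputed SHA1 tables that online "decryption" sites actually hold.
LOOKUP_TABLE = {
    hashlib.sha1(p.encode()).hexdigest(): p
    for p in ("password", "letmein", "hunter2")
}

ITERATIONS = 600_000  # assumed work factor; tune so one check takes ~100 ms


def weak_hash(password: str) -> str:
    """Unsalted single SHA1: the scheme the post found in production."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup(digest: str) -> Optional[str]:
    """Reversal by table lookup: no brute force needed for a bare SHA1."""
    return LOOKUP_TABLE.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the salt is stored with the digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and compares in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Two users who reused the same password, stored both ways."""
    weak_a, weak_b = weak_hash("hunter2"), weak_hash("hunter2")
    strong_a, strong_b = hash_password("hunter2"), hash_password("hunter2")
    return {
        "weak_identical": weak_a == weak_b,        # reuse is visible in a dump
        "weak_reversed": lookup(weak_a),           # "hunter2" straight from the table
        "strong_identical": strong_a == strong_b,  # False: per-user salt
        "strong_verifies": verify_password("hunter2", strong_a),
    }
```

With the weak scheme every user who picked the same password shares one hash, so one table hit exposes all of them at once; with a per-user salt the table is useless and each hash has to be attacked separately at full cost.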

So, what am I going to do? I could easily dump his girlfriend, or make the background picture of his employer's site covered in anus photos.

No, I'm just going to write this post and delete the database entry. I really don't want anything to happen to him, I'm not that shitty guy from earlier.


This article is my 9th oldest. It is 290 words long.