> Then he can do some pattern matching and try the same pattern in some sites like PayPal, Apple, Gmail, etc. Generalize it a bit and you can even create a tool to do this for you for every new database leaked.

It's the bikelock principle. A bikelock is rarely going to be strong enough to secure your bike. It doesn't have to. It just needs to be secure enough that the thief will nick the next bike. Putting pnt12:HackerNews53cureP4ssw0rd and pnt12@gmail.com:HackerNews53cureP4ssw0rd into every service is going to be profitable enough that they don't necessarily have to try the next step.

But in general you're right: don't use these. Reused passwords aren't secure. Use keys generated by so-called password managers.

He would have to break the cryptographic algo to see the salt. Good luck with that. Sure that is possible for the NSA with weak encryption. But most hackers wont be able to do this. The salt does not give a slightly different hash but a totally different hash. Also, using salt (your own or server based) should protect you from some kind of rainbow table attacks.

But just use a PW manager (e.g. enpass.io ) I am very happy with it but I don't use the autofill plug-ins. You can never be paranoid enough.