> if you're like most developers and reused any of those passwords elsewhere

Is this true? God I hope not, if developers don't even follow basic security practices then all hope is lost.

I'd assume this is stating the obvious, but storing credentials in environment variables or files is a big no-no. Use a security key or at the very least an encrypted file, and never reuse any credential for anything.