this sort of thing is why I append the name of the website + a unique identifier + password, so that I don't have to bother changing my password during such nonsense, ugh.
Doesn't that make your passwords predictable? If you use the same secret for every domain, then if an attacker figures out your one secret they would be able to find out all your passwords.
A master password is at least generating random passwords though and encrypting the passwords themselves. Let's say your master password gets compromised, but not the password database itself... then attackers would still have no way to access your other passwords. With the method being described, simply obtaining the "secret" makes other passwords known without even needing access to the password database itself.
Eventually, some website you use is going to get hacked. They’ll have stored passwords as plaintext. From there, anyone who wants to hack any of your accounts knows your password format. It’s going to be obvious to them that they just need to replace the domain.
how would they figure out the unique identifier? couldn't you say the same thing about using an arbitrarily unique password and then a password manager? if your password manager is hacked then they'd get the encrypted passwords for all sites you use along with all the personal information.
of course, you'll say, don't use a crappy password manager. and that's correct. same reason I use a separate format for sketchy sites.
for what it's worth my format isn't really as described, but it is similarly deterministic, but not visually so. the cipher is basic enough to do in your head but complicated enough that you wouldn't know from a glance
a real password example for your scrutiny:
m0m2a2yiplagsosowgolredd1o2t3c!o!m2
steps:
domain: m a i l g o o g l e d o t c o m
strategy: zip
secret: mypassword123!!
offset (publicly determinable): 0
unique: 2022
result: m0m2a2yiplagsosowgolredd1o2t3c!o!m2
I use a password manager so the long text generally is irrelevant. the main reason I do this is because I don't feel comfortable needing my password manager. I like being able to figure out my actual password completely independent of a phone or internet or app.
the strategy depends on how sensitive the app is (strategies include: zip, append, vowel-zip, no-vowel-zip, num-zip, all the same but with a reverse-offset). unique is usually something like when I joined, or something determinable from the site and my head.
all of this seems much more complicated than it is. once you understand you could calculate the password in your head in a couple seconds.
It does reduce the search space for a brute force attempt, depending on how short your identifier is. Also, if two sites' passwords are leaked it could make someone's job a lot easier.
By your example, your passwords are a set of fixed or knowable data, plus a unique identifier that in your examples is three characters long. Therefore knowing one of your passwords gives all except three characters of every other password, thus making your effective password length three characters (substitute the actual length of your unique identifier if it's more than three).
Sure, that's slightly better, but you're putting in quite a lot of effort for minimal reward - there still isn't much entropy here compared to the size of the password, and you're relying on security through obscurity (that no-one will work out your method). Password crackers on modern GPUs can chew through many millions of guesses per second so having such a significant leg up would likely make your strategy trivial to break.
Also plenty of perfectly respectable sites have been compromised in the past so your estimation about how safe the site is unfortunately doesn't help much.
I really think you'd be better off using long randomly-generated strings and keeping multiple backups of your password database. There are lots of options that don't put you in the hands of a third party. All (?) sites offer password reset facilities in case of emergency, and you could memorise your email account password so that you can always at least get into that.
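The "effective password length" argument in the comment above (and the search-space point a few comments earlier) can be made concrete with a small audit script. The following is an added example, not code from anyone in this thread: it takes two constructed passwords that follow a fixed deterministic format, finds the positions that actually vary between sites, and compares the entropy an attacker who already holds one leaked password must still guess against the entropy of a random password of the same length. The passwords, the 95-symbol printable-ASCII alphabet, and the guess rate of 10^9 per second are all assumptions chosen for illustration.

```python
import math

# Constructed sample: two passwords for different sites built from one format,
# "<3-letter site tag><fixed secret><join year>". Fictional values, same length.
LEAKED = ["amzMySecretPass!2019", "gitMySecretPass!2021"]

PRINTABLE_ASCII = 95          # assumed alphabet size per character
GUESSES_PER_SECOND = 1e9      # assumed offline cracking rate, illustrative only


def varying_positions(passwords):
    """Indices at which the given same-length passwords do not all agree.

    Everything outside these positions is fixed structure that one leak reveals.
    """
    lengths = {len(p) for p in passwords}
    if len(lengths) != 1:
        raise ValueError("this audit assumes a fixed-length password format")
    n = lengths.pop()
    return [i for i in range(n) if len({p[i] for p in passwords}) > 1]


def effective_bits(passwords, alphabet_size=PRINTABLE_ASCII):
    """Entropy left to guess once the fixed positions are known from a leak."""
    return len(varying_positions(passwords)) * math.log2(alphabet_size)


def random_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to enumerate a search space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second


def audit(passwords):
    """Summarise how much of the format is really secret after one leak."""
    positions = varying_positions(passwords)
    return {
        "length": len(passwords[0]),
        "varying_positions": positions,
        "effective_bits": effective_bits(passwords),
        "random_bits": random_bits(len(passwords[0])),
        "seconds_to_exhaust_effective": seconds_to_exhaust(effective_bits(passwords)),
    }


if __name__ == "__main__":
    report = audit(LEAKED)
    print(f"password length:          {report['length']} characters")
    print(f"positions that vary:      {report['varying_positions']}")
    print(f"effective entropy:        {report['effective_bits']:.1f} bits")
    print(f"random password entropy:  {report['random_bits']:.1f} bits")
    print(f"time to exhaust (format): {report['seconds_to_exhaust_effective']:.1f} s")
```

With the constructed sample, only five of the twenty characters vary between the two sites (the three-letter tag and the last two digits of the year), so a second password of the same format is protected by roughly 33 bits, which the assumed rate exhausts in seconds, whereas a random twenty-character password holds about 131 bits. Running the audit over your own vault is a quick way to see whether any two entries share enough structure to be flagged by this test.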
the main goal for myself is to be able to have complicated passwords and remember them without a computer. the problem with all password managers is ultimately it must be possible to get them in plain text by design, so if someone gets that they get all of your passwords.
it's deterministic, but obviously I can't tell you the secret ;)
that being said there are a lot of things you could use. you could use information in the whois, you could use the birthdate of the founder of the site, etc.
personally I believe people should use the same password for all sites and then something similar to what I described. though I use a password manager, I do always feel nervous about the implementation leaking out details.
This means that if a breach reveals more than one of your passwords, the pattern is easily recognized and you just made ALL your passwords extremely weak. Not a great idea.