I did this too, back when I had to use public terminals and obviously could not use password managers. But the idiosyncrasies of password rules on many sites added to the complexity of my own "transformation" of the base password, until the whole thing while workable, became burdensome. These days I do all logging in on my own PC and therefore I see no real need not to use a password manager and unique, random passwords for each site.

The obvious downside to this approach is if I were ever to be caught in a situation where I MUST log in to some site but do not have access to my PC AND phone, and therefore cannot risk opening the password DB on an alien system. Pretty unlikely scenario though.

So your password has a root password and probably 2-4 pseudo random characters appended/prepended/replaced? That means once it has been leaked in 1 breach, your 'true' algorithmic password is only 2-4 characters long. Which should take a few minutes to crack on other sites. And the more breaches you are included in, the easier it would be to work out your algorithm, reducing the number of attempts further.

But they aren't going to target me specifically? They won't. They just find everyone whose password across multiple breaches is similar (Levenshtein distance or something) and brute force the differences.

> But they aren't going to target me specifically? They won't. They just find everyone whose password across multiple breaches is similar (Levenshtein distance or something) and brute force the differences.

Is this possible when the leaked passwords are all only salted hashes?

You mean like LinkedIn (SHA1 hashes without salt), Adobe (Poor Crypto), Dropbox (half of them SHA1), etc., etc.

[1] https://haveibeenpwned.com/PwnedWebsites#LinkedIn

[2] https://haveibeenpwned.com/PwnedWebsites#Adobe

[3] https://haveibeenpwned.com/PwnedWebsites#Dropbox

No, but not everyone follow good crypto practices...

This seemed like a great idea when I first encountered it, but trying to use it was a major fail for me. Encrypted files with a single long passphrase I can actually remember seems less prone to failure.

What exactly is the product name? What is the website name? Does it include www? What about other subdomains?

These are the same kinds of questions that make security questions so frustrating as designed.

"What was your elementary school?" Hm. Is preschool elementary, or separate? Is the private school I went to for K and 1st an "elementary school" (there was no division between those in that school)? Maybe I should use the first school I attended between K-6 that had such a division? Or maybe just when I started public school, since that one was the first one called elementary...?

"What was your mother's maiden name?" I hardly remember my mother, and when I started being asked her maiden name, I had to guess how to spell it. Is this security question one I answered when I was guessing wrong, before I knew how to spell it for real? Even if it's not, did I decide this time to use the old spelling for consistency, or to add a slight hitch to someone who looked that up and is trying to access my account?

Essentially every answer to these kinds of questions that isn't about a number (and some of those!) comes with so many caveats that it seems unlikely I'll remember which path down this tree I took when I added it. The world is so fuzzy. This is like those "puzzles" where the wording of the puzzle actually admits many possible answers depending on how you interpret words and phrases, but everyone seems to settle on a meaning that's obvious to them, but the most "obvious" answer seems different from day to day for me.

I did this myself for a couple years. I soon learned it is a flawed and insecure approach. I don't recommend it for a variety of reasons.

And how many of your passwords need to leak for that scheme to be completely transparent?