Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
I use a “password pattern”, rather than remembering all the passwords, I just remember a rule I have for how passwords are done, there are some numbers and letters that change depending on what the service is so every password is unique and I can easily remember all of them as long as I remember the rules I put in place
So when someone figures out your rule he has all the passwords
That is assuming that someone will sit there and try to decrypt password rules for that specific person. Chances of that happening are basically 0, unless they are some sort of a high interest person.
If there’s a leak with multiple services, it’s possible some script kiddie will flag it as having a pattern. I’m guessing the rule is simple enough that an unsophisticated attacker could figure it out with several examples.
It’s way better than reusing passwords, but I don’t think it’s better than a password manager, and it takes way more effort esp given all the various password rules companies have (no special characters, must have special character, special character must be one of…). If you’re paranoid, use something like keypassxc that’s just a file.
figure out the rule
figure out the services
figure out the usernames
What’s more likely, a password manager gets a breach or someone targets only me and manages to find out multiple passwords across multiple services and cross compares them works out what the random numbers and letters mean…
I don’t know your rule, but when I hear this, usually it includes the name of the service or something, so a script kiddie armed with a levenstein distance algo could probably detect it.
That said, the “safer than the person next to you” rule applies here. You’re probably far enough down that list to not matter.
As for password manager breaches, the impact really depends on what data the password manager stores. If all decryption is done client-side and the server never gets the password, an attacker would need to break your password regardless. That’s how Bitwarden works, so the only things a breach could reveal are my email, encrypted data, and any extra info I provided, like payment info. The most likely attack would need to compromise one of the clients. That’s possible, but requires a bit more effort than a database dump.
No you are right, your method is stronger than using a password manager hahaha of course there will never be a targeted attack or anything like it