Password Utilities as a Single Point of Failure (hashedapp.com)
28 points by nnutter on May 7, 2011 | hide | past | favorite | 15 comments


I use 30+ different passwords for different purposes. I never write the actual passwords down anywhere but instead I write the hint of the username/password for each site. Here's a fake example:

    sitename.com: c4 - t/5r
    sitemore.com: mrc - pp:9
If someone manually digs around, they can find what the usernames 'c4' and 'mrc' stand for. However, nobody other than me knows what 't/5r' and 'pp:9' expand to and I will never forget what they mean. Sure, it does theoretically make it slightly easier to brute-force my passwords but if 't/5r' = 'tempest/ariel5randa' then brute-force will take forever anyway.

If the browser doesn't auto-fill the password, I just have to look up a single list and it takes me seconds to type the password. Whenever I sign up for a new site, I just add the username/password hint and forget about it. I've been using this system for well over a decade and have never had any login problems anywhere.


Essentially you are using a private hashing algorithm. You're trading a bit of convenience for a good chunk more security. If it works for you keep doing it. The important thing is you are using good passwords and segregating sites.


Are you sure that stands up to a targeted attack? If, randomly guessing, those are WoW accounts you now have to keep your HN, WoW and e-mail accounts separate...


Pretty sure it would stand up to a targeted attack. Here's a few of my actual password hints:

    /-/
    **
    1m;
Feel free to log in to any of my accounts. And I do keep most types of accounts separate. Bank password is different from credit card is different from email is different from HN.


I think for a lot of people their email password would essentially act as a single point of failure anyway. An attacker could go through the email and use recover password on any services they find.


Indeed, regardless of how you choose your passwords email is a huge target. It's good to see Google and Facebook trying to thwart this by adding account activity information, etc.


Every few weeks I go to gmail and search the term "password" as well as some of my more commonly used passwords and permanently delete those messages. I'm forever annoyed when a service sends me my password via email.


Not if you have a dozen different email accounts with different passwords.


Breaking into any of your e-mail accounts may allow the attacker to impersonate you and start social-engineering attacks.

I do believe that the single most important account for one to protect is one's e-mail account.


I had never heard of PwdHash (linked from the article, https://www.pwdhash.com/) before. SuperGenPass (http://supergenpass.com/) is an alternative that uses a bookmarklet rather than a browser extension. (PwdHash links to a bookmarklet deep on its site, but nothing happened when I tried to use it.) SuperGenPass also allows for variable password length given the same master password, and its site is designed better. If you’re concerned about sites interfering with the bookmarklet using malicious JavaScript, there are unofficial browser extensions for SuperGenPass too. I don’t use any password manager right now, but I would recommend SuperGenPass over PwdHash.

The only factor I’m unsure about is the hashing algorithm: I’m not sure whether either SuperGenPass’s or PwdHash’s is safe. I couldn’t find what PwdHash’s algorithm was after a quick look on its site. SuperGenPass uses multiple iterations of MD5 – bcrypt would be a better algorithm, but I don’t know whether repeated-MD5 is unsafe or acceptable. (The aspect of the hashing algorithms I’m worried about is the speed at which an attacker can brute-force the password.)
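The comment above asks whether a per-site password generator built on repeated MD5 is fast enough to worry about. As an added illustration (not SuperGenPass's or PwdHash's code, and using a constructed output alphabet), this derives a per-site password with PBKDF2-HMAC-SHA256 keyed on the domain and measures how much slower one derivation is than a toy repeated-MD5 scheme; that ratio is roughly the factor by which an attacker's offline guessing rate drops:

```python
import hashlib
import time

# Output alphabet for generated passwords (a constructed choice, not the
# alphabet SuperGenPass or PwdHash actually use).
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*")

def normalise_domain(domain: str) -> str:
    """Lower-case the domain and drop a leading 'www.' so one site maps to one salt."""
    d = domain.strip().lower()
    return d[4:] if d.startswith("www.") else d

def derive_site_password(master: str, domain: str, length: int = 16,
                         iterations: int = 200_000) -> str:
    """Deterministic per-site password: PBKDF2-HMAC-SHA256(master, salt=domain).

    The domain salt makes every site's password unrelated; the iteration
    count is what makes each offline guess at the master password expensive.
    """
    salt = normalise_domain(domain).encode()
    # Two key bytes per output character: far more than the ~6.1 bits each
    # character consumes, so the big-integer mapping below has negligible bias.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                              dklen=length * 2)
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)

def iterated_md5_password(master: str, domain: str, rounds: int = 10) -> str:
    """Toy stand-in for a 'repeated MD5' scheme, used here only for cost comparison."""
    digest = (master + ":" + normalise_domain(domain)).encode()
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest.hex()[:16]

def slowdown_factor(master: str, domain: str) -> float:
    """Ratio of one PBKDF2 derivation's wall time to one MD5-toy derivation's."""
    t0 = time.perf_counter()
    iterated_md5_password(master, domain)
    t1 = time.perf_counter()
    derive_site_password(master, domain)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)

if __name__ == "__main__":
    print(derive_site_password("correct horse battery", "www.Example.com"))
    print(f"PBKDF2 is ~{slowdown_factor('x', 'example.com'):.0f}x slower per guess")
```

The measured factor depends on the machine, but with 200,000 iterations it is typically in the thousands; raising the iteration count raises it proportionally.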


I've been using PwdHash for a while now, and I'm really happy with it. Their site lists extensions for Firefox and Chrome which work great. I'm also unfamiliar with their actual algorithm, but there looks to be more info on their project page.


If paranoia is a concern or if there are perceived risks for a master password:

1) Use N-factor auth: fobs, authenticators, OTPs, etc.

2) N-person keying: require multiple people to enter their part of the password known only to them.

3) Delegate lower privilege access for day-to-day usage, versus aforementioned grand master password that is split amongst multiple people. This means lowering the exposure of a password.

This is in addition to not using the same password anywhere else and not having a guessable password scheme.


I'll once again offer my passy algorithm (with full description, and source code). http://news.ycombinator.com/item?id=2431480

I've used and refined this over a number of years, and now I'm very happy with it.

Enjoy!


This is very similar to a Firefox extension named Password Hasher: http://wijjo.com/passhash/

This is what I use to ensure I have a different password for every site. It also has a standalone JavaScript web page, for mobility and to ensure that the extension not updating doesn't screw you over.


If anything the LastPass breach gave me MORE confidence in LastPass. For all we know there was no breach. HOWEVER, LastPass immediately communicated to everyone and discovered an issue in a very paranoid way. I think this is security I wish every site had. However, I kid myself thinking that is possible; I'd rather that a single point of failure is LastPass vs. a crappy website that exposes a password which compromises tons of accounts and having to change all of them even if I was notified.

Furthermore, LastPass supports YubiKey, so it supports two-factor auth.



