Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.

    • imetators@lemmy.dbzer0.com
      6 hours ago

      That is assuming that someone will sit there and try to decrypt password rules for that specific person. Chances of that happening are basically 0, unless they are some sort of a high interest person.

      • sugar_in_your_tea@sh.itjust.works
        5 hours ago

        If there’s a leak with multiple services, it’s possible some script kiddie will flag it as having a pattern. I’m guessing the rule is simple enough that an unsophisticated attacker could figure it out with several examples.

        It’s way better than reusing passwords, but I don’t think it’s better than a password manager, and it takes way more effort esp given all the various password rules companies have (no special characters, must have special character, special character must be one of…). If you’re paranoid, use something like KeePassXC that’s just a file.

    • Weslee@lemmy.world
      7 hours ago

      What’s more likely, a password manager gets a breach or someone targets only me and manages to find out multiple passwords across multiple services and cross compares then works out what the random numbers and letters mean…

      • sugar_in_your_tea@sh.itjust.works
        4 hours ago

        I don’t know your rule, but when I hear this, usually it includes the name of the service or something, so a script kiddie armed with a Levenshtein distance algo could probably detect it.

        That said, the “safer than the person next to you” rule applies here. You’re probably far enough down that list to not matter.

        As for password manager breaches, the impact really depends on what data the password manager stores. If all decryption is done client-side and the server never gets the password, an attacker would need to break your password regardless. That’s how Bitwarden works, so the only things a breach could reveal are my email, encrypted data, and any extra info I provided, like payment info. The most likely attack would need to compromise one of the clients. That’s possible, but requires a bit more effort than a database dump.
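
The pattern check mentioned in the comment above, turned into a self-audit you can run over your own password list; this is an added example, not part of the thread or any poster's code. The "prefix + service name + suffix" rule and every sample password are constructed assumptions.

```python
import secrets
import string
from itertools import combinations


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_service(service: str, password: str) -> str:
    """Remove the service name (any case) from the password, if it is embedded."""
    idx = password.lower().find(service.lower())
    return password if idx < 0 else password[:idx] + password[idx + len(service):]


def audit(vault: dict[str, str]) -> dict:
    """Measure shared structure in a {service: password} set.

    mean_similarity averages 1 - distance/max_len over all pairs, after
    removing embedded service names. Near 1.0 means one skeleton is reused.
    """
    residues = {s: strip_service(s, p) for s, p in vault.items()}
    embedded = sorted(s for s, p in vault.items() if residues[s] != p)
    sims = [1 - levenshtein(a, b) / max(len(a), len(b), 1)
            for a, b in combinations(residues.values(), 2)]
    mean = sum(sims) / len(sims) if sims else 0.0
    return {"embedded": embedded, "mean_similarity": mean}


# Constructed sample: a hypothetical rule "prefix + service name + suffix".
RULE_BASED = {"github": "Tr7!githubQx9", "netflix": "Tr7!netflixQx9",
              "amazon": "Tr7!amazonQx9"}

# What a password manager stores instead: independent random strings.
ALPHABET = string.ascii_letters + string.digits + "!#%+"
RANDOM = {s: "".join(secrets.choice(ALPHABET) for _ in range(16))
          for s in RULE_BASED}

if __name__ == "__main__":
    print("rule-based:", audit(RULE_BASED))
    print("random    :", audit(RANDOM))
```

A mean similarity near 1.0 with service names embedded means one leaked entry effectively describes the rest; independently generated passwords score close to 0.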

      • Magnum, P.I.@lemmy.dbzer0.com
        7 hours ago

        No you are right, your method is stronger than using a password manager hahaha of course there will never be a targeted attack or anything like it