The way I have organised is to have 5 varying levels. This limits the volume of passwords I have to recall whilst maintaining variety. While there is still opportunity for cross-use if one is hacked it does create breakage points from areas more likely to be hacked and avoids a single point of failure. It's structured something like this;
1) Random sign-ups.
2) Slightly personal information e.g. Hackernews
3) Personal or slightly financial: e.g. mail accounts
4) Financial: e.g. Banking/Share trading
5) Work accounts
I've been wondering if I should expand this to have the same as above but bring in a component of the URL into the password to create variance for all but keeping it easy to remember. Does that seem a good method or do people have better systems?
Isn't there greater risk in using these than my method?
My logic: If one of these solutions e.g. LastPass is compromised then I am compromised across all sites. They may even bypass 2 factor authentication that goes via my email/messaging. Whereas using my method if one website gets hacked then I only give access to a segment. If it is worst case and a financial site is compromised they still don't have the password for accounts where they could see any 2-factor authentication messages. Does that make sense or am I missing something?
You are missing something, LastPass and other password services don't actually store your information in any way they can read them. What they do is store the password information as a encrypted blob and the public key derived from your password. When you "log in" you actually are running the key derivation function on your password locally then signing a message with your private key and sending that to Lastpass. When they receive the signed message they check it against your public key and if it passes they send you your password information. Which you then decrypt clientside. So anyone who compromises lastpass gets nothing except a bunch of encrypted blobs and public keys. The only way to get at your lastpass information is to retrieve the unencrypted copy off your computers memory, but if a hacker can do that they can just steal your passwords as your type them in anyways.
KeePass is just an encrypted database stored on your machine. If it's compromised, your machine is compromised, so you're screwed either way. Meanwhile, if any of many online services you use are compromised (and some inevitably will be), you have minimised the cost of that.
1) Random sign-ups.
2) Slightly personal information e.g. Hackernews
3) Personal or slightly financial: e.g. mail accounts
4) Financial: e.g. Banking/Share trading
5) Work accounts
I've been wondering if I should expand this to have the same as above but bring in a component of the URL into the password to create variance for all but keeping it easy to remember. Does that seem a good method or do people have better systems?