An attacker who can get two of your passwords will basically have all of your passwords, because by knowing which characters can change, they only have to attack those changes (your effective password length becomes the number of those changes). Additionally, the pattern may be discernible with only two passwords, and even if not, each additional brute-forced password provides additional information.
Put another way, every time you sign up for a website with a derived password, you are giving out information about your base password.
Special software doesn't reveal any information about your base password, and even if the base password is acquired, the attacker still needs access to your vault to do anything about it.
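The "effective password length becomes the number of those changes" point, worked through as an added example (not code from the original post): it compares two derived passwords and reports which positions stay fixed and how much strength is left once the shared base is known. The two sample passwords and the uniform 94-symbol alphabet are assumptions made for illustration.

```python
import math
from difflib import SequenceMatcher

# Assumption: each character is drawn uniformly from 94 printable ASCII symbols.
# Human-chosen bases are weaker than this, so the figures are upper bounds.
BITS_PER_CHAR = math.log2(94)


def fixed_positions(known_a: str, known_b: str) -> list:
    """For each character of known_a, True if it also appears, in order, in known_b."""
    matcher = SequenceMatcher(None, known_a, known_b, autojunk=False)
    fixed = [False] * len(known_a)
    for block in matcher.get_matching_blocks():
        for i in range(block.a, block.a + block.size):
            fixed[i] = True
    return fixed


def skeleton(known_a: str, known_b: str) -> str:
    """known_a with every site-specific character replaced by '?'."""
    fixed = fixed_positions(known_a, known_b)
    return "".join(ch if keep else "?" for ch, keep in zip(known_a, fixed))


def exposure(known_a: str, known_b: str) -> dict:
    """Compare nominal strength with what remains once the base is known."""
    fixed = fixed_positions(known_a, known_b)
    variable = fixed.count(False)
    return {
        "skeleton": skeleton(known_a, known_b),
        "fixed": len(fixed) - variable,
        "variable": variable,
        "nominal_bits": len(fixed) * BITS_PER_CHAR,
        "remaining_bits": variable * BITS_PER_CHAR,
    }


# Constructed sample values, not real credentials.
SITE_A = "Blue!Horse42-amzn"
SITE_B = "Blue!Horse42-ggle"

if __name__ == "__main__":
    report = exposure(SITE_A, SITE_B)
    print("shared skeleton :", report["skeleton"])
    print("fixed / variable:", report["fixed"], "/", report["variable"])
    print("nominal bits    : %.1f" % report["nominal_bits"])
    print("remaining bits  : %.1f" % report["remaining_bits"])
```

A password manager that generates each entry independently leaves no shared skeleton, so the variable count equals the full length.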