I actually really like this idea. I guess if your attacker did get your password in the clear (bad encryption or whatever) then they'd basically have access to everything, right? I mean, the number of letters at the start is presumably fairly constant, and they'd know the site it was for, so they could then work out the "unique secret" in the middle, right?
That said, there's a certain amount of security through obscurity I guess.
Still, for any of the sites I really care about I use two-factor authentication. I'd take a mediocre password and 2FA over a strong password (but happy to be proved wrong ;)
Why would anyone need to know your secret? Except that it would give them more characters in the substitution cipher. The card assumes a user will keep the same secret for each site, so just keep the start of the PW the same.
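The known-plaintext worry raised in the first comment (a constant start, a known site name, so one leaked cleartext password exposes the middle secret and part of the card) can be made concrete. The following is an added example, not code from this thread and not the layout of any real password card. It assumes, purely for illustration, that a password is built as PREFIX + SECRET + card(site), where card() looks each letter of the site name up in a fixed substitution table, and that the attacker knows the prefix length. The table, prefix, secret and the leaked passwords are all constructed sample data.

```python
# Added example: toy model of a password-card scheme and what one leaked
# cleartext password reveals about it. Not the thread's or any vendor's code.
#
# ASSUMPTION: password = PREFIX + SECRET + card(site), where card() substitutes
# each letter of the site name through a fixed 26-letter table on the card.
# ASSUMPTION: the attacker knows (or guesses) how long the constant prefix is.
import string

# Constructed sample card: a fixed permutation of the alphabet (a -> q, b -> w, ...).
CARD = dict(zip(string.ascii_lowercase, "qwertyuiopasdfghjklzxcvbnm"))


def site_letters(site: str) -> list:
    """Keep only the a-z letters of a site name; dots, digits etc. are ignored."""
    return [c for c in site.lower() if c in string.ascii_lowercase]


def card_password(card: dict, prefix: str, secret: str, site: str) -> str:
    """What the legitimate user would derive for a site under the modelled scheme."""
    return prefix + secret + "".join(card[c] for c in site_letters(site))


def recover_from_leak(leaked: str, site: str, prefix_len: int):
    """Attacker view: one cleartext password plus its site name.

    Returns (prefix, secret, pairs) where pairs maps site letters to the
    characters the card substituted for them.
    """
    letters = site_letters(site)
    tail_len = len(letters)
    if len(leaked) < prefix_len + tail_len:
        raise ValueError("leaked password too short for the assumed layout")
    prefix = leaked[:prefix_len]
    secret = leaked[prefix_len:len(leaked) - tail_len]
    tail = leaked[len(leaked) - tail_len:]
    pairs = {}
    for plain, sub in zip(letters, tail):
        # A repeated site letter must map to the same character, or the
        # assumed layout / prefix length is wrong.
        if pairs.get(plain, sub) != sub:
            raise ValueError(f"inconsistent substitution for {plain!r}")
        pairs[plain] = sub
    return prefix, secret, pairs


def recover_from_leaks(leaks, prefix_len: int):
    """Combine several (leaked_password, site) leaks: each one adds card entries."""
    prefix = secret = None
    pairs = {}
    for leaked, site in leaks:
        p, s, new = recover_from_leak(leaked, site, prefix_len)
        if prefix is None:
            prefix, secret = p, s
        elif (p, s) != (prefix, secret):
            raise ValueError("prefix/secret differ between leaks; model assumption broken")
        for plain, sub in new.items():
            if pairs.get(plain, sub) != sub:
                raise ValueError(f"conflicting substitution for {plain!r}")
            pairs[plain] = sub
    return prefix, secret, pairs


def predict(prefix: str, secret: str, pairs: dict, site: str) -> str:
    """Attacker's guess for another site; '?' marks card entries not yet known."""
    return prefix + secret + "".join(pairs.get(c, "?") for c in site_letters(site))


if __name__ == "__main__":
    # Constructed user data: constant start "Pw!", middle secret "s3cret".
    leak1 = card_password(CARD, "Pw!", "s3cret", "amazon")    # Pw!s3cretqdqmgf
    prefix, secret, pairs = recover_from_leak(leak1, "amazon", prefix_len=3)
    print("secret recovered:", secret, "card entries:", pairs)
    print("zoom   :", predict(prefix, secret, pairs, "zoom"))    # fully predicted
    print("github :", predict(prefix, secret, pairs, "github"))  # only prefix+secret
    leak2 = card_password(CARD, "Pw!", "s3cret", "mozilla")
    prefix, secret, pairs = recover_from_leaks([(leak1, "amazon"), (leak2, "mozilla")], 3)
    print("linkedin:", predict(prefix, secret, pairs, "linkedin"))
```

With a single leak the attacker already has the prefix and the secret, so every other password is reduced to the handful of card entries that site name uses; each further leak fills in more of the table, and any site whose letters are all covered is predicted outright. That is the sense in which the "unique secret" offers little once one password is seen in the clear, which is also why the thread's fallback of 2FA on the accounts that matter is the meaningful defence here.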