I think it all comes down to how you do the combining.
For example, if you take a fixed secret string, append the site name, SHA256 the whole mess, and then derive a password from the hash, that's reasonably secure and only requires you to memorize one secret. The downside is that you need to perform SHA256 whenever you want the password for a particular site.
But if you take a fixed password and merely concatenate something derived from the site name to get the site-specific password, that's not secure. You're counting on the attacker not figuring out your "something derived from" and that's security by obscurity. (Unless your algorithm involves mixing in some hard-to-guess secret, but then you're back at my suggestion above with a bit of extra stuff tacked on.)
This was just a response to the "'Aunt Tillie'-types" comment and replies. I'm not trying to preach to the HN reader. If the average user were setting a password for their google account, and their fixed string was U$erN4m3* and their variable component was the URL backwards moc.elgoog, to create the password U$erN4m3*moc.elgoog they are far, far beyond typical password security. You, Sir, with due respect, are correct, but are a few steps past practical or easy to remember.
For example, if you take a fixed secret string, append the site name, SHA256 the whole mess, and then derive a password from the hash, that's reasonably secure and only requires you to memorize one secret. The downside is that you need to perform SHA256 whenever you want the password for a particular site.
But if you take a fixed password and merely concatenate something derived from the site name to get the site-specific password, that's not secure. You're counting on the attacker not figuring out your "something derived from" and that's security by obscurity. (Unless your algorithm involves mixing in some hard-to-guess secret, but then you're back at my suggestion above with a bit of extra stuff tacked on.)