Viewing a single comment thread. View all comments

anonynown t1_j1pbz0d wrote

> which can easily be brute forced if weak

That isn’t how password managers typically work. Your password vault is encrypted with a much longer key stored on your device. The master key is only used to decrypt the actual decryption key which is long and isn’t stored on their servers, and the master key is useless otherwise. This is why you need to approve on your existing device when enrolling a new one, or enter a very long “recovery” key — that’s how the actual decryption key gets to the new device. Even knowing your master password doesn’t enable the attacker to access your vault without extra steps, like using social engineering to get you to reveal your recovery key or approve a new login.

1