That isn’t how password managers typically work. Your password vault is encrypted with a much longer key stored on your device. The master key is only used to decrypt the actual decryption key which is long and isn’t stored on their servers, and the master key is useless otherwise. This is why you need to approve on your existing device when enrolling a new one, or enter a very long “recovery” key — that’s how the actual decryption key gets to the new device. Even knowing your master password doesn’t enable the attacker to access your vault without extra steps, like using social engineering to get you to reveal your recovery key or approve a new login.
anonynown t1_j1pbz0d wrote
Reply to comment by krkrkrkk24 in LPT: Got a Steam gift card for Christmas? Hold on to it after you put the code in. If your account gets hacked, you can use the old code to recover your account. by Worst_Support
> which can easily be brute forced if weak
That isn’t how password managers typically work. Your password vault is encrypted with a much longer key stored on your device. The master key is only used to decrypt the actual decryption key which is long and isn’t stored on their servers, and the master key is useless otherwise. This is why you need to approve on your existing device when enrolling a new one, or enter a very long “recovery” key — that’s how the actual decryption key gets to the new device. Even knowing your master password doesn’t enable the attacker to access your vault without extra steps, like using social engineering to get you to reveal your recovery key or approve a new login.