Bitwarden server 'backups' - learning lessons from the LastPass debacle

Yes. It also means that there is no “backup database” that an attacker could steal. At worst, an attacker who breaks into Microsoft’s backup servers would acquire a transaction record containing the old master password hash and the old protected key (at this point, it is not clear that they would even have access to the email address that is used as a salt in the hashing process). Even if they were able to brute-force the (old) master password and extract your account encryption key, the attacker would have to successfully breach a different server (or one of your local devices) to acquire a copy of your encrypted vault before they could access your secrets.

1 Like
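To make the reply above concrete, here is an added sketch (not part of the original post, and not Bitwarden's own code) of how the master password hash and the keys that unwrap the protected key depend on the email salt. It assumes the derivation chain described in Bitwarden's published security whitepaper (PBKDF2-SHA256 salted with the email, one further PBKDF2 round for the hash sent to the server, HKDF-Expand for the wrapping keys); the function names, iteration count and sample credentials are constructed for illustration.

```python
import hashlib
import hmac

# Assumed per-account KDF setting, constructed for this example.
KDF_ITERATIONS = 600_000


def master_key(password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    # PBKDF2-SHA256 over the master password, salted with the normalized email
    # (trim + lowercase normalization is an assumption about the client).
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)


def master_password_hash(key: bytes, password: str) -> bytes:
    # Authentication hash sent to the server: one PBKDF2 round, salted with the password.
    return hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"), 1, 32)


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # HKDF-Expand (RFC 5869) with SHA-256.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def wrapping_keys(key: bytes) -> tuple[bytes, bytes]:
    # Encryption and MAC keys that unwrap the protected (account) key.
    return hkdf_expand(key, b"enc"), hkdf_expand(key, b"mac")


def verify_password(password: str, email: str, target_hash: bytes,
                    iterations: int = KDF_ITERATIONS) -> bool:
    # Checking one password costs a full KDF run and requires the email salt.
    candidate = master_password_hash(master_key(password, email, iterations), password)
    return hmac.compare_digest(candidate, target_hash)


if __name__ == "__main__":
    pw, email = "correct horse battery staple", "user@example.com"  # constructed
    stored = master_password_hash(master_key(pw, email), pw)
    print("right email:", verify_password(pw, email, stored))
    print("wrong email:", verify_password(pw, "other@example.com", stored))
```

Neither the hash nor the wrapping keys contain any vault data: they only unwrap the account key, which in turn is useful only against a separately obtained encrypted vault.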