Thanks @bw-admin
(Once again, disclaimer that I’m not a security expert by any means)
Reading through that, though, it doesn’t seem to match up with what I’m requesting.
The blog talks about having multiple levels of encryption on the server, not the client. (Obviously a good thing, don’t get me wrong; it’s just not what my request was.)
Adding more walls to the castle is great, but the war against would-be hackers is always an arms race. Obviously, password manager providers are going to be prime targets for the best of the best cyber-thieves.
If someone were to get in and export vaults, the only thing that stands between the hacker and the user’s data is the password. And while good passwords are always important, I’m ultimately human, and memorizing a truly random 75-character password is something that’s not really feasible. (Nor is inputting a password like that practical.)
I could use a yubikey to simply type in an outrageously long password as a macro for me, but then I’m shifting my security from something I know to something I have, which has tradeoffs.
By using a hardware device as a secret key, I can instead use a more reasonable password while maintaining a much higher resiliency against brute force attacks.
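To make the brute-force argument above concrete, here is an added illustration (not Bitwarden's code and not a description of its actual KDF): a vault key is derived from the password, then mixed with a challenge-response from a hardware token, and an offline guessing attack against the exported key is run with and without the token's secret. The token is simulated in software, the PBKDF2 iteration count and salt are constructed demo values, and the mixing construction is an assumption chosen for illustration only.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed demo parameters; not a product's real KDF settings.
KDF_ITERATIONS = 20_000  # kept low so the demo runs quickly; real clients use far more
KEY_LEN = 32


def device_response(device_secret: bytes, challenge: bytes) -> bytes:
    """Simulate a hardware token's challenge-response (HMAC over a challenge).

    In a real token the secret never leaves the device; only the response does.
    """
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def password_only_key(password: str, salt: bytes) -> bytes:
    """Baseline: key derived from the password alone (something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, KEY_LEN)


def derive_vault_key(password: str, salt: bytes, device_secret: Optional[bytes]) -> bytes:
    """Key from the password AND the device response (assumed construction).

    With no device present only the password material is used, so the result
    differs from the device-bound key and an exported vault stays locked.
    """
    pw_key = password_only_key(password, salt)
    if device_secret is None:
        return pw_key
    resp = device_response(device_secret, salt)  # challenge bound to this vault's salt
    # Mix the two factors: HMAC keyed by the password material over the device response.
    return hmac.new(pw_key, b"vault-key" + resp, hashlib.sha256).digest()


def brute_force(candidates: Iterable[str], salt: bytes, target_key: bytes,
                device_secret: Optional[bytes]) -> Optional[str]:
    """Offline guessing attack against an exported vault key.

    The attacker can only supply device_secret if the token itself was stolen;
    otherwise every password guess has to be paired with a 256-bit secret guess.
    """
    for guess in candidates:
        if hmac.compare_digest(derive_vault_key(guess, salt, device_secret), target_key):
            return guess
    return None


def demo():
    salt = b"\x01" * 16            # constructed; a real vault uses a random per-user salt
    device_secret = b"\x5a" * 32   # constructed; in practice lives inside the token
    real_password = "ok-ish-password"
    vault_key = derive_vault_key(real_password, salt, device_secret)
    wordlist = ["password", "123456", "ok-ish-password", "letmein"]  # constructed
    with_token = brute_force(wordlist, salt, vault_key, device_secret)
    without_token = brute_force(wordlist, salt, vault_key, None)
    return with_token, without_token


if __name__ == "__main__":
    print(demo())
```

With the token's secret the dictionary attack recovers the modest password immediately; without it no guess matches, because the attacker would also have to guess the device secret. This is the tradeoff in the post: the password can stay human-sized while the search space an attacker faces on an exported vault grows by the size of the device secret.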