Testing my master password - Questions

The warnings on that page are a bit misleading, in my opinion. The most important warning is the following notice, which is not even labeled as a “Warning” (only a “Note”):

The main warning, however, is a bit alarmist:

Using a PIN can weaken the level of encryption that protects your application’s local vault database.

Basically, your locally cached vault data are encrypted using the 256-bit account encryption key, no matter what you do. The vault cache also includes a protected copy of the account encryption key (where “protected” means that the key itself has been encrypted, using a key that is derived from your master password); therefore, someone who gets access to your vault cache will not be able to do anything with it unless they are able to guess your master password (which can be used to produce the key that unlocks the main account encryption key, allowing the encrypted vault data to be deciphered).

If you set up a PIN, then a second protected copy of the account key is produced, this time encrypting the key using a key derived from your PIN. This PIN is stored in the volatile memory of your device (until you close the browser or app).

If you disable the option to “Lock with master password on restart”, then the PIN-protected key is also saved in the local vault cache that is stored on the hard drive.

1 Like
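The key-wrapping arrangement described in the post above, as an added example (not part of the original post and not Bitwarden's code or storage format). It assumes PBKDF2 with a low iteration count, an HMAC-derived pad as a stand-in for the real cipher, hypothetical function names, and constructed guess-space figures; it shows that both protected copies open the same account key and that the PIN-protected copy only reaches the disk cache when "Lock with master password on restart" is disabled.

```python
# Added illustration only: toy key wrap, hypothetical names, constructed values.
import hashlib, hmac, math, os

ITER = 10_000  # assumed KDF cost, kept low so the demo runs quickly

def _kek(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITER)

def protect(account_key, secret):
    """Return a protected copy of the 32-byte account key (toy wrap, not AES)."""
    salt = os.urandom(16)
    kek = _kek(secret, salt)
    pad = hmac.new(kek, b"enc", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(account_key, pad))
    tag = hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unprotect(blob, secret):
    """Return the account key, or None if the secret is wrong."""
    kek = _kek(secret, blob["salt"])
    tag = hmac.new(kek, b"mac" + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    pad = hmac.new(kek, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))

def build_state(account_key, master_password, pin=None, lock_with_mp_on_restart=True):
    """Model where each protected copy lives: (disk cache, volatile memory)."""
    disk = {"master": protect(account_key, master_password)}
    memory = {}
    if pin is not None:
        memory["pin"] = protect(account_key, pin)   # gone when the app closes
        if not lock_with_mp_on_restart:
            disk["pin"] = memory["pin"]             # now persists in the cache
    return disk, memory

# Constructed guess-space estimates: 4 random words from a 7776-word list, 4-digit PIN.
SECRET_BITS = {"master": 4 * math.log2(7776), "pin": math.log2(10**4)}

def disk_guess_bits(disk):
    """The cache at rest is only as strong as the weakest secret wrapping a copy on disk."""
    return min(SECRET_BITS[name] for name in disk)

if __name__ == "__main__":
    key = os.urandom(32)
    for lock in (True, False):
        disk, _ = build_state(key, "four random words here", "4821", lock)
        print(lock, sorted(disk), round(disk_guess_bits(disk), 1))
```

With the option enabled, the disk cache holds only the master-password copy; with it disabled, the same cache is bounded by the PIN's much smaller guess space.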