[evfanknitram]

That's assuming that the master password is really strong. Otherwise you could bruteforce it by testing millions of passwords ("password", "secret", short ones and so on). I assume most people will choose somewhat weak master passwords.

With this scheme ANY site where you register can attempt to brute-force your master password offline. I fail to see how it's a good scheme.

[kutkloon7]

You're right. If you choose a weak password, nothing can save you. This holds in any case, so this is not specifically an argument to this use. Let's do some math to see if your argument about bruteforcing holds stake (spoiler: it doesn't).

Let's say you're master password only uses letters, numbers, and special characters. Just counting keys on my keyboard, there are 94 such characters. You should pick a random sequence as master password (very important).

Let's say you use the Antminer S9 (which can compute 1 gigahash per joule). For ease of analysis, let's say you can recognize the master password instantly. Also, say we're paying $0.2 per kwh. Then we can define the average cost c of finding the master password as a function of the master password length l: c(l) = 94^l/(1.8*10^10)

c(5) is about 40 cents, c(6) about 40 dollars c(8) is more than 300k, c(12) = 26e12

In comparison, the estimated amount of money in the world (in 2009) is 52e9 dollars. By the way, this is if you use a single SHA256 hash. You can make the hash arbitrarily expensive by iterating (computing h(h(h(master_pass)))).

The one and only argument against using a master password that is used to derive passwords is the single point of failure. If someone catches you typing your master password on video, you're pretty much fucked. But I guess this is the same for password managers.