by kingosticks 2635 days ago
You are assuming Joe would use a "common" password to encrypt their highly sensitive password vault. Joe only has to remember one password since moving to a password manager. Even my mother uses a decent password for that. I'm not saying your situation isn't feasible but Joe has failed to use the product properly.

I think I saw that some of these managers have integrations with https://haveibeenpwned.com/ and that could extend to the vault password too. Maybe it already does.

Yes. Given how mass data leaks have shown just how bad people are at choosing passwords - I think it's a very safe assumption that a large proportion of Last Pass users have weak, easily guessable master passwords.

The ironic thing here is randomly generated passwords produced by a password manager are highly likely to be more secure than the password that protects the password vault itself.

> Yes. Given how mass data leaks have shown just how bad people are at choosing passwords - I think it's a very safe assumption that a large proportion of Last Pass users have weak, easily guessable master passwords.

Indeed. Which is in part why we developed the Secret Key. Even if someone chooses a relatively weak Master Password and all of the data were stolen from our servers, cracking even just a single password of a single user via brute force would be implausible. The effort-to-reward ratio is very high (perhaps insurmountably so) on the effort side.

Full disclosure: I work for 1Password.
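As an added illustration of the idea described in the comment above (this is not code from the thread and not 1Password's actual key-derivation scheme; the function names, salt and Secret Key value are constructed for the example), the following Python sketch mixes a human-chosen Master Password with a high-entropy, device-held Secret Key, so that a stolen vault plus a correct password guess is still not enough to unlock it.

```python
import hashlib
import hmac


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes,
                     iterations: int = 100_000) -> bytes:
    """Combine a password with a random Secret Key into one vault key.

    Illustrative construction (assumed, not 1Password's real KDF): the
    password is stretched with PBKDF2, the 128-bit Secret Key is expanded
    with HMAC, and the two 32-byte outputs are XORed. Anyone holding only
    the stolen vault must guess the password AND the 128-bit key.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, iterations, dklen=32)
    sk_part = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(vault_key: bytes) -> bytes:
    """Value stored beside the vault so a client can check an unlock attempt."""
    return hashlib.sha256(b"verifier" + vault_key).digest()


def unlock(stored_verifier: bytes, master_password: str, secret_key: bytes,
           salt: bytes) -> bool:
    """Constant-time check of a password + Secret Key pair against the verifier."""
    candidate = make_verifier(derive_vault_key(master_password, secret_key, salt))
    return hmac.compare_digest(candidate, stored_verifier)


def demo():
    """Returns (unlocked_without_secret_key, unlocked_with_secret_key)."""
    salt = b"constructed-salt-16b"            # constructed; real clients pick a random salt
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key
    weak_password = "password123"             # deliberately weak, as in the discussion

    verifier = make_verifier(derive_vault_key(weak_password, secret_key, salt))

    # Even the exact weak password fails when the Secret Key is missing,
    # so an offline guessing run against the stolen vault gains nothing.
    without_sk = unlock(verifier, weak_password, bytes(16), salt)
    with_sk = unlock(verifier, weak_password, secret_key, salt)
    return without_sk, with_sk


if __name__ == "__main__":
    print(demo())  # (False, True)
```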