[jotaen]

> Of course, you have to be sure that master password is not leaked, but the same is true for any stateful password manager.

I don’t think this comparison is accurate. With a vault-based password manager, an attacker would need the master password AND the vault. The vault is usually protected separately, either because it’s a file that’s non-public (e.g. Keepass), or because it’s a web service that’s rate-limited or otherwise monitored (e.g. 1Password Cloud).

[staticassertion]

The vault is almost always protected by the master password. That single password is what's used both to retrieve the vault and to decrypt it.

The only difference is going to be if the remote vault requires a separate auth factor. And that's a legitimate thing to consider. But I think (but I haven't thought much about it tbh) if you have a secure master password then the situations where this matters are limited.

[jotaen]

> That single password is what's used both to retrieve the vault and to decrypt it.

Not sure how you mean that: if I used Keepass for example, which uses a file vault, and I told you that my master password was `p4ssw0rd`, how would that give you access to my vault and hence to any of my passwords?

[staticassertion]

Sorry, I had assumed you were referring to systems where the vault is distributed.