by firen777 899 days ago
The way I look at it is, a password vault is a single point of failure with a very, VERY tiny attack surface, such that an attacker would need to directly target you with a sniper rifle to actually hit you (assuming you are not using things like LastPass. I personally use KeePass and synchronize the local vault across devices using Syncthing). Suffice it to say, unless your last name is Snowden, it should not be a concern to you.

Compared to the common way of "managing" passwords (i.e. reusing one password everywhere), it is still a single point of failure. The difference is that the attack surface balloons up in proportion to the number of websites you sign up to. And just like a balloon, all it needs is one poke, one website storing your password in plaintext, to blow it all up.

1 comment

> Suffice it to say, unless your last name is Snowden, it should not be a concern to you.

I wouldn't be so sure about that. People store banking/payment credentials in them, so there is a large incentive to mount a scalable attack against an even moderately popular password manager. Crypto wallets are a popular target too for the same reason (although the risk is even more immediate there).

How are you going to "mount a scalable attack" against a local-only password manager?

Malware targeting unlocked local password managers would be one option.

In that case, aren't you already hosed, because the same malware can steal all your login sessions?

No, because I'm not logged into all of my accounts at once, but if they can open the PW database they can.