by martinced 4901 days ago
As long as people shall keep thinking that the very concept of a master password you enter on your computer ain't totally broken from a security point of view I won't be surprised by all the security exploits out there.

It's the very mindset of people working in this field which is totally broken.

If someone installs a keylogger on your computer (eg thanks to, say, a 0-day Java applet vulnerability) and gets your master password, it's much much worse than if the same keylogger gets installed and manages to steal only some of your passwords.

For example I connect about once a year to MoneyBookers (where I have money). I connect rarely to the "admin" account of our Google Apps for Business/Domain (because things are correctly set up and just working nicely for our use cases). etc.

If a keylogger is installed on my system, there's a chance an anti-virus or even the user is going to notice, at one point, that something spooky is going on. And between the time the keylogger got installed and its removal (say by re-installing the OS), I may very well never have connected to MoneyBookers, Google Apps for Business's admin account and all the other sites which I very rarely connect to.

So although the security breach is terrible it is not anywhere near as bad as if my master password was sniffed by a keylogger and the attacker had access to all my passwords.

Note that a 0-day exploit and a keylogger aren't science-fiction: these are the kind of exploits happening on a daily basis and affecting a lot of people.

How can anyone possibly think that a master password can ever be secure?

It cannot. It is the antithesis of security.

It is trading security for convenience.

That trend in our industry and the fact that devs don't see what's deeply wrong with that scheme is frightening.

I have nightmares about what's coming in the future because, obviously, we're living in a world where nobody cares about security anymore.

Btw I'm the kind of person who boots a live Linux CD to connect to my online bank account and who did set up 2-factor auth wherever possible. So I'm unlikely to take fanboyism and blind faith in the "master password" cult seriously.

Explain to me how a master password isn't trading security for convenience and I might listen.

4 comments

Explain to me how a master password isn't trading security for convenience

Entering any password is trading security for convenience. After all, the most secure server is the one that won't allow anybody to log on, or even better, a shut-down machine without a network cable!

Security is always a trade-off, and if you can't understand that, then maybe your mindset is as broken as anyone's.

The point of password managers and master passwords is not ultimate security (such a goal would be futile). Instead the point is to bring a major security improvement to the masses. E.g. to the masses who are currently using a single weak password across many websites.

Sometimes you need to trade some security for convenience, or you will lose all security.

edit: In addition, to combat keyloggers (and other malware) you need either an HSM or one-time passwords. In both cases you usually need support on the server side. As such, combating keyloggers is really infeasible via password policies.

Well your whole point can be addressed easily. Here is how:

There is no immediate access to all passwords at once. Even when editing/deleting stored accounts, you can only do so by either providing the current one, or by load control.

Normal use wouldn't need more than a few passwords at any given moment, and if there is a request for more, this can be an alert/lock that requires an SMS or any other 2nd means of authentication.

The only real concern is that attack vectors to a single account (e.g. a gmail account) are broader that way - you can also go through the master password thingy. So, to begin with, if there is an account that is super sensitive you don't delegate it to a master account for authorization, and everything is dandy.

So why not use a master password with 2-factor auth? Then the password is useless to a keylogger.