Hackers rarely break through the front door. They find a vulnerability elsewhere in the code, your OS, other programs on your computer, the company's servers, the company's staff, and so on. You have to have full faith not just in the encryption algorithm, but in its implementation, everything and everyone around it, and everywhere it operates and interacts. Any one of these could be a route in.
Even if it's only random-ish, password managers do key stretching (for example by hashing the password 600k times - Bitwarden has a high default value and lets you increase it if you like) so that it has to take some computational effort to check if a single password is correct. That's why it takes a few seconds to unlock your vault each time.
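The stretching the comment describes, as an added illustration (not Bitwarden's code): PBKDF2-HMAC-SHA256 is assumed as the stretching function, the 600k figure is the comment's, and the passwords and salts are constructed sample values. It shows why the stored record is safe to keep while a wrong guess still costs the same time as a right one.

```python
"""Key stretching: PBKDF2 with a high iteration count so each guess costs real CPU time.
Added illustration, not Bitwarden's implementation."""
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 with the 600k iterations the comment cites.
DEFAULT_ITERATIONS = 600_000


def stretch(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive a 32-byte key; cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def enroll(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Store only salt, iteration count and the stretched key, never the password."""
    salt = os.urandom(16)  # fresh random salt per vault
    return {"salt": salt, "iterations": iterations, "key": stretch(password, salt, iterations)}


def verify(candidate: str, record: dict) -> bool:
    """Re-run the stretch with the stored parameters, then compare in constant time."""
    derived = stretch(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["key"])


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of a single guess at this iteration count (constructed input)."""
    start = time.perf_counter()
    stretch("correct horse battery staple", b"constructed-salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = enroll("my long memorable sentence")  # constructed sample password
    print("correct password accepted:", verify("my long memorable sentence", record))
    print("wrong password rejected:", not verify("my long memorable sentenc", record))
    # The unlock delay the comment mentions is exactly this per-guess cost,
    # and it is the same cost an attacker pays for every candidate.
    for n in (1_000, 100_000, DEFAULT_ITERATIONS):
        t = seconds_per_guess(n)
        print(f"{n:>8} iterations: {t:.3f}s per guess, ~{1 / t:,.0f} guesses/s on this core")
```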
With these in place I think you're pretty safe for a long time. (Well, maybe until quantum computing breaks those ciphers?)
That's not true. A long sentence of your choosing is easy to memorise and plenty long enough not to be guessable by a computer (brute force).
But this is why I use security keys like yubikeys. Doesn’t matter if an attacker knows my main password for any number of reasons, there’s fuckall they can do with it without my physical key.
And even if they get into my vault and extract passwords, for many websites (in particular the most important ones) they'd still need to use my security key; they can't just use the passwords.
Attacks are still possible (with browser session fuckery?) but much harder than yet another breach where a website was storing passwords in plaintext.
Note: it's best to not select "remember me" for Bitwarden: https://bitwarden.com/help/twostep-faqs/#q-why-is-bitwarden-...
I like, no, I think it's simply a hard requirement, that I can recover from nothing but the contents of my head. I can wake up naked in a foreign country and regain everything.