Vermillion (Supreme [H]ardness, joined Apr 5, 2007, 4,417 messages)
Whether consciously or not, I think it's a coping mechanism. It wouldn't be a pleasant feeling having vaults obtained by those eager to gain access to accounts, particularly since URLs weren't encrypted, so they'd likely be prioritized according to high-value sites.
Someone on another site cited stats that 69-85% of hashed passwords in past (general) leaks have been cracked via brute force, rainbow tables, etc. Not a very encouraging figure for the strength of the password the average user might use for the master password.
One could always change every password pre-emptively, but should a leaked vault be compromised, it'd still likely contain sensitive info that otherwise wouldn't be desirable to have out there.
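The cracking-rate worry above comes down to two numbers: how many guesses the attacker needs and how expensive each guess is. The block below is an added example, not code from the thread or from any password manager: it derives a vault key with PBKDF2-HMAC-SHA256 (the KDF, the use of the e-mail address as salt, the attacker throughput, the iteration counts and the keyspace sizes are all assumptions chosen for illustration) and estimates expected offline crack time for a few master-password habits at each iteration count. A low iteration count or a wordlist-grade master password is what turns a stolen encrypted vault into an open one.

```python
import hashlib
import math
import time

# Assumed attacker throughput: raw SHA-256 compressions per second on one GPU rig.
# Illustrative constant, not a measurement.
ATTACKER_SHA256_PER_SEC = 2e10

# Assumed PBKDF2 iteration counts to compare: a trivially weak setting, a legacy
# default, and a reasonable modern one. Not taken from the thread or any vendor.
ITERATION_COUNTS = (1, 5_000, 100_100)

# Assumed keyspace models for a few master-password habits (not survey data).
KEYSPACES = {
    "password from a 10M-entry wordlist": 1e7,
    "8 random lowercase letters": 26 ** 8,
    "10 random printable chars (72 symbols)": 72 ** 10,
    "5 random diceware words": 7776 ** 5,
}


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key. Salting with the account e-mail is an assumed design."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt.lower().encode(), iterations, dklen=32
    )


def guesses_per_second(iterations: int, sha256_per_sec: float = ATTACKER_SHA256_PER_SEC) -> float:
    """One PBKDF2 iteration is one HMAC, i.e. two SHA-256 compressions (outer + inner)."""
    return sha256_per_sec / (2 * iterations)


def expected_crack_seconds(keyspace: float, iterations: int,
                           sha256_per_sec: float = ATTACKER_SHA256_PER_SEC) -> float:
    """On average the attacker searches half the keyspace before hitting the right guess."""
    return (keyspace / 2) / guesses_per_second(iterations, sha256_per_sec)


def crack_table() -> dict:
    """Expected crack time in seconds for every (password habit, iteration count) pair."""
    return {
        name: {it: expected_crack_seconds(space, it) for it in ITERATION_COUNTS}
        for name, space in KEYSPACES.items()
    }


def benchmark_local_kdf(iterations: int, rounds: int = 10) -> float:
    """Single-core guesses/sec on this machine: a sanity check that the cost really scales
    with the iteration count (the GPU figure above is orders of magnitude higher)."""
    start = time.perf_counter()
    for i in range(rounds):
        derive_vault_key(f"candidate{i}", "user@example.com", iterations)
    return rounds / (time.perf_counter() - start)


def human(seconds: float) -> str:
    """Render seconds as the largest sensible unit for the table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} s"


if __name__ == "__main__":
    for name, row in crack_table().items():
        cells = ", ".join(f"{it:>7} iter: {human(sec):>18}" for it, sec in row.items())
        print(f"{name:<40} {cells}")
    print(f"local single-core PBKDF2 rate at 100,100 iterations: "
          f"{benchmark_local_kdf(100_100):.1f} guesses/s")
```

The table makes the post's point concrete: raising the iteration count multiplies the attacker's cost linearly, while lengthening the password multiplies it exponentially, and a wordlist-grade master password is cracked in seconds at any iteration count a client can tolerate.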
This is an extremely big deal and the people who are putting their heads in the sand are foolish. Even though I expect a fair number of the master passwords to be brute forced, let's assume they aren't and ignore that part of the problem. Just the amount of data that was unencrypted but included with the vaults is scary. How many sensitive and internal URLs for businesses are now exposed? How many of those internal URLs are considered "safe" and may have less protection than something public facing? Now the bad guys have a desire to breach said businesses because of the soft gooey insides.
Stuff like this is why I self-host a Bitwarden instance which is not public facing in any way. My passwords and everything surrounding them are only safe with one person: me.
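To show how much a plaintext URL column gives away even when every password field stays encrypted, here is an added example (not code from the thread or from any password manager) that triages a list of vault URLs the way an attacker, or a defender assessing exposure, would: it flags private-address and internal-suffix hosts, cleartext HTTP, non-standard ports and admin-tool names, ranks the entries, and tallies which domains are revealed. The sample URLs, suffix list and tool-name list are constructed for the example; none refers to a real site.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of the unencrypted URL column beside the encrypted fields
# of a leaked vault. All hostnames are made up.
SAMPLE_URLS = [
    "https://accounts.example-bank.com/login",
    "https://jenkins.corp.example.internal:8443/",
    "http://10.20.30.40/admin",
    "https://vpn.example.com/remote/login",
    "https://gitlab.example.com",
    "https://mail.google.com",
    "http://192.168.1.1",
    "https://nas.home.local:5001",
]

# Assumed indicators of internal infrastructure; extend for your own environment.
INTERNAL_SUFFIXES = (".internal", ".local", ".lan", ".corp", ".intranet", ".home")
ADMIN_HINTS = {"jenkins", "gitlab", "vpn", "admin", "grafana", "vcenter",
               "citrix", "okta", "aws", "azure", "console", "nas"}
WEIGHTS = {"internal-host": 3, "admin-hint": 2, "nonstandard-port": 1, "cleartext-http": 1}


def is_private_host(host: str) -> bool:
    """RFC 1918 / loopback addresses, internal suffixes, or bare single-label names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES) or "." not in host


def classify_url(url: str) -> list:
    """Return the exposure labels that apply to one vault URL ([] for a plain public site)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    labels = []
    if host and is_private_host(host):
        labels.append("internal-host")
    if parts.port and parts.port not in (80, 443):
        labels.append(f"nonstandard-port:{parts.port}")
    if parts.scheme == "http":
        labels.append("cleartext-http")
    # Tokenise host and path on dots, dashes and slashes to spot admin-tool names.
    tokens = re.split(r"[.\-/]", host + "/" + parts.path.lower())
    hits = sorted(t for t in set(tokens) if t in ADMIN_HINTS)
    if hits:
        labels.append("admin-hint:" + ",".join(hits))
    return labels


def score(labels: list) -> int:
    """Sum the weight of each label's category (the text before any ':')."""
    return sum(WEIGHTS[label.split(":", 1)[0]] for label in labels)


def triage(urls: list) -> list:
    """Rank URLs by exposure score, highest first; ties broken alphabetically."""
    rows = [(score(labels), url, labels) for url in urls for labels in [classify_url(url)]]
    return sorted(rows, key=lambda row: (-row[0], row[1]))


def exposed_domains(urls: list) -> Counter:
    """Count entries per second-level domain (a simplification that ignores public
    suffixes such as co.uk); IP hosts are skipped."""
    counts = Counter()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            continue
        except ValueError:
            pass
        parts = host.split(".")
        if len(parts) >= 2:
            counts[".".join(parts[-2:])] += 1
    return counts


if __name__ == "__main__":
    for exposure, url, labels in triage(SAMPLE_URLS):
        print(f"{exposure:>2}  {url:<48} {' '.join(labels)}")
    print("domains revealed:", dict(exposed_domains(SAMPLE_URLS)))
```

Run against a real export, the ranked list is exactly the target list the post worries about: hosts that were never meant to be reachable from outside, with the tool behind them named in the hostname, and the organisation they belong to readable from the domain.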