{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiee7jpdnjwdklo6gliocv4rvljiofg3yjrgjbngfea66sikecsrhi",
"uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mlhdnliqgjl2"
},
"path": "/t/master-password-backup/37745#post_11",
"publishedAt": "2026-05-09T21:57:38.000Z",
"site": "https://discuss.privacyguides.net",
"tags": [
"wrapping"
],
"textContent": "ignoramous:\n\n> The problem with any scheme that requires you to import the master key is… it is no longer a _private_ secret. For instance, when you “copy” the key, it is in the clipboard of whatever OS you’re using, and there’s no shortage of apps that monitor the clipboard. Take extreme care with secrets, and _never_ export them from whichever silicon they’re generated on without “wrapping” them. In the wake of ubiquitous adoption of computationally strong & fast cryptographic constructions, the focus has shifted to compromising keys instead.\n\nAt least on Android, it shows a notification if some app copies the clipboard.\n\nlyricism:\n\n> I strongly advise against writing down the master password itself. You would be turning a “something you know” factor into a “something you have” factor by doing that, which on its own is weaker than a properly random “something you know” factor and means you are unlikely to ever really be able to protect your password manager with MFA since most second factors are already “something you have”.\n\nSo your advice is to just hope to never forget it?\n\nignoramous:\n\n> Passwords aren’t usually “properly random”.\n\nWhat do you mean?",
"title": "Master Password Backup"
}