This is my worst nightmare and I wonder what the order of operations is in terms of downloading and unlocking a vault. This sounds like you need the master password to download and unlock the vault, so that’s a tiny bit of extra protection I guess (not much).
I wonder if password managers should be designed around, and encourage the use of, an undocumented PIN that’s appended to every stored password. You could use the same PIN for everything and if someone got your vault decrypted there would at least be a chance they didn’t get the secondary PIN too.
Can't use the same PIN as a hacker would just add myhackurl.com/login to your vault and see what the PIN came across as. I think you'd also run into issues with password length as a lot of sites still have a restriction. I like the idea though and maybe a different implementation could work.
I mean a PIN that's not stored in the vault or auto-filled. It would be something extra that you add manually after the password manager fills in the password.
So the password manager would put in 'password' and I'd manually type '1234' to make it 'password1234'.
That would not have stopped the vulnerability 'LastPass bug leaks credentials from previous site' (see ZDNet article posted elsewhere), though that's not a common vulnerability in software.