I’ve been reading about password managers recently out of personal interest, but since I don’t have any experience in the area of information security, I found myself confused about two aspects after watching the following Computerphile video.
Let’s say I download and set up one of the commercially available password managers on my device A. I understand that what the server (i.e. the ‘vault’) stores is only encrypted information that is useless if intercepted. To decipher this information, one needs some kind of a ‘vault key’ generated from my master password by hashing it. I can verify my identity with the server by using the authentication key, then download my vault and decipher it to recover the actual passwords on device A.
Now, if I try to do the same on device B, in order to authenticate myself again, presumably I need to replicate the same hashing procedure to tell the server it’s me again who’s trying to access the data. If that’s true, then the information about how to hash my master password correctly has to be somehow transferred from A to B? Does that not leave the possibility that someone can intercept that information when it’s being synchronised across devices and therefore pose a security threat? Or does it simply not matter as long as the attacker doesn’t know my master password, since then they won’t be able to reproduce my vault key or authentication key anyway, even knowing the right hashing procedure?
Can the authentication key be intercepted when it’s trying to access the encrypted data on the server? Then, the attacker would be able to access and download all this data. Again, is that not a concern because, as the video mentions, there is no way to replicate the vault key from the authentication key, so the data cannot be decrypted? Why is that impossible?
Please point out any mistakes in my reasoning. I would be grateful if you could recommend some resources about how password managers deal with security issues like that in greater detail – the information readily available on their websites is quite basic and I don’t really know where to look for something in-depth.
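The two-key scheme the question describes, as an added illustration that is not code from the Computerphile video or from any particular password manager: the master password is stretched with a salted, slow hash, and two independent subkeys are split off from the result with different labels, one that stays on the device to decrypt the vault and one that is presented to the server. The salt, iteration count and labels are the "how to hash" information that devices A and B share; they are public parameters, so syncing them reveals nothing an attacker could use without the master password. The server keeps only a further hash of the authentication key, so even a captured authentication key or a copied server database does not yield the vault key. The parameter values and label strings below are constructed for this example.

```python
import hashlib
import hmac
import os

# Public, non-secret key-derivation parameters that a password manager syncs
# between devices. Values are constructed for this example; a real product
# chooses its own salt per user and a much higher work factor.
KDF_PARAMS = {
    "salt": bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    "iterations": 100_000,
}


def derive_keys(master_password: str, params: dict) -> tuple[bytes, bytes]:
    """Stretch the master password, then split it into two unrelated subkeys.

    Returns (vault_key, auth_key). Only auth_key ever leaves the device.
    """
    master_key = hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        params["salt"],
        params["iterations"],
        dklen=32,
    )
    # Domain separation: same master key, different labels. Because HMAC is a
    # one-way pseudorandom function, knowing auth_key gives no information
    # about vault_key (or about master_key), which is what makes the split safe.
    vault_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key


def server_enroll(auth_key: bytes) -> bytes:
    """Server side: store a hash of the auth key, never the auth key itself."""
    return hashlib.sha256(b"stored-verifier:" + auth_key).digest()


def server_verify(stored_verifier: bytes, presented_auth_key: bytes) -> bool:
    """Server side: constant-time comparison of the presented key's hash."""
    candidate = hashlib.sha256(b"stored-verifier:" + presented_auth_key).digest()
    return hmac.compare_digest(stored_verifier, candidate)


def simulate_two_devices(master_password: str, wrong_password: str) -> dict:
    """Walk through enrolment on device A and login on device B."""
    # Device A: derive both keys and enrol the auth key with the server.
    vault_key_a, auth_key_a = derive_keys(master_password, KDF_PARAMS)
    verifier = server_enroll(auth_key_a)

    # Device B: receives only KDF_PARAMS (public) plus the user typing the
    # same master password. It never receives any key material from A.
    vault_key_b, auth_key_b = derive_keys(master_password, KDF_PARAMS)

    # An attacker who learned KDF_PARAMS but guesses the password wrong.
    _, auth_key_wrong = derive_keys(wrong_password, KDF_PARAMS)

    return {
        "same_password_same_keys": vault_key_a == vault_key_b and auth_key_a == auth_key_b,
        "device_b_login_accepted": server_verify(verifier, auth_key_b),
        "wrong_password_rejected": not server_verify(verifier, auth_key_wrong),
        "vault_key_differs_from_auth_key": vault_key_a != auth_key_a,
        "server_never_holds_auth_key": verifier != auth_key_a,
    }


if __name__ == "__main__":
    for check, ok in simulate_two_devices("correct horse battery", "Tr0ub4dor&3").items():
        print(f"{check}: {ok}")
```

The point the question is circling is visible in `derive_keys`: the "hashing procedure" is just `KDF_PARAMS` plus the fixed labels, none of which is secret, while everything an attacker would actually need is the master password fed into the slow PBKDF2 step. Intercepting `auth_key` on its way to the server (which in practice travels inside TLS anyway) lets someone at most fetch the ciphertext, because reversing HMAC to recover `master_key` and then `vault_key` is computationally infeasible.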