There are many types of targeted attacks on passwords that don't come close to including state-level actors. Divorces. Corporate Espionage. Any one of the people on Judge Judy who posted information online about their co-workers.
As far as I can tell, we're talking here about reversing a cryptographic hash and sifting the one true master password out from the much more numerous hash collisions. Do you really expect that level of effort to be common in a divorce?
I _know_ that level of effort has already been expended in divorces. Targeted attacks do not need to be common. The point is that there are many types of targeted attacks.
That's assuming that the master password is really strong. Otherwise you could bruteforce it by testing millions of passwords ("password", "secret", short ones and so on). I assume most people will choose somewhat weak master passwords.
With this scheme ANY site where you register can attempt to brute-force your master password offline. I fail to see how it's a good scheme.
You're right. If you choose a weak password, nothing can save you. This holds in any case, so this is not specifically an argument to this use. Let's do some math to see if your argument about bruteforcing holds stake (spoiler: it doesn't).
Let's say you're master password only uses letters, numbers, and special characters. Just counting keys on my keyboard, there are 94 such characters. You should pick a random sequence as master password (very important).
Let's say you use the Antminer S9 (which can compute 1 gigahash per joule). For ease of analysis, let's say you can recognize the master password instantly. Also, say we're paying $0.2 per kwh. Then we can define the average cost c of finding the master password as a function of the master password length l:
c(l) = 94^l/(1.8*10^10)
c(5) is about 40 cents, c(6) about 40 dollars
c(8) is more than 300k, c(12) = 26e12
In comparison, the estimated amount of money in the world (in 2009) is 52e9 dollars. By the way, this is if you use a single SHA256 hash. You can make the hash arbitrarily expensive by iterating (computing h(h(h(master_pass)))).
The one and only argument against using a master password that is used to derive passwords is the single point of failure. If someone catches you typing your master password on video, you're pretty much fucked. But I guess this is the same for password managers.
There are many types of targeted attacks on passwords that don't come close to including state-level actors. Divorces. Corporate Espionage. Any one of the people on Judge Judy who posted information online about their co-workers.