On a most basic level, I understand that password managers like LastPass or 1Password use the user’s password to encrypt their vault. What other approaches are used to protect the vault? Do they use a key-derivation function to create a token that is used as the encryption key instead?