How can an attacker obtain the Master Key without needing the user's login password?

The attacker can dump the lsass process memory using tools like procdump or directly extract the Master Key online with mimikatz (via `sekurlsa::dpapi`). Once the Master Key is obtained, it can be used offline to decrypt the DPAPI blob containing the saved passwords. This method bypasses the need to crack the user's password or decrypt the Master Key file directly.