How To Make A Master Password For Your Password Manager

I’ve noticed far too many people overthink making a master password or simply don’t know where to start.

This is why I’ve created this post; I will show you how to make a master password that is random, secure, and memorable.

How To Make A Master Password

  1. Go to the Password Manager Emergency Sheet Generator here: https://passwordbits.com/emergency-sheet.html
  2. Press the “Print This Page” button to print.
  3. Either use the example master password that is generated or modify it to your liking. Every time you reload the page or press the “Generate New Password” button, a new random example master password is created.
  4. Fill out the rest of the information on the sheet and keep it somewhere safe and secure in your home.

As you can see in the image below, I made some changes to the master password to my liking: I replaced the “-” with “0”.

Note: Please fill in your information, don’t use my demo info in the picture above!!!

If you don’t have a printer then get paper and pen out and make your own hand-written copy.

To learn more about this password manager emergency sheet and filling out the other information, check this post here: https://passwordbits.com/password-manager-emergency-sheet/

Why Create A Master Password This Way?

I was going to make a master password generator but since it’s ideal that you write your master password down I decided an emergency sheet would be more useful.

So I made an emergency sheet that generates a random master password each time that you can use or modify to your liking.

People are also bad at making master passwords. They either go with something they used before, something weak, or they simply don’t know what to pick. The best master password is one you did not create.

The sheet also has spots for other information I consider important to write down. So with this sheet, we cover a lot of bases while also giving you a strong master password too.

The Best Master Password

The best kind of master password is one that you did not create.

Using a random passphrase generator with 4 or more words is ideal. I’ve determined that 4 or more words are ideal from the work that 1Password has done, and I’ve also created a passphrase cracking calculator to demo it.

While 4 lowercase words for a master password are fine, you don’t have to use them if you don’t want to. Just don’t make your own master password from scratch; you’re not good at being random.

If you feel the example master password is too hard or you simply don’t like it, then generate a new one or modify it to your liking. Here are some example modifications I’ve done.

Original: skillet-composer-xbox-gravitate

Modifications:

  1. skillet0composer0xbox0gravitate
  2. skillet901composer901xbox
  3. Skillet Composer Xbox Gravitate
  4. SkilCompXboxGrav1922
  5. skillet-xbox-gravitate7654

Special characters like “-” or even a space “ ” are a part of the master password and are allowed by most password managers.

I encourage modifications to the example master password as the more diversity we have the more secure everyone will be. Just make sure to write it down and keep it somewhere secure.

Is The Example Master Password Secure?

The example master password is randomly generated locally on your computer using the secure crypto.getRandomValues.

To prove that the example master password is only generated locally on your computer, keep the page open but disconnect from wifi. Once disconnected from wifi you’ll see it still generates example master passwords.

To build more confidence you can always make modifications to the master password as talked about in the last section.
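
What local generation with crypto.getRandomValues can look like, as an added example that is not the code behind the emergency sheet: the word list is a constructed 16-word demo list, and the function names are made up for illustration.

```javascript
// Added example: passphrase generation with crypto.getRandomValues.
// Browsers and Node 19+ expose Web Crypto globally; older Node falls back.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed 16-word demo list. A real generator needs thousands of words.
const DEMO_WORDS = [
  "anchor", "bicycle", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
  "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
];

// Return an unbiased integer in [0, n) by rejection sampling.
// A plain `value % n` favors low indexes whenever 2^32 is not a multiple of n.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) {
    throw new RangeError("n must be an integer between 1 and 2^32");
  }
  const limit = Math.floor(2 ** 32 / n) * n; // largest multiple of n that fits
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf); // runs locally, no network involved
  } while (buf[0] >= limit); // discard values from the uneven tail
  return buf[0] % n;
}

// Pick `count` words independently and join them (hypothetical helper name).
function generatePassphrase(words, count = 4, separator = "-") {
  const picked = [];
  for (let i = 0; i < count; i++) {
    picked.push(words[randomIndex(words.length)]);
  }
  return picked.join(separator);
}

// Entropy in bits when every word is chosen uniformly and independently.
function passphraseEntropyBits(listSize, count) {
  return count * Math.log2(listSize);
}

console.log(generatePassphrase(DEMO_WORDS));
console.log(passphraseEntropyBits(DEMO_WORDS.length, 4), "bits with the demo list");
console.log(passphraseEntropyBits(7776, 4).toFixed(1), "bits with a 7776-word list");
```

The 7776 figure is the size of a five-dice word list (6^5) and is used only to show how list size, not character variety, drives the entropy of a generated passphrase.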

Keep A Copy Of Your Master Password In Your Vault!

Also, put your master password in your password manager.

I can’t tell you how many times I’ve seen people forget their master password but still have access on their phone because of FaceID or the Fingerprint reader. They can’t export the vault because they don’t know the master password, but they could have gotten in if they had kept a copy of their master password in their password manager.

The reality is that you’re more likely to forget your master password but still have access to your vault from another device, and having a copy of your master password in the vault can save your butt.

Practice Remembering This Master Password

When you have picked 4 words and written them down, you’ll need to practice remembering them.

It’s just 4 words.

Remember them in the correct order with whatever modifications you made.

If it helps, you can come up with a story to help you remember the 4 words. For example, if the passphrase is “bolo-declare-lear-hayfield” I would make up a sentence like “Mr. Bolo declares Lear Hayfield the winner.” The sentence is in the correct order, and you could write this down a few times to help you learn the phrase without it being too obvious.

Make sure to securely shred the papers you practice writing your master password on. Don’t shred the one emergency sheet with your master password, keep that one somewhere safe and secure in your home.

Important: Don’t use my examples for your master password, come up with your own.

Will You Need To Add Another Word In The Future?

As computers get faster and smarter, will you need to add another word in the future to keep up?

No.

As computers get faster, password managers slow down guessing more.

To slow down guessing, password managers use KDF iterations. To make one guess, the computer must solve the same math problem multiple times. Since one guess takes time and there are only so many seconds in the day, an attacker can only make so many guesses in one day.

Slow enough KDF iterations make guessing a password time-consuming and often not worth it, especially if the attacker knows you used a randomly generated password.

Why Passphrases?

You want to make a master password this way because it’s far easier to remember…

  1. chick-daresay-among-trigram

Than it is to remember…

  1. [email protected]

Both are the same amount of characters, but one is not only easier to remember but easier to type on a smartphone screen too.

Also, against a pure brute-force guessing attack, the 1st one is more secure than the 2nd one even though the 2nd has special characters, uppercase, and numbers. Using a zxcvbn password strength calculator to calculate entropy (higher is better), the 4 random words get 85.77 bits while the 2nd one gets only 49.57 bits.

So not only is the 1st one easier to remember, but it’s also more secure than something you can come up with while throwing in all this junk to make it “look stronger.”

Also, using the 4 random words has a “checksum.” So if you have lousy handwriting like me, your letters may get messy, but it’s easy enough to look up the correct spelling of a word.

The last reason why this master password is so great is that it’s nothing like the other passwords you’ve used. I’ve noticed when I tell people to make a new unique password, they make a new similar password instead. They go from using “Fluffy123” to now “Fluffy123?!”; it’s not unique if it’s similar. You need to avoid using the same or similar passwords especially when it comes to your master password.

What If I Can’t Remember This Master Password?

If you have trouble remembering this master password, then the solution is to practice.

Ensure you have the master password written down and kept in a secure spot in your home. Don’t be afraid to keep a copy in a secure location near your computer until you’ve learned it.

Then set your password manager to lock after 15 minutes. When it’s time to use the password manager after 15 minutes, you’ll need to unlock it by entering your master password.

Doing this repeatedly throughout the day or week will help you remember your master password.

Important: When you get to the point of knowing your master password and think you’ll never forget it, please still write it down and keep it somewhere safe in your home. Things happen, and you don’t want to be locked out forever.

Should All Your Passwords Be 4 Random Words?

These 4 random words are called a passphrase, and the random gibberish is called a password.

If you think you’ll ever need to type in the password manually, you should use passphrases, and everything else can be a gibberish password.
