The most important aspect of a password manager is its master password. Your master password is what protects your vault so it needs to be strong.
What makes for a strong master password is often very confusing, and far too many people get it wrong.
We have taught people to make passwords that are hard for us to remember but easy for computers to crack. Forget what you know about making passwords, and let’s talk about what makes for a strong master password.
What Makes For A Strong Master Password?
The most important factor for any password is that it is unique.
The second most important factor is length.
You need both uniqueness and length when it comes to making a master password for password managers.
So your master password must be long (15 or more characters) and something you never used before and will only use for this password manager.
How To Make A Strong Master Password
Creating a long and unique master password is super simple.
Come up with a sentence that doesn’t make sense.
This is easy and fun to do with a random word generator.
Example: Lemonade makes me sneeze 42 ferrets?
This sentence doesn’t make any sense and has never been said before – it’s perfect! The crazier or funnier the sentence, the better, as it’s easier to remember.
The great thing about using a sentence for your master password is that it’s naturally complex. The sentence contains an uppercase letter, lowercase letters, a number, and special characters (the space is a special character). You get all this complexity without it being hard to remember!
Not only is the password easy to remember, but it’s also easy to type, especially on mobile devices. It’s also easy to write down, and we’ll cover why that is important soon.
How To Make The Master Password Even Stronger?
The master password Lemonade makes me sneeze 42 ferrets? is already quite strong; it has 117 bits of entropy. Anything over 60 is considered strong.
But if you want to go the extra mile, you can make it even stronger by misspelling a word.
It can be as simple as misspelling “sneeze”…
Lemonade makes me snneeze 42 ferrets?
It doesn’t need to be a letter but can also be a special character…
Lemonade makes me sn?eeze 42 ferrets?
I placed a “?” in the word “sneeze” to give us “sn?eeze”, which just so happens to not be a word. By making one of the words a non-word, we have defeated dictionary attacks.
The original master password of Lemonade makes me sneeze 42 ferrets? was already quite strong, but simply misspelling one of the words means that an attacker using a dictionary list won’t be able to guess our password. This has made guessing our master password exponentially harder, and it was already hard to impossible to begin with.
If you choose to go this extra step, it’s super important you write down your master password and keep it somewhere safe!
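One way to carry out the steps above in code, as an added example that is not part of the original article: it draws words with a cryptographic random source, misspells one of them by inserting a symbol, and works out how many words a list of a given size needs to pass the 60-bit mark. The word list and symbol set are small constructed samples, and the entropy it reports counts only the random word choice.

```python
import math
import secrets

# Constructed sample list, for illustration only. A real list should be much
# larger (the EFF long word list, for instance, has 7,776 words).
SAMPLE_WORDS = ["lemonade", "ferret", "sneeze", "anchor", "violin", "pickle",
                "canyon", "marble", "tractor", "walrus", "blanket", "comet",
                "gravel", "lantern", "muffin", "orbit"]
SYMBOLS = "?!#%&*"  # assumed symbol set for the misspelling step


def bits_per_word(list_size):
    """Entropy, in bits, of one word drawn uniformly from the list."""
    return math.log2(list_size)


def words_needed(list_size, target_bits=60):
    """Smallest number of random words whose entropy is over target_bits."""
    return math.floor(target_bits / bits_per_word(list_size)) + 1


def misspell(word):
    """Insert one random symbol inside the word so it is no longer a word."""
    pos = 1 + secrets.randbelow(len(word) - 1)  # never before the first letter
    return word[:pos] + secrets.choice(SYMBOLS) + word[pos:]


def make_passphrase(words, count):
    """Return (passphrase, bits); bits counts the word choice only."""
    chosen = [secrets.choice(words) for _ in range(count)]
    target = secrets.randbelow(count)
    chosen[target] = misspell(chosen[target])
    chosen[0] = chosen[0].capitalize()
    return " ".join(chosen), count * bits_per_word(len(words))


if __name__ == "__main__":
    print("words needed from a 7,776-word list:", words_needed(7776))
    phrase, bits = make_passphrase(SAMPLE_WORDS, words_needed(len(SAMPLE_WORDS)))
    print(f"{phrase}  ({bits:.0f} bits from word choice)")
```

With only 16 sample words each word adds 4 bits, which is why the list size matters as much as the number of words.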
Don’t Forget To Write Down Your Master Password!
It’s important you write down your master password and keep it somewhere safe.
If you forget your master password, you’ll be locked out of your password manager forever. Your master password is used to encrypt your password manager vault, so if you forget it, you can’t decrypt it.
Note: Resetting your master password is NOT the same as changing your master password. All password managers allow you to change your master password, but they don’t allow you to reset it if you forget it.
So please write down your master password and put it somewhere safe!!!
If you have 2FA on your password manager, don’t forget to write down your backup codes too! Store them with your master password, so you don’t lose them.
Keep A Copy Of Your Master Password In Your Vault!
Also, put your master password in your password manager.
I can’t tell you how many times I’ve seen people forget their master password but still have access on their phone because of Face ID or the fingerprint reader. They can’t export the vault because they don’t know the master password, but if they kept a copy of their master password in their password manager, they could have gotten in.
You don’t even need to make it obvious. Store your master password under another account name like Home Depot. Since it’s a sentence, you could even hide it in a note along with other sentences.
Or don’t overthink it and store it like any other item in your vault.
The reality is that you’re more likely to forget your master password but still have access to your vault from another device, and having a copy of your master password in the vault can save your butt.
Should You Make All Your Passwords This Way?
No, there is no need to make all your passwords this way. This way of making passwords is more for the master password.
For your other passwords, you can use the random password generator in your password manager.
We do the master password this way because you have to manually enter it and write it down. This way of making a password is less error-prone and easier for people to understand while also being secure.
Need A Password Manager?
Here are our picks for password managers.
1. Bitwarden - Best free and overall option.
2. 1Password - Best paid option.
3. Dashlane* - Best for new users as it holds your hand more.
4. Roboform* - Feature-packed and has been around the longest, plus a free option. The only one with a bookmark manager, which I've found useful lately.
*May receive a commission.