How to Create a Secure Master Password

Updated 2/7/2019

One of the greatest benefits of using LastPass is that it remembers all of your passwords for you, so you can generate strong, unique passwords without the hassle of recalling or typing them. Because you are storing all of your sensitive data in LastPass, though, creating a master password that is rock-solid while still being memorable is even more important.

We recommend a simple strategy for creating a long, non-dictionary-based, difficult-to-crack master password: use passphrases.

What is a passphrase?

A passphrase is typically a sequence of words or text strung together to create a password for logging in to an account. The difference between a passphrase and a password is that a passphrase is typically longer and uses whole words or variations of whole words to create nonsensical sentences or phrases that are easy for you to remember, but hard for someone else to guess or crack. 

How to create your strong passphrase:

The key to creating a strong passphrase is to pick a string of words that’s easy for you to remember but is not just a famous movie or literary quote, song lyric, piece of personal information, or a single word straight from the dictionary. The best passphrases will also include a mix of capitalization, punctuation, and numbers.

Given those parameters, let’s look at an example, choosing words at random that don’t really have a relation to each other but that hold meaning for you:


That’s a 27-character nonsensical phrase that will still be easy to remember. Now if we really want to increase the strength of the phrase, we can then add a better mix of character types:

So now, we have a 28-character master password, with lowercase, uppercase, a number, and some symbols.
Of course the longer and more complicated you make the passphrase the more carefully you’ll need to type, and the harder you may have to work at memorizing the master password at first. Even using “volkswagensummeryellowtulip” is far better than using “password” or one of the other common passwords or single dictionary words.
XKCD‘s now famous comic about password entropy drives the point home:

Ready to update your master password with your new passphrase? You can do so by opening your LastPass Vault and clicking the “settings” menu option on the left, then submitting your changes. You can also try our password generator toolWhat are your strategies for creating a strong master password?


  • Anonymous says:

    I think this approach is pathetic. Try this for size: $%_6CaRbOn12_@# go and check its strength, check how long it takes to break it, do all the checks you can find. My Master Password uses similar construction, the tests say it is virtually unbreakable in less than 14 x 10^ 12 years.

  • Anonymous says:

    It may seem like a lot of work, but typing in a whole sentence (with spaces and punctuation) just might be easiest on the person. If you make the sentence memorable to you, even a fairly short sentence will have enough characters and variance to make cracking it nigh impossible. For example: “My favorite meal is green eggs and ham, yum!” That’s 44 characters!

  • I’m very pleased about lastpass, it’s working for me and make my work to be easier. Thank you!
    jocuri manichiura

  • Anonymous says:

    Sigh. So after I spend a whole day using Last Pass random generator for all my stuff I read Last Pass blog telling me random passwords suck. Oh well, where’s my dictionary.

    • Anonymous says:

      Random passwords are fine if they’re (1) truly random, (2) long enough, and (3) not reused.

      Unfortunately, those passwords are hard to remember, so most people (1) use a pattern (as in the cartoon above) (2) keep the passwords short and (3) reuse them for multiple websites.

      The power of the dictionary-word approach is that it increases the number of possible passwords (there are thousands of common English words) while also making the password easy for humans to memorize.

      But a password made of randomly selected* words is still easier to guess, meaning less secure, than a password of the same length made of randomly selected characters.

      *The words have to be chosen at random, you can’t just pick your favorites. Diceware is a good way to choose random words.

      Using LastPass or another password manager frees you from the usual constraints because it lets you use a long and random (and therefore secure) password for each site without needing to memorize them.

    • Yes, the 4-word pass phrase isn’t better than the (truly) random passwords stored in your LastPass database. The article is giving one possible suggestion for how to make a good master password

  • Best Password of my Computer Is “incorrect”…. Even When i Forget the Password it reminds me as

    “The Username and Password is Incorrect”

    Hence i can easily login & nobody can crack my password

  • Anonymous says:

    I’ve used as a good source for random multi-word phrases in several languages.