How to Create a Secure Master Password

One of the greatest benefits of using LastPass is that it remembers all of your passwords for you, so you can generate strong, unique passwords without the hassle of recalling or typing them. Because you are storing all of your sensitive data in LastPass, though, creating a master password that is rock-solid while still being memorable is even more important.

We recommend a simple strategy for creating a long, non-dictionary-based, difficult-to-crack master password: use passphrases.

What is a passphrase?

A passphrase is a sequence of words or other text strung together to create a password for logging in to an account. The difference between a passphrase and a password is that a passphrase is typically longer and uses whole words, or variations of whole words, to create a nonsensical sentence or phrase that is easy for you to remember but hard for someone else to guess or crack.

How to create your strong passphrase:

The key to creating a strong passphrase is to pick a string of words that’s easy for you to remember but is not just a famous movie or literary quote, song lyric, piece of personal information, or a single word straight from the dictionary. The best passphrases will also include a mix of capitalization, punctuation, and numbers.

Given those parameters, let’s look at an example, choosing words at random that don’t really have a relation to each other but that hold meaning for you:

volkswagensummeryellowtulip

That’s a 27-character nonsensical phrase that is still easy to remember. If we want to increase its strength further, we can add a better mix of character types:

V0lk$wagenSummerYellow!Tulip
So now we have a 28-character master password with lowercase, uppercase, a number, and some symbols.

Of course, the longer and more complicated you make the passphrase, the more carefully you’ll need to type it, and the harder you may have to work at memorizing the master password at first. Even using “volkswagensummeryellowtulip” is far better than using “password” or one of the other common passwords or single dictionary words.

XKCD’s now-famous comic about password entropy drives the point home.

Ready to update your master password with your new passphrase? You can do so by opening your LastPass Vault and clicking the “Settings” menu option on the left, then submitting your changes.

What are your strategies for creating a strong master password?
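As an added example (not LastPass code and not part of the original post), here is a small Python generator that follows the recipe above: pick words at random from a list using the CSPRNG-backed `secrets` module, apply the capitalization, digit and symbol mix-ins at randomly chosen positions, and reject candidates that break the article’s rules (too short, on a common-password list, or a single dictionary word). The word list, the common-password set and the 16-character minimum are constructed for this example; a real generator would load a published list of several thousand words.

```python
import secrets
import string

# Constructed word list for this example only. With 32 entries each word adds
# only 5 bits; a real generator loads a published list of thousands of words.
WORD_LIST = [
    "volkswagen", "summer", "yellow", "tulip", "harbor", "pencil", "granite",
    "walrus", "monsoon", "lantern", "copper", "meadow", "violin", "cactus",
    "saddle", "glacier", "pumpkin", "rocket", "velvet", "anchor", "bishop",
    "candle", "dolphin", "ember", "falcon", "garden", "helmet", "island",
    "jacket", "kettle", "ladder", "magnet",
]
# A few entries of the kind found on published "most common passwords" lists
# (constructed here; use a full breach-derived list in practice).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LENGTH = 16  # assumed policy value for this example


def random_words(n_words=4, words=WORD_LIST):
    """Pick n_words uniformly at random with the secrets module.
    random.choice() is the wrong tool here: it is driven by a non-cryptographic
    PRNG whose state an attacker can reproduce."""
    return [secrets.choice(words) for _ in range(n_words)]


def mix_character_types(words):
    """Apply the article's mix-ins: capitalize each word, then drop one digit
    and one symbol into random positions. Positions and characters come from
    secrets so they add entropy, unlike a predictable '0 for o' substitution,
    which every cracking rule set already tries."""
    phrase = "".join(w.capitalize() for w in words)
    for pool in (string.digits, "!@#$%^&*?"):
        pos = secrets.randbelow(len(phrase) + 1)
        phrase = phrase[:pos] + secrets.choice(pool) + phrase[pos:]
    return phrase


def passphrase_problems(phrase, dictionary=frozenset(WORD_LIST)):
    """Return the article's rules that the candidate breaks (empty list = OK).
    A missing mix of character classes is reported as advisory only, since the
    article rates a long all-lowercase phrase far above a common password."""
    problems = []
    if len(phrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if phrase.lower() in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    if phrase.lower() in dictionary:
        problems.append("is a single dictionary word")
    has_all_classes = all((
        any(c.islower() for c in phrase),
        any(c.isupper() for c in phrase),
        any(c.isdigit() for c in phrase),
        any(c in string.punctuation for c in phrase),
    ))
    if not has_all_classes:
        problems.append("advisory: no mix of case, digits and symbols")
    return problems


if __name__ == "__main__":
    words = random_words()
    candidate = mix_character_types(words)
    print("words:          ", " ".join(words))
    print("master password:", candidate)
    print("check:          ", passphrase_problems(candidate) or "OK")
```

Running the script prints a fresh candidate each time; the words are what you memorize, and the inserted digit and symbol are chosen by position rather than by the usual letter-for-number substitutions.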

47 Comments

  • Anonymous says:

    Making a master password is tricky, but if you add some memorable words in there, along with a few numbers and symbols, it won’t be so hard to remember or crack. I’ve found http://random.pw helps to create memorable and strong passwords.

  • Anonymous says:

    Lastpass has at least two different forms of two step authentication.

    Turn on.
    Stop worrying about your password.
    Profit.

This will do more to protect you than all the rest of these “gimmicks” combined

  • Anonymous says:

    All this depends on how the password is stored. It works on Lastpass because Lastpass uses PBKDF2 with 1000 iterations (can be increased). A lot of systems just store passwords using MD5 or SHA1 or something similar. The offline guessing rate on even cheap hardware is going to be in the billions/sec and not 1000/sec. Under those conditions 44 bits of entropy isn’t sufficient.

    Diceware, which uses a pool of 7776 short English words, recommends a minimum of 6 random words for anything worth securing (~77.5 bits of entropy). In practice 6 random words aren’t that easy to remember, people won’t want to type anything that long and most people will skip the random part. A 12+ character mnemonic is an easier way to go.

  • James Young says:

    It doesn’t matter if you use dictionary words. All that matters is you use enough of them, and they’re truly random. You could even publish the word list you select from, and it would still be secure.

    If you pick four words (at random!) from the General Service List (2284 words), you have 11 bits of entropy per word. 44 bits of entropy in total if you select four at random. This is true even if the word list is known in advance.

    It’s also true that if you selected 27 random characters (the average length of a four word selection from the GSL) you would have 127 bits of entropy, making selecting four words MUCH MUCH worse than selecting 27 random characters, but the fact still remains that a dictionary cracker is going to have a comparatively tough time guessing your four words, while you’ll have a really easy time remembering it.

    If 44 bits of entropy isn’t enough for you, add an extra word for another 11 bits. Just don’t use phrases or related words. Select the words randomly.

  • Rob says:

    I make up a sentence for passwords too except I make the sentence out of some obscure fact (to someone else) about me. So…”I bought my first jet fighter in 1993, and it had a Pratt and Whitney engine” would become “Ibmfjfi1993,&ihaP&We”. Of course on top of that use two-factor identification.

    • Chris says:

      Rob, Typing the “seed” of your password instead of the password itself increases the entropy more than a hundred orders of magnitude from 3.62 x 10^39 to 2.05 x 10^150. This blog post is intended to illustrate that they’re identically easy to remember (you’re remembering the same phrase), but they’re not identically secure.

      As you type it, it would take 7.023002971 e+9 years to crack, as I’d type it, 3.450454396103403 e+70 years

    • Anonymous says:

      I’m not following you Chris. Are you saying that ibmfjfi1993…. is more secure or less secure than “I bought my first jet fighter in 1993…”?

    • Anonymous says:

He’s saying “I bought my first jet fighter in 1993…” is more secure, and no harder to remember (since that’s how you’re remembering the password anyway).
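The figures the commenters trade (6 Diceware words at about 77.5 bits, 4 General Service List words at about 44 bits, 27 random lowercase letters at about 127 bits, 1,000 guesses per second behind PBKDF2 versus billions per second against bare MD5 or SHA1) and Rob’s sentence-initialism scheme can be checked with a short calculator. This is an added example, not code from the post or from any commenter; the list sizes and the 10^9 hashes/second figure are taken from the comments, and the initialism rules (first letter of each word, numbers kept whole, “and” written as “&”, punctuation kept) are inferred from Rob’s single example. The entropy functions assume uniformly random selection from a known list or alphabet, which is the only case where the bit counts are honest; a mnemonic built from a meaningful sentence is not uniformly random, so the calculator deliberately assigns it no bit count.

```python
import math
import re

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Word-list sizes quoted in the thread.
DICEWARE_WORDS = 7776   # 6^5 entries, one per roll of five dice
GSL_WORDS = 2284        # General Service List size as cited by James Young


def bits_from_words(n_words, list_size):
    """Entropy of n_words drawn uniformly at random from a public list."""
    return n_words * math.log2(list_size)


def bits_from_chars(n_chars, alphabet_size):
    """Entropy of n_chars drawn uniformly at random from an alphabet."""
    return n_chars * math.log2(alphabet_size)


def effective_guess_rate(raw_hash_rate, kdf_iterations=1):
    """A KDF that runs N hash iterations per guess divides the attacker's rate
    by N: the thread's 'billions/sec' for bare MD5/SHA1 versus 1,000 PBKDF2
    rounds."""
    return raw_hash_rate / kdf_iterations


def expected_years_to_crack(bits, guesses_per_second):
    """On average the attacker finds the secret after half the search space."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def mnemonic(sentence):
    """Rob's scheme as inferred from his example: first character of each
    word, numbers kept whole, 'and' written as '&', trailing punctuation kept."""
    out = []
    for token in sentence.split():
        m = re.fullmatch(r"([A-Za-z0-9]+)(\W*)", token)
        if not m:
            out.append(token)
            continue
        word, trailing = m.groups()
        if word.lower() == "and":
            out.append("&" + trailing)
        elif word.isdigit():
            out.append(word + trailing)
        else:
            out.append(word[0] + trailing)
    return "".join(out)


def compare_strategies(raw_hash_rate=1e9, kdf_iterations=1000):
    """Rows of (strategy, bits, years at the raw rate, years behind the KDF)
    for the three random-selection strategies discussed in the thread."""
    strategies = {
        "4 random GSL words": bits_from_words(4, GSL_WORDS),
        "6 random Diceware words": bits_from_words(6, DICEWARE_WORDS),
        "27 random lowercase letters": bits_from_chars(27, 26),
    }
    kdf_rate = effective_guess_rate(raw_hash_rate, kdf_iterations)
    return [
        (name, round(bits, 1),
         expected_years_to_crack(bits, raw_hash_rate),
         expected_years_to_crack(bits, kdf_rate))
        for name, bits in strategies.items()
    ]


if __name__ == "__main__":
    print(mnemonic("I bought my first jet fighter in 1993, and it had a Pratt and Whitney engine"))
    print(f"{'strategy':30} {'bits':>6} {'years @1e9/s':>14} {'years @PBKDF2':>14}")
    for name, bits, raw_years, kdf_years in compare_strategies():
        print(f"{name:30} {bits:6.1f} {raw_years:14.3g} {kdf_years:14.3g}")
```

The table makes the Anonymous commenter’s point concrete: four random GSL words survive centuries at 1,000 guesses per second but only hours against a fast unsalted hash, so the iteration count of the KDF protecting the vault is as much a part of the security margin as the phrase itself.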