
What Is a Master Password?

LastPass, October 08, 2024

Did you know that 4 million people in the world use “password” as the code word for their accounts? 

Weak passwords are a cybersecurity risk. In 2016, 21 million users on the Alibaba-owned Taobao platform had their accounts breached because of easily guessed code words. 

Civilians aren’t the only ones vulnerable to such brute-force attacks. In 2018, hackers gained access to the email accounts of Northern Irish parliamentary officials, due to poor password practices. 

In 2024, password security is critical to preventing such breaches. Below, we explore the powerful role it plays in protecting your business accounts. 

Why Is a Master Password Important?

Role in password management

A master password is a single password used to access your password vault. Ideally, it should be zero-knowledge encrypted for superior data security and privacy. 

In this way, your data remains unreadable to attackers, even if they successfully execute a server-side attack. 

Ultimately, the role of a master password is to protect the contents of your vault. At LastPass, your special code word or master phrase is never shared with us and can’t be recovered with traditional reset methods.

Benefits of using a master password

Many people ask us, “Should I have a master password?” 

The short answer is yes. 

By using one, you eliminate password fatigue, the burden of remembering multiple, complex passwords.    

And by unlocking your vault with your master password, you also enable autofill functionality. This powerful feature protects you against phishing sites. Here’s how: LastPass won’t fill in your credentials if the phishing website’s URL doesn’t match the stored URL in your vault. 
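To make the URL-matching point concrete, here is an added example (not LastPass’s code, and not its documented matching rule) that puts a weak substring check next to a hardened one. The policy in ShouldAutofill is an assumption for this example: the page must be HTTPS and its parsed host name must equal the stored host name exactly. The stored URL and the lookalike page URLs are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveMatch is the weak form: a substring test on the raw URL. Any host that
// merely contains the stored host name, or a URL that carries it in the query
// string, slips through.
func naiveMatch(storedURL, pageURL string) bool {
	stored, err := url.Parse(storedURL)
	if err != nil {
		return false
	}
	return strings.Contains(strings.ToLower(pageURL), strings.ToLower(stored.Hostname()))
}

// ShouldAutofill is the hardened form. Policy (an assumption for this example):
// the page must be served over HTTPS and its parsed host name must equal the
// stored host name exactly, compared case-insensitively with any port stripped.
// Path and query are ignored so that any page on the same site qualifies.
func ShouldAutofill(storedURL, pageURL string) bool {
	stored, err := url.Parse(storedURL)
	if err != nil || stored.Hostname() == "" {
		return false
	}
	page, err := url.Parse(pageURL)
	if err != nil || page.Scheme != "https" {
		return false // never fill into a plaintext (downgraded) page
	}
	return strings.EqualFold(stored.Hostname(), page.Hostname())
}

func main() {
	stored := "https://www.example.com/login"
	// Constructed page URLs: the first is the real site, the rest are lookalikes
	// of the kind the article describes.
	for _, page := range []string{
		"https://www.example.com/account/settings",
		"https://www.example.com.login-verify.test/",       // stored host as a prefix of a longer host
		"https://login.test/?next=https://www.example.com", // stored host hidden in the query string
		"http://www.example.com/login",                     // same host, but no TLS
		"https://www.examp1e.com/login",                    // look-alike character in the host
	} {
		fmt.Printf("%-52s naive=%-5v hardened=%v\n", page, naiveMatch(stored, page), ShouldAutofill(stored, page))
	}
}
```

Only the first URL passes the hardened check; the substring check accepts three of the four lookalikes, which is exactly the gap a phishing page relies on.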

How a master password keeps your data safe

You aren’t alone if you’re wondering, “How does a master password protect my online accounts?” 

In a nutshell, it’s like a lock that encrypts your vault of secrets. To derive your encryption key at LastPass, we run your master password and a unique salt (random value) through PBKDF2, using HMAC-SHA256 as the underlying function, for 600,000 iterations. 

The 256-bit derived key is then used as the key for AES-GCM-256 encryption. Ultimately, your AES-GCM-256 key is a symmetric key, which means it’s the only key you need to encrypt and decrypt your vault contents. 

It’s also highly secure: the iteration count means every guess costs an attacker 600,000 chained hash computations, which makes brute-force attacks on the master password computationally impractical. 
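As an added example (not LastPass’s code), here is the derivation chain described above written out in Go using only the standard library: PBKDF2 with HMAC-SHA256 for 600,000 iterations, the 32-byte result used as the AES-256-GCM key, and the same symmetric key decrypting the vault. The master password, salt and vault contents are constructed sample values, and the PBKDF2 routine is written out rather than imported so the loop structure the article refers to is visible.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Parameters stated in the article: 600,000 PBKDF2 iterations and a
// 256-bit (32-byte) key for AES-GCM-256.
const (
	Iterations = 600000
	KeyLen     = 32
)

// Pbkdf2HmacSha256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
// Output block i is T_i = U_1 xor U_2 xor ... xor U_c, where
// U_1 = PRF(password, salt || INT_BE(i)) and U_j = PRF(password, U_{j-1}).
// The c chained HMACs are what make each guess cost 600,000 hashes, not one.
func Pbkdf2HmacSha256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var idx [4]byte
	for i := 1; i <= numBlocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// EncryptVault seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random 96-bit nonce is drawn per call; reusing one under the same key
// would destroy GCM's confidentiality and integrity guarantees.
func EncryptVault(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVault reverses EncryptVault. Because GCM authenticates the ciphertext,
// a wrong key or a single flipped bit is rejected instead of producing garbage.
func DecryptVault(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("vault blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample values; a real salt is random and stored alongside the vault.
	master, salt := []byte("correct horse battery staple"), []byte("constructed-sample-salt")
	key := Pbkdf2HmacSha256(master, salt, Iterations, KeyLen)
	fmt.Println("derived key:", hex.EncodeToString(key))

	blob, err := EncryptVault(key, []byte(`{"site":"example.com","password":"s3cret"}`))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVault(key, blob)
	fmt.Println("decrypted vault:", string(plain), err)

	// One changed character in the master password derives an unrelated key, and
	// GCM refuses to open the vault rather than revealing anything.
	wrong := Pbkdf2HmacSha256([]byte("correct horse battery stable"), salt, Iterations, KeyLen)
	_, err = DecryptVault(wrong, blob)
	fmt.Println("wrong master password:", err)
}
```

The salt is what stops an attacker from precomputing one table of derived keys for every user, and the authenticated mode is what turns a wrong master password into a clean failure instead of silently garbled output.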

How to Create a Strong Master Password

Importance of a strong code word or passphrase

A master password is the only password you need to access the contents of your vault.  

Thus, a strong one is critical for preventing unauthorized access to your vault.  

Tips for creating a strong master password

Here’s another important question we’re often asked: How do I create a strong master password? 

One way is to use a secure password generator. At LastPass, our autosave feature prompts you to save a newly generated password every time you create an account on a website. 

Best practices for choosing a secure master password

In 2024, the best practice for choosing a secure master password is to follow the directives of these three bodies: 

NIST (National Institute of Standards and Technology):

  • Focus on length rather than complexity.
  • Use two-factor authentication or multi-factor authentication.
  • Consider rate-limiting or lockouts after multiple login attempts.
  • Passwords should be salted and hashed.
  • Choose a password manager with zero knowledge architecture.
  • Passwords shouldn’t be changed periodically or arbitrarily. A change should be required only if there’s evidence of a compromise.
  • Newly created passwords should be monitored or compared against a list of credentials known to be commonly used or previously compromised.

CISA (Cybersecurity and Infrastructure Security Agency):

  • Minimum password length should be 16 characters.
  • Make passwords random with a passphrase or string of mixed-case letters, numbers and symbols.
  • Use a password manager for secure generation and storage of credentials.
  • Create unique code words or passphrases for each account.

CIS (Center for Internet Security):

  • Minimum password length should be 14 characters.
  • Avoid sequential characters.
  • Passwords must contain lower and uppercase characters, numbers 0 through 9, and non-alphanumeric characters.
  • Avoid contextual words such as usernames and their derivatives.
  • The maximum password age must be between 30 and 90 days.
  • A minimum age is recommended to limit password reuse.
  • Use of MFA is recommended for added security.
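Several of the directives above can be enforced at the moment a master password is chosen. The following is an added example (not LastPass’s code) that screens a candidate against four of them: the CISA 16-character minimum, the CIS rule against contextual words such as the username, the CIS rule against sequential characters, and the NIST rule to compare new passwords against a list of known-compromised credentials. The compromised-password corpus is a constructed sample of four plaintexts hashed at start-up; the lookup mimics the k-anonymity style of public breach-check services, where only the first five hex characters of a SHA-1 hash would ever leave the client. The thresholds and the rule wording are this example’s choices.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// breachIndex maps the first 5 hex chars of SHA-1(password) to the remaining
// 35 hex chars of every compromised password sharing that prefix. It is filled
// from a constructed sample in init(); a real deployment loads a published corpus.
var breachIndex = map[string][]string{}

func init() {
	for _, leaked := range []string{"password", "123456", "qwerty123", "Welcome2024!"} {
		prefix, suffix := splitHash(leaked)
		breachIndex[prefix] = append(breachIndex[prefix], suffix)
	}
}

// splitHash returns the 5-char prefix and 35-char suffix of the upper-case
// hex SHA-1 of pw. SHA-1 is used here only because that is the breach-corpus
// convention; it is not a password-storage hash.
func splitHash(pw string) (string, string) {
	sum := sha1.Sum([]byte(pw))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// IsCompromised performs the k-anonymity lookup: the prefix selects a bucket
// and the full-suffix comparison happens locally.
func IsCompromised(pw string) bool {
	prefix, suffix := splitHash(pw)
	for _, s := range breachIndex[prefix] {
		if s == suffix {
			return true
		}
	}
	return false
}

// hasSequentialRun reports whether pw contains n or more consecutive
// ascending or descending characters (e.g. "1234", "abcd", "dcba").
func hasSequentialRun(pw string, n int) bool {
	r := []rune(strings.ToLower(pw))
	for i := 0; i+n <= len(r); i++ {
		asc, desc := true, true
		for j := 1; j < n; j++ {
			if r[i+j] != r[i+j-1]+1 {
				asc = false
			}
			if r[i+j] != r[i+j-1]-1 {
				desc = false
			}
		}
		if asc || desc {
			return true
		}
	}
	return false
}

// CheckMasterPassword applies the directives and returns every rule the
// candidate fails, so the user gets actionable feedback rather than a bare "no".
func CheckMasterPassword(pw, username string) []string {
	var problems []string
	if len([]rune(pw)) < 16 {
		problems = append(problems, "shorter than 16 characters (CISA)")
	}
	if username != "" && strings.Contains(strings.ToLower(pw), strings.ToLower(username)) {
		problems = append(problems, "contains the username (CIS)")
	}
	if hasSequentialRun(pw, 4) {
		problems = append(problems, "contains a sequential run such as 1234 or abcd (CIS)")
	}
	if IsCompromised(pw) {
		problems = append(problems, "appears in a compromised-password list (NIST)")
	}
	return problems
}

func main() {
	// Constructed candidates; the last one is the mnemonic example from this article.
	for _, c := range []struct{ pw, user string }{
		{"Welcome2024!", "alice"},
		{"alice-loves-12345-kebabs", "alice"},
		{"Il35bc*a*pspo83lk!", "alice"},
	} {
		fmt.Printf("%-28q -> %v\n", c.pw, CheckMasterPassword(c.pw, c.user))
	}
}
```

Only the mnemonic passphrase comes back with an empty problem list; the first candidate is both too short and present in the sample breach corpus, and the second contains the username and an ascending digit run.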

What Makes a Strong Master Password

Character length

So, how long should your master password be? 

The ideal minimum length is at least 16 characters. NIST currently recommends 8 characters (or more) and has emphasized length as the key to greater security against credential-based attacks. 

Here’s why: longer passwords make it computationally expensive for hackers to crack. This means it takes them significantly more time, processing power, and energy costs to decipher them.  

According to penetration testers at Hive Systems, it takes 46 million years to crack a 16-character password with uppercase and lowercase characters.  

And a 16-character one with upper and lowercase characters, numbers, and symbols? That’ll take 5 billion years.  

Complexity

You’ll want to avoid easily guessed sequential patterns like “123456,” “qwerty123,” or “123456789.” 

A good master password involves a combination of uppercase and lowercase letters, numbers, and special characters.  

It’s also best to avoid using leet speak to meet password strength requirements. This is the practice of replacing letters with graphically similar numbers or symbols, like l00t (“loot”) or n00b (“noob” or newbie). 

Leet speak was popularized before the Internet became widely accessible, back when tech enthusiasts mingled on bulletin board systems (BBS), much like Reddit forums today. 

The BBS community hosted a vibrant hacker culture, with users forming their own elite groups of computer nerds. These users were called “leets” (slang for “elites”). Leet speak later became popular among gamers, with the most revered members called HaXXors or H4XXors. 

You’ll want to avoid leet speak, however, and here’s why: While leet speak makes passwords significantly more complex, hackers have become privy to their use and have developed specialized programs to crack them. 

No personal identifiers

You’ll also want to refrain from using these personal identifiers: 

  • Names of relatives, friends, and pets
  • Phone numbers, addresses, and locations you regularly visit
  • Birthdates, anniversaries, graduations, and favorite holidays
  • Nicknames or phrases associated with you

Do not reuse passwords

If you generally reuse your passwords, you aren’t alone: 44% of your professional peers also engage in the same practice. 

However, 80% of breaches are caused by reused login credentials. 

For your security, we recommend that you avoid reusing your master password.  

Enable MFA authentication

You may have heard that multi-factor authentication (MFA) is a critical, added defense against traditional brute force attacks.  

However, hackers are now leveraging push bombing or MFA prompt bombing to bypass MFA protections. In this type of attack, your mobile device may be bombarded with 100+ prompts to reset your password.  

The attackers hope that, by overwhelming you with an avalanche of requests, you’ll simply tap “Allow” to dismiss the invasive prompts. In many cases, the prompts “lock up” your phone, forcing you to act to maintain your phone’s functionality. 

However, all hope is not lost. Passwordless FIDO2 authentication incorporates factors like biometrics, contextual behavior, location attributes, or passkeys to provide reinforced immunity against these MFA-based attacks. 

Use character strings

In C programming, a character string is a sequence of characters that ends with a null character ('\0'). An example is char c[6] = {'M', 'a', 'n', 'g', 'o', '\0'}; 

In the context of creating strong passwords, the point is that a password is simply such a string: any sequence of characters, as long and as unpredictable as you choose, which is what makes it hard to guess. 

Remembering Your Master Password

Techniques for memorization

One great way to memorize your password is to increase your cognitive abilities. Research shows that the effort made in learning new skills can improve working memory allocation.

And in turn, enhanced memory allocation can lead to increased neuroplasticity and greater recall capacity.  

If you’re looking for memory-enhancing activities, these five activities will get you up to speed (the first three are the easiest to fit into a busy schedule): 

  • Reading 1-5 pages from a non-fiction book daily 
  • Using spaced repetition, where you spend anywhere from 10 to 20 minutes each day or every other day reviewing and reciting your master password
  • Playing online memory games for 10-15 minutes daily
  • Learning a musical instrument
  • Learning a new language

While learning a new skill is time and effort intensive, studies show that active engagement in learning a musical instrument or new language can promote greater brain plasticity than passive activities like listening to music. 

Using mnemonic devices to recall your master password

A mnemonic device is a fancy way of saying “memorization tool.” 

These mnemonic devices can prompt greater recall. They include: 

1) Creating a playful or even outlandish sentence, using the first letter of each word, and adding special characters and numbers, like I love 35 blue cheese * and * peppermint sauce patties on 83 lamb kebabs! (Il35bc*a*pspo83lk!) 

2) Using a passphrase or sentence that appeals to your personality. 

For example, if you enjoy summer romance novels, use a memorable line from your favorite novel as a passphrase. 

Not a fan of romance novels? Try autobiographies, action thrillers, historical fiction, or mystery novels. You can even adapt phrases from your favorite songs, movies, or documentaries. 

A note of caution: Phrases from well-known literary or musical works are more vulnerable to brute force attacks.  

Random word passphrases (although harder to remember) offer greater protections. Consider implementing a hybrid approach. Add random words, special characters, numbers, and symbols to your quotes. 

3) Creating a Memory or Mind Palace, where you combine recall and visual abilities to recite your password or passphrase effortlessly. 

Below is a very basic example you can adapt:  

  • Choose a passphrase. Here's an improvised one from the book The Making of a King: King Charles III and the Modern Monarchy (Robert Hardman): “King Charles says trust and visibility are the main components of good leadership.”
  • Select a location such as your home. 
  • Determine the loci (or locations in your home) that you’ll use for your memory palace. 

TV in the living room: Picture a crown from the opening credits of the Netflix series The Crown. This symbolizes King Charles. 

Tap in the kitchen: Each time you turn on the tap, you “trust” that water will flow from it.  

Oven in the kitchen: This is where you prepare your meals. It’s “visible” every time you enter the kitchen.  

Dry erase board on the pantry door (listing domestic chores assigned to family members): This list represents what “leadership” looks like in your home. 

Tip #1: Each location should help you remember key words in your passphrase.  

Tip #2: Add symbols and numbers to make your passphrase more complex.  

Tip #3: Make your passphrase longer. 

Tips for securely storing your master password

Here are four tips for securely storing your master password:

  • Never write it down on paper or store it in plain text.
  • If you must store it in plaintext, use a safe or safe deposit box.
  • Save it in your OneDrive Personal Vault.
  • Store it in encrypted folders on your desktop or laptop.

But what if you lose your secret code word or passphrase? At LastPass, we make security easy with these recovery options. If you’re ready to enjoy greater peace of mind, sign up for a free, no-obligation trial today.