Blog
Recent
bg
Security Tips

What Is a Master Password?

Shireen StephensonOctober 08, 2024

Did you know that 4 million people in the world use “password” as the code word for their accounts? 

Weak passwords are a cybersecurity risk. In 2016, 21 million users on the Alibaba-owned Taobao platform had their accounts breached because of easily guessed code words. 

Civilians aren’t the only ones vulnerable to such brute-force attacks. In 2018, hackers gained access to the email accounts of Northern Irish parliamentary officials, due to poor password practices. 

In 2024, password security is critical to preventing such breaches. Below, we explore the powerful role it plays in protecting your business accounts. 

What Is a Master Password?

Why Is a Strong Master Password Important? 

Role in password management 

The password management market has seen unprecedented growth across the world, due to increasing security threats. Estimated at USD $1.88 billion in 2024, it’s expected to reach USD $6.35 billion by 2029. 

The master password plays an important role in password security because it’s the key that encrypts and decrypts password vaults. 

Essentially, the master password is salted and hashed multiple times through a key derivation function to generate an encryption key. This process occurs locally on your device.  

A strong master password combined with the key derivation function produces a stronger encryption key. It’s the only password you need to encrypt and decrypt your vault. At LastPass, our Zero Knowledge approach means we have no knowledge of your master password. This means we can never decrypt your vault and access its contents. 

The importance of a master password 

Many people ask us, “Should I have a master password?” 

The short answer is yes. 

Your master password is mandatory to achieve the goals of the key derivation function --deriving the encryption key that secures your password vault. 

How a master password keeps your data safe 

You aren’t alone if you’re wondering, “How does a master password protect my online accounts?” 

In a nutshell, it’s like a lock that encrypts your vault of secrets. To derive your encryption key at LastPass, we run your master password and a unique salt (random value) through the PBKDF2-HMAC-SHA256 key derivation function with 600,000 iterations. 

The derived result is an AES-CBC-256 symmetric key. It’s the only key you need to encrypt and decrypt your vault. 

How to Create a Strong Master Password 

Tips for creating a strong master password 

Here’s another important question we’re often asked: How do I create a strong master password? 

One way is to use a secure password generator. At LastPass, our autosave feature prompts you to save a newly generated password every time you create an account on a website. 

Best practices for choosing a secure master password 

In 2024, the best practices for choosing a secure master password are to align with these directives by: 

NIST (National Institute of Standards and Technology): 

  • Focus on length rather than complexity. 
  • Passwords shouldn’t be changed periodically or arbitrarily. A change should be required only if there’s evidence of a compromise. 

CISA (Cybersecurity and Infrastructure Security Agency): 

  • Minimum password length should be 16 characters. 
  • Make passwords random with a passphrase or string of mixed-case letters, numbers and symbols. 
  • Use a password manager for secure generation and storage of credentials. 
  • Create unique passphrases for each account. 

CIS (Center for Internet Security): 

  • Minimum password length should be 14 characters. 
  • Avoid sequential characters. 
  • Passwords must contain lower and uppercase characters, numbers 0 through 9, and non-alphanumeric characters. 
  • Avoid contextual words such as usernames and their derivatives. 

What Makes a Strong Master Password 

Character length 

So, how long should your master password be? 

A strong master password should be at least 12 characters long; include a mix of letters, special characters, and numbers; and meet the necessary strength requirements. 

Here’s why: Strong master passwords have higher entropy, which makes it computationally expensive for hackers to crack. This means it takes them significantly more time, processing power, and energy costs to discover your master password.  

Complexity 

You’ll want to avoid easily guessed sequential patterns like “123456,” “qwerty123,” or “123456789.” 

A good master password involves a combination of uppercase and lowercase letters, numbers, and special characters.  

It’s also best to avoid using leet speak to meet password strength requirements. This is the practice of replacing letters with graphically similar numbers or symbols, like l00t (“loot”) or n00b (“noob” or newbie). 

Leet speak was popularized before the Internet became widely accessible, back when tech enthusiasts mingled on bulletin board systems (BBS) -- similar to our Reddit forums today. 

The BBS community hosted a vibrant hacker culture, with users forming their own elite groups of computer techies. These users were called “leets” (slang for “elites”). Leet speak later became popular among gamers, with the most revered members called HaXXors or H4XXors. 

You’ll want to avoid leet speak, however, and here’s why: While leet speak makes passwords significantly more complex, hackers have become privy to their use and have developed specialized programs to crack them. 

No personal identifiers 

You’ll also want to refrain from using these personal identifiers: 

  • Names of relatives, friends, and pets 
  • Phone numbers, addresses, and locations you regularly visit 
  • Birthdates, anniversaries, graduations, and favorite holidays 
  • Nicknames or phrases associated with you 

Do not reuse passwords 

If you generally reuse your passwords, you aren’t alone: 44% of your professional peers also engage in the same practice. 

However, 80% of breaches are caused by reused login credentials. 

For your security, we recommend that you avoid reusing your master password.  

Enable MFA authentication as an extra layer of security 

You may have heard that multi-factor authentication (MFA) is a critical, added defense against traditional brute force attacks.  

However, hackers are now leveraging push bombing or MFA prompt bombing to bypass MFA protections. In this type of attack, your mobile device may be bombarded with 100+ prompts to reset your password.  

The attackers hope that, by overwhelming you with an avalanche of requests, you’ll simply tap “Allow” to dismiss the invasive prompts. In many cases, the prompts “lock up” your phone, forcing you to act to maintain your phone’s functionality. 

However, all hope is not lost. Passwordless FIDO2 authentication incorporates factors like biometrics, contextual behavior, location attributes, or passkeys to provide reinforced immunity against these MFA-based attacks. 

Remembering Your Master Password 

Techniques for memorization 

One great way to memorize your password is to increase your cognitive abilities. Research shows that the effort made in learning new skills can improve working memory allocation

And in turn, enhanced memory allocation can lead to increased neuroplasticity and greater recall capacity.  

If you’re looking for memory-enhancing activities, these five activities will get you up to speed (the first three are the easiest to fit into a busy schedule): 

  • Reading 1-5 pages from a non-fiction book daily  
  • Using spaced repetition, where you spend anywhere from 10 to 20 minutes each day or every other day reviewing and reciting your master password 
  • Playing online memory games for 10-15 minutes daily 
  • Learning a musical instrument 
  • Learning a new language 

While learning a new skill is time and effort intensive, studies show that active engagement in learning a musical instrument or new language can promote greater brain plasticity than passive activities like listening to music. 

Using mnemonic devices to recall your master password 

A mnemonic device is a fancy way of saying “memorization tool.” 

These mnemonic devices can prompt greater recall. They include: 

1) Creating a playful or even outlandish sentence, using the first letter of each word, and adding special characters and numbers, like I love 35 blue cheese * and * peppermint sauce patties on 83 lamb kebabs! (Il35bc*a*pspo83lk!) 

2) Using a passphrase or sentence that appeals to your personality. 

For example, if you enjoy summer romance novels, use a memorable line from your favorite novel as a passphrase. 

Not a fan of romance novels? Try autobiographies, action thrillers, historical fiction, or mystery novels. You can even adapt phrases from your favorite songs, movies, or documentaries. 

A note of caution: Phrases from well-known literary or musical works are more vulnerable to brute force attacks.  

Random word passphrases (although harder to remember) offer greater protections. Consider implementing a hybrid approach. Add random words, special characters, numbers, and symbols to your quotes. 

3) Creating a Memory or Mind Palace, where you combine recall and visual abilities to recite your password or passphrase effortlessly. 

Below is a very basic example you can adapt:  

  • Choose a passphrase. Here's an improvised one from the book The Making of a King: King Charles III and the Modern Monarchy (Robert Hardman): “King Charles says trust and visibility are the main components of good leadership.” 
  • Select a location such as your home.  
  • Determine the loci (or locations in your home) that you’ll use for your memory palace.  

TV in the living room: Picture a crown from the opening credits of the Netflix series The Crown. This symbolizes King Charles. 

Tap in the kitchen: Each time you turn on the tap, you “trust” that water will flow from it.  

Oven in the kitchen: This is where you prepare your meals. It’s “visible” every time you enter the kitchen.  

Dry erase board on the pantry door (listing domestic chores assigned to family members): This list represents what “leadership” looks like in your home. 

Tip #1: Each location should help you remember key words in your passphrase.  

Tip #2: Add symbols and numbers to make your passphrase more complex.  

Tip #3: Make your passphrase longer. 

Tips for securely storing your master password 

Here are four tips for securely storing your master password

  • Never write it down on paper or store it in plain text. 
  • If you must store it in plaintext, use a safe or safe deposit box. 

But what if you lose your secret code word or passphrase? At LastPass, we make security easy with these recovery options. If you’re ready to enjoy greater peace of mind, sign up for a free, no-obligation trial today