Table of Contents
Your master password is the single most important credential you will ever create. It protects every other password, secure note, credit card number, and sensitive document stored in your vault. Get it right, and your vault is essentially impenetrable. Get it wrong, and the strongest encryption in the world cannot save you. This guide, part of our Password Manager Guides & Tutorials series, teaches you how to create a master password that is both genuinely strong and reliably memorable.
What Makes a Master Password Different
A master password is not like other passwords. With regular account passwords, your password manager generates random strings of 20+ characters and remembers them for you. You never need to type them or recall them from memory. Your master password is the exception – it must live in your head.
This creates a tension between security and memorability. A random string like x7#Kp2$mQ9!wL4&n is strong but nearly impossible to remember. Your dog’s name followed by your birthday is easy to remember but trivially guessable. The solution lies in understanding what actually makes a password strong.
The Math Behind Password Strength
Password strength is measured in bits of entropy – essentially, how many guesses an attacker would need to crack it. Each bit of entropy doubles the number of possible guesses.
- 40 bits of entropy: Crackable in minutes with modern hardware
- 60 bits of entropy: Takes years with dedicated hardware
- 80 bits of entropy: Effectively uncrackable with current technology
- 100+ bits of entropy: Safe against foreseeable future advances
The key insight is that entropy comes from randomness, not complexity. A 12-character password mixing uppercase, lowercase, numbers, and symbols has about 72 bits of entropy – if every character is truly random. But humans are terrible at being random. We pick dictionary words, substitute letters predictably (@ for a, 3 for e), and follow patterns that attackers know well.
The Passphrase Method: Your Best Option
The most effective technique for creating a strong, memorable master password is the passphrase method: string together several randomly selected words.
How It Works
- Get a list of common English words (the EFF diceware list contains 7,776 words)
- Randomly select 5-7 words from the list
- String them together as your passphrase
For example: marble kitchen voltage planet anchor tulip
This passphrase has approximately 77 bits of entropy (with 6 words from a 7,776-word list). That is stronger than most “complex” passwords people create and far easier to remember.
Why Random Selection Matters
The randomness is critical. If you pick words that form a logical sentence (“my dog loves running outside daily”), the entropy drops dramatically because attackers can use language patterns to narrow their guesses. The words must be randomly chosen – ideally using dice rolls, a random number generator, or your password manager’s built-in generator.
Making It Memorable
Once you have your random words, create a mental image or story that connects them. The more vivid and absurd, the better. “A marble kitchen on a planet with voltage anchors growing tulips” is nonsensical but memorable because it is visual and unusual.
Practice typing your passphrase several times. Most people find that after 5-10 repetitions over a day or two, the passphrase becomes automatic – your fingers remember the sequence even when your conscious mind hesitates.
Step-by-Step: Creating Your Master Password
Option A: Using PanicVault’s Generator
- Open PanicVault on your iPhone, iPad, or Mac
- Navigate to the password generator
- Switch from “Random Characters” to “Passphrase” mode
- Set the word count to 5-7
- Generate several passphrases until you find one you can visualize
- Practice typing it before committing to it
Option B: Using Dice (Maximum Randomness)
This method guarantees true randomness because physical dice cannot be biased by software.
- Download the EFF Large Wordlist (search “EFF diceware word list”)
- Roll five dice for each word you need (each combination of five dice maps to one word)
- Look up each result in the word list
- String the words together
- Practice until it is memorized
Option C: The Three-Word-Plus Method
If a 5-7 word passphrase feels too long, use 3 genuinely random words plus a memorable modifier:
- Randomly select 3 words:
harvest prism copper - Add a number or symbol that is meaningful to you but not guessable:
harvest-prism-copper-42 - This gives you roughly 50-60 bits of entropy from the words plus some from the modifier
This is less secure than a 6-word passphrase but far better than a typical human-chosen password.
What to Avoid
Common Passwords and Patterns
These are the first things attackers try:
- Dictionary words on their own (“sunshine”, “password”, “football”)
- Keyboard patterns (“qwerty”, “1qaz2wsx”)
- Sequential numbers or letters (“123456”, “abcdef”)
- Common substitutions (“p@ssw0rd”, “l3tme1n”)
Personal Information
Attackers often research their targets. Avoid:
- Names of family members, pets, or significant others
- Birthdates, anniversaries, addresses
- Phone numbers, license plates
- Favorite sports teams, musicians, or movies
- Anything someone could find on your social media profiles
Previously Used Passwords
If you have used a password anywhere else, it may already be in a breach database. Never reuse a compromised credential as your master password. Check haveibeenpwned.com if you want to verify.
Sentences and Quotes
“ToBeOrNotToBe” feels clever but is easily guessable because it follows known text. Song lyrics, movie quotes, Bible verses, and famous sayings are all in attacker dictionaries.
Testing Your Master Password
Length Check
Your master password should be at least 16 characters long. Passphrases of 5+ words typically exceed this easily. If yours is shorter, add another word.
Uniqueness Check
Your master password must not be used anywhere else. Period. This is the one credential that protects all others. If an attacker obtains it from a breach at some other service, they own your entire vault.
Memorability Check
Can you type your master password correctly three times in a row without looking at a reference? If not, practice more before relying on it. There is no password reset for your master password in local password managers like PanicVault and KeePass – if you forget it, your data is gone.
Shoulder-Surfing Check
Can you type your master password quickly enough that a casual observer could not read it over your shoulder? Passphrases are slightly more vulnerable here than random character strings because words are recognizable. If this concerns you, practice typing quickly or ensure you unlock your vault in private. On Apple devices, Face ID and Touch ID handle most daily unlocks, so you only type your master password occasionally.
After You Create Your Master Password
Write It Down – Temporarily
This is controversial advice, but it is practical. When you first create your master password, write it on a piece of paper and keep it in a physically secure location (a safe, a locked drawer – not under your keyboard or on a sticky note on your monitor). This is your backup while you are still memorizing it.
Once you have typed your master password enough times that it is completely automatic (usually a week or two), destroy the paper. Some people keep the paper permanently in a home safe as part of their emergency access plan.
Practice Daily
For the first two weeks, deliberately type your master password rather than using biometric unlock. This reinforces the muscle memory. After two weeks, you can switch to Face ID or Touch ID for daily use, but make a point of typing it from memory at least once a week so you do not forget it.
Consider a Key File (Advanced)
For maximum security, some KeePass-compatible managers including PanicVault support key files – a second factor stored as a file on your device. With a key file enabled, an attacker needs both your master password and the specific key file to unlock your vault. This is the password equivalent of a deadbolt and a combination lock on the same door.
The tradeoff is that you must manage the key file carefully. If you lose it and do not have a backup, you lose access to your vault just as surely as if you forgot your master password. See our guide on KeePass key files for details.
Changing Your Master Password
You should change your master password if:
- You suspect someone may have observed you typing it
- You accidentally shared it (even partially)
- You used it somewhere else (never do this, but if you did, change it immediately)
- You wrote it down and the paper was lost or potentially compromised
You do not need to change your master password on a regular schedule. A strong passphrase that has not been compromised remains strong indefinitely. Frequent changes lead to weaker passwords because people simplify to accommodate the churn.
How to Change It
In PanicVault:
- Open your database
- Navigate to database settings
- Select “Change Master Password”
- Enter your current master password
- Enter and confirm your new master password
- The database will be re-encrypted with the new key
Make sure to update any backups of your database after changing your master password. Old backups will still require the old password.
FAQ
What if I forget my master password?
If you are using a local password manager like PanicVault or KeePassXC, there is no recovery option. The encryption is designed so that no one – not even the app developer – can access your data without the master password. This is a feature, not a bug, but it means you must take memorization seriously.
Cloud-based managers like 1Password and Bitwarden have limited recovery options (emergency kits, recovery codes), but these require advance setup.
Should I use a password manager to store my master password?
No. Your master password is the one password that must live only in your head (and optionally on a physical backup in a secure location). Storing it digitally creates a circular dependency.
Is a longer passphrase always better?
Up to a point. A 6-word passphrase from a 7,776-word list provides about 77 bits of entropy, which is excellent. An 8-word passphrase provides about 103 bits. Beyond 8 words, the additional security is theoretical – you are already safe against attacks that will not exist for decades. The practical limit is how many words you can reliably remember and type.
Can I add spaces between the words in my passphrase?
Yes. Spaces are just another character. “marble kitchen voltage” is marginally stronger than “marblekitchenvoltage” because it includes two space characters. More importantly, spaces make the passphrase easier to read and type. Some password managers’ master password fields do not accept spaces – if yours does not, use hyphens or no separator.
What about passphrases in other languages?
Passphrases work in any language. If you are a native speaker of a language other than English, using words from that language adds a small amount of additional security since most attacker dictionaries are English-heavy. The same rules apply: choose words randomly, not logically.
