Your master password is the single key to your entire vault. Getting it right — strong enough to resist attack, memorable enough to never forget — is the most important password decision you will make.
In the context of a password manager, your master password occupies a unique and critical role. It is the only key that can decrypt your vault; without it, your encrypted database of credentials is completely unreadable. With a zero-knowledge manager there is no "forgot password" reset, because the provider never holds anything that could decrypt your vault: if you forget the master password and have not set up a recovery mechanism in advance, the data is permanently inaccessible. If an attacker obtains it, they have access to every account in your vault simultaneously.
This asymmetric importance means your master password deserves far more careful attention than any other credential you manage. It should be the strongest password you have ever created, should not be used anywhere else under any circumstances, and should be protected against forgetting as carefully as against theft. The master password is simultaneously the last line of defence for your entire digital life and the one credential where forgetting it has permanent catastrophic consequences.
The threat model for a master password differs from that of a regular account password. The immediate risks are shoulder surfing when entering it, keyloggers on a compromised device, and offline brute-force attacks if the encrypted vault file is ever stolen (from a lost laptop, a backup, or a breach of the provider) and taken away for cracking. These risks shape the design requirements: the master password must be long enough that offline cracking is infeasible even with unlimited time against a stolen vault file, entered in ways that minimise shoulder-surfing risk, and typed only on devices you have reasonable confidence in. The vault's key-derivation function (Argon2id, or PBKDF2 with a high iteration count) slows down each guess, which helps, but it cannot rescue a weak passphrase: the passphrase's own entropy is what makes cracking infeasible.
A Diceware passphrase is the recommended format for a master password. Four to six truly random common words, separated by hyphens or spaces ("correct-horse-battery-staple"), provide sufficient entropy for the offline cracking threat model while being genuinely memorisable by most people. The Diceware method, rolling physical dice to select words from a standardised list, guarantees uniform randomness and eliminates the patterns that arise when people try to invent "random" phrases; a password manager's own passphrase generator, which draws on the operating system's cryptographic random number generator, is an acceptable substitute for the dice. The EFF's updated Diceware word list uses shorter, more common English words, making the resulting passphrases easier to memorise.
Your master password should be at least 20 characters. Four five-character words with separators typically achieves this. The entropy comes from the number of words and the size of the list, not from the separators: six words from the 7776-word EFF list give approximately 77.5 bits, infeasible to brute-force with current technology even if the vault file were stolen and attacked offline. Five words give approximately 64.6 bits, still very strong and roughly equivalent to a truly random 10-character password drawn from the 95 printable ASCII characters. Four words give approximately 51.7 bits. Do not let perfect be the enemy of good: four truly random words are substantially better than any password a human would invent, and far easier to remember than a shorter random string of symbols.
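The arithmetic behind those figures, and the dice-roll-to-word mapping the Diceware method uses, as an added example that is not part of the original article. It assumes an EFF-style list of 6^5 = 7776 words indexed by five dice (the embedded 12-word list is a constructed stand-in so the code runs offline; substitute the real list from https://www.eff.org/dice), and the attacker guess rate passed to `expected_crack_years` is an illustrative assumption, since the real rate depends on the vault's KDF settings and the attacker's hardware.

```python
"""Diceware passphrase generation, entropy and offline-cracking-cost estimates."""
import math
import secrets

# Constructed stand-in list so the example runs offline. A real Diceware list
# such as the EFF long list (https://www.eff.org/dice) has 7776 = 6**5 words,
# one per five-dice roll from "11111" to "66666"; pass that list instead.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "lantern", "pebble",
    "orbit", "velvet", "cactus", "marble", "tundra", "whisk",
]

EFF_LONG_LIST_SIZE = 6 ** 5   # 7776 words
PRINTABLE_ASCII = 95          # the "full ASCII character set" used for comparison


def roll_dice(n_dice: int = 5) -> str:
    """Roll n_dice six-sided dice with the OS CSPRNG (secrets), e.g. '31562'.
    Physical dice are the original method; secrets.randbelow is the software
    equivalent and is equally uniform. Never use the random module for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def roll_to_index(roll: str) -> int:
    """Map a Diceware roll string to its 0-based word-list index.
    The roll is a base-6 number with digits 1..6: '11111' -> 0, '66666' -> 7775."""
    index = 0
    for ch in roll:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError(f"die face out of range: {ch!r}")
        index = index * 6 + (digit - 1)
    return index


def word_for_roll(roll: str, wordlist) -> str:
    """Look up the word for a roll; the list must have exactly 6**len(roll) entries."""
    if len(wordlist) != 6 ** len(roll):
        raise ValueError("wordlist size must equal 6 ** number of dice")
    return wordlist[roll_to_index(roll)]


def generate_passphrase(n_words: int, wordlist, separator: str = "-") -> str:
    """Pick n_words uniformly and independently from wordlist. secrets.choice is
    what removes the patterns a human introduces when 'inventing' random words."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int = EFF_LONG_LIST_SIZE) -> float:
    """Entropy of n_words chosen uniformly: n * log2(list_size).
    Only valid if the words really were chosen at random, not picked by a person."""
    return n_words * math.log2(list_size)


def equivalent_random_length(bits: float, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Length of a uniformly random string over alphabet_size with the same entropy."""
    return bits / math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average-case offline brute-force time: half the keyspace at the given rate.
    guesses_per_second is an assumption the caller supplies; it is set by the
    vault's KDF work factor (Argon2id/PBKDF2) and the attacker's hardware."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    roll = roll_dice()
    print(f"roll {roll} -> list index {roll_to_index(roll)}")
    print("passphrase:", generate_passphrase(6, SAMPLE_WORDLIST))
    # Assumed attacker rate: 1e10 guesses/s is very generous against a tuned KDF.
    for n in (4, 5, 6):
        bits = passphrase_entropy_bits(n)
        print(f"{n} words: {bits:5.1f} bits, ~{equivalent_random_length(bits):.1f} "
              f"random printable chars, ~{expected_crack_years(bits, 1e10):.2e} "
              f"years at 1e10 guesses/s")
```

Running it reproduces the 51.7 / 64.6 / 77.5-bit figures for four, five and six words, and shows why four words is the floor: at an assumed 10^10 guesses per second a four-word phrase falls in days, while six words takes on the order of hundreds of thousands of years.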
Once created, the master password memorisation process is critical. Type it immediately, into the vault's unlock prompt rather than a text editor, twenty or thirty times in sequence to begin encoding it in muscle memory. Then use it as your normal vault unlock for a week, which typically cements it reliably. Do not rely on biometric unlock exclusively during this period: biometrics stop you practising the passphrase, and you will be in situations where only the passphrase works (a restart, a new device, a failed fingerprint read). After a week of daily use, the muscle memory is typically robust enough to maintain with normal daily unlocking.
Despite the goal of memorising your master password, a physical backup is an essential safety net for several scenarios: a long illness or hospitalisation where you have not accessed the vault for weeks; recovery from a severe head injury; or simply the gradual memory fade that comes with not using it during an extended period away from technology. The backup should never be digital — no cloud notes, no email drafts, no encrypted files on your device — because any digital storage creates an attack surface that the master password should not be exposed to.
The appropriate physical backup format is a handwritten note on paper stored in a location that is physically secure but accessible to you (and in emergencies, to trusted contacts). Appropriate locations include: a fireproof home safe, particularly important for protecting against Hong Kong's occasional typhoon and flood events; a bank safety deposit box (appropriate for the most sensitive credentials); or a sealed, tamper-evident envelope in the custody of a trusted family member or solicitor as part of estate planning. The backup should also include everything else needed to unlock the account from a brand-new device: emergency access codes, 2FA backup codes for the manager account and, for 1Password, the Secret Key from the Emergency Kit, without which the master password alone cannot decrypt the vault.
If you share a household or have dependents, consider who else needs to be able to access your vault in an emergency. Bitwarden's Emergency Access lets a designated trusted contact request access to your vault; access is granted only after a waiting period you choose, during which you can reject the request. 1Password takes a different approach: a Family Organizer (or team administrator) can recover an account whose master password has been lost, which is another reason to share your Emergency Kit with someone you trust. Either mechanism is distinct from the physical backup and addresses the scenario where you are incapacitated but your trusted contact does not have the paper copy. Both mechanisms together provide comprehensive continuity coverage.
Because your master password is entered more frequently than any other password — typically at least once per device unlock or browser session — it faces more exposure opportunities than a typical account password. Good practices for day-to-day master password protection include: enabling biometric unlock so you are typing the passphrase less frequently in public, using auto-lock settings that lock the vault after a configurable idle period, and being aware of shoulder-surfing risk when entering it in public spaces.
Device security directly impacts master password security. If the device you use to access your vault is compromised by malware, including keyloggers, your master password can be captured as you type it, regardless of how strong it is. Keep your operating system and all applications updated, avoid installing software from untrusted sources, and use the built-in security features of your platform (Gatekeeper on macOS, Microsoft Defender and SmartScreen on Windows, Play Protect on Android). On devices you do not fully control, such as work computers managed by your employer's IT team or public computers, do not enter your personal vault master password, and do not install the manager's browser extension there either.
Changing your master password should be done infrequently but deliberately: when you have any reason to believe it may have been compromised (shoulder-surfed, device malware suspected), when making major life changes that affect trust boundaries (relationship changes, leaving a job), or after the physical backup has been potentially viewed by an unintended party. Routine rotation of the master password is not necessary and introduces the risk of forgetting the new one; change it only when there is a specific reason to do so. When you do change it, treat it as a small project: in Bitwarden, a new master password alone does not replace the key that encrypts your vault data, so tick "Also rotate my account's encryption key" if you suspect the old one was exposed, and expect every other device to be logged out; then memorise the new passphrase the same way as the first one and replace the paper backup at the same time.