Master password best practices — the one password that protects all the others
What makes this confusing
The master password of a zero-knowledge password manager is the one credential that cannot be stored in the vault — you have to remember it. It is also, by design, the one credential that the provider cannot reset or recover if you lose it. This creates a situation where the standard security advice ('use a long random password') creates its own risk: a sufficiently complex random password that you haven't memorised is a vault you can lock yourself out of permanently.
The risk on the other side is equally real. The master password, when combined with a stolen vault backup, is the only thing standing between an attacker and every credential you own. The 2022 LastPass breach demonstrated this concretely: users whose master passwords were weak or whose accounts had low PBKDF2 iteration counts were exposed to offline brute-force attacks on stolen vault data.
The design requirement for a master password is unusual: it needs to be simultaneously strong enough to resist offline brute-force, memorable enough that you can reproduce it reliably without writing it down in a place that could be accessed, and never reused on any other service.
What people usually assume
The most common assumption is that a complex password — mixing uppercase, lowercase, numbers, and symbols — is inherently strong. Character complexity adds entropy, but length adds more. A 20-character passphrase made from four or five random unrelated words is both more resistant to brute-force than a 10-character complex password and considerably easier to memorise and reproduce accurately. Password managers themselves consistently recommend passphrases for the master password rather than complex short strings.
A second assumption is that writing down the master password is always bad security practice. In a zero-knowledge architecture, the greater risk for most users is forgetting the master password and permanently losing vault access. A passphrase written on paper and stored physically securely — in a safe, with a solicitor, or in a sealed envelope with a trusted family member — is a legitimate recovery option. The threat model matters: the risk of your home being burgled for your password notebook is usually lower than the risk of permanent vault loss.
A third assumption is that changing the master password regularly improves security. For a zero-knowledge vault, this provides minimal benefit if the password is already strong. The KDF iteration count, not the rotation schedule, determines brute-force resistance for stolen vault data. Frequent rotation creates a memorisation burden without proportionate security benefit. Change it if you believe it has been compromised, or if you are migrating from a vault with low iteration counts.
What's actually true
A strong master password has four properties: length (minimum 16 characters, ideally more), uniqueness (never used on any other service), memorability (something you can reliably reproduce without looking it up), and resistance to pattern guessing (not your name, a date, a word with letter substitutions, or any phrase that could be associated with you). A passphrase of five or six truly random words satisfies all four requirements for most users better than a complex shorter string.
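To make the length-versus-complexity comparison and the KDF-cost point concrete, here is an added Python example; it is not code from the original guide or from any password manager vendor. It computes the entropy of a Diceware-style passphrase against a complex character password, draws a passphrase with the `secrets` module, derives a vault key with PBKDF2-HMAC-SHA256 the way a zero-knowledge vault turns the master password into an encryption key, and estimates the expected offline cracking time. The embedded word list, the 7776-word list size, the attacker hash rate of 10 billion HMAC operations per second, and the 5,000 versus 600,000 iteration counts are assumed illustrative values chosen for this example, not figures taken from the page.

```python
import hashlib
import math
import os
import secrets
import time

# Constructed stand-in for a Diceware-style word list. A real list has 7776 words
# (five dice rolls per word); DICEWARE_LIST_SIZE drives the entropy estimate, so the
# arithmetic reflects a realistic list while only a small sample is embedded here.
SAMPLE_WORDS = [
    "copper", "lantern", "orbit", "velvet", "meadow", "glacier", "anchor", "saffron",
    "timber", "harbor", "ember", "pebble", "quartz", "willow", "falcon", "cinder",
    "marble", "thistle", "comet", "ripple", "summit", "tundra", "vortex", "yonder",
    "zephyr", "basalt", "dune", "fjord", "grove", "heron", "islet", "juniper",
]
DICEWARE_LIST_SIZE = 7776


def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of word_count words drawn uniformly from a list of list_size words."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a length-character password drawn uniformly from alphabet_size
    symbols (94 = printable ASCII without the space character)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Draw words with the secrets module (CSPRNG); random.choice is not suitable here."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the kind of KDF a vault applies to the master password.
    Anyone holding a stolen vault must pay this full cost for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def kdf_seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine (single core, no GPU)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           base_hashes_per_second: float) -> float:
    """Expected offline time to find the password: on average half the keyspace is
    searched, and each guess consumes `iterations` HMAC evaluations of the attacker's
    raw budget, so raising the iteration count scales the cost linearly."""
    expected_guesses = 2 ** (entropy_bits - 1)
    guesses_per_second = base_hashes_per_second / iterations
    return expected_guesses / guesses_per_second


if __name__ == "__main__":
    ASSUMED_HASH_RATE = 1e10  # assumed attacker budget, HMAC-SHA256 per second
    print(f"10-char complex password: {password_entropy_bits(10):.1f} bits")
    for words in (4, 5, 6):
        print(f"{words} Diceware words:        {passphrase_entropy_bits(words):.1f} bits")
    bits = passphrase_entropy_bits(6)
    for iters in (5_000, 600_000):  # assumed low vs. modern iteration counts
        years = expected_crack_seconds(bits, iters, ASSUMED_HASH_RATE) / (365 * 86400)
        print(f"6 words at {iters:>7} iterations: ~{years:.3g} years expected")
    print("example passphrase:", generate_passphrase(6))
    print(f"one guess at 600,000 iterations here: {kdf_seconds_per_guess(600_000):.3f} s")
```

The entropy figures explain the guide's preference: six random words from a 7776-word list give about 77.5 bits, more than a 10-character password drawn uniformly from 94 symbols (about 65.5 bits), and the word form is far easier to reproduce from memory. The crack-time function shows why the iteration count, not a rotation schedule, sets the resistance of a stolen vault: moving from 5,000 to 600,000 iterations multiplies the attacker's expected work by 120 for the same password.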
The memorisation approach matters. Writing a passphrase on paper and storing it physically is legitimate. Storing it in a second, independent password manager is legitimate. Having a trusted emergency contact who holds the passphrase in a sealed envelope is legitimate. What is not effective: storing it in the same vault it protects, in browser-saved passwords, or in a notes app on an unlocked phone.
Biometric unlock on mobile — fingerprint or Face ID — reduces the frequency with which you need to enter the master password, making it more practical to choose a longer, less memorisable phrase. The vault still requires the master password for first unlock after restart; biometric handles subsequent unlocks. This is a reasonable usability trade-off that doesn't weaken the security model for offline brute-force scenarios.
Where this leads
If you are setting up a password manager for the first time and want to understand what happens if you forget the master password before choosing one — the account recovery guide covers which providers have emergency access options and which have permanent lockout as the only outcome.
What happens when you forget your master password
If you were using LastPass and had a weak master password at the time of the 2022 breach — your encrypted vault backup is in attacker possession and being tested against your master password at whatever rate an attacker's hardware allows. Changing your master password now does not affect that risk; rotating the credentials inside the vault does.
The LastPass 2022 breach — what it means for your master password
If you want to understand how the KDF iteration count multiplies or divides the effective brute-force cost of your master password — the PBKDF2 vs. Argon2 guide covers the mechanics without requiring a cryptography background.
PBKDF2 vs. Argon2 — how iteration counts protect your master password
Limits of this guide
This guide addresses the master password in the context of zero-knowledge cloud password managers. Self-hosted deployments and offline managers (KeePass and its derivatives) have different recovery models. For self-hosted Bitwarden, the server operator has additional recovery options that do not exist in cloud deployments.
Biometric unlock mechanisms introduce their own considerations — jurisdiction-specific legal questions about compelled biometric authentication differ from compelled password disclosure in some legal frameworks. For users for whom this distinction matters, the decision to enable biometric unlock carries legal dimensions beyond this guide's scope.
© 2026 Softplorer