length of master password for maximum security
What is the length of maximum security master password?
Support Staff 1 Posted by Maarten Billemo... on 25 Jan, 2019 01:38 PM
A password of type Maximum Security is 20 characters long.
2 Posted by Gary on 25 Jan, 2019 07:48 PM
I was not referring to the generated password, but to the Master Key which the user defines. Is there an advantage in security to make up a long Master Key which also contains numbers and special characters?
Support Staff 3 Posted by Maarten Billemo... on 25 Jan, 2019 08:23 PM
The larger the entropy in your master password, the better the security of the whole, yes.
Adding "special characters" is generally not a good way of maximizing entropy. The most reliable way of maximizing entropy is just making your master password longer. This is why a good way of making a really strong master password is to use a phrase instead of a word. If you make a little sentence, even one that makes no sense, it'll be much easier to remember as well as being extremely high in entropy. Examples:
4 Posted by Antoniio on 11 Sep, 2019 08:55 AM
But if somebody has the app (which they can), somebody has my name (isn't hard to get) and the site's address, can't they, with an app using dictionaries, hack my password?
Support Staff 5 Posted by Maarten Billemo... on 11 Sep, 2019 12:57 PM
The app/algorithm, your name and your site's address are all public information. Their role is not to protect your identity from imposters.
That role is assumed by your master password. Consequently, you should choose a master password that cannot be easily guessed (as is always the case when choosing passwords).
With respect to dictionary attacks or brute-force attacks, the algorithm defends against these by making the process of deriving a password take a long time (not long enough for it to be a hindrance to create a password, but long enough for it to be a hindrance to create a few million password guesses per second).
Note that even if you limit your master password to only use the 10k most common words in the English language, a 3-word master password would have a search space of 1,000,000,000,000 attacker guesses. Due to the limiting factors in the Master Password algorithm, my i7 (8GB RAM) can attack this space at a rate of ~7.5 guesses / second, meaning it would take around 4,358 years of continuously dedicated powered computation to find your master password. A four-word sentence, 43 million years.
You can use the mpw-bench and timetocrack tools in the repo to play with these numbers.

Maarten Billemont closed this discussion on 11 Sep, 2019 01:02 PM.
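The search-space arithmetic from the last reply, as an added example that is not part of the thread or of the Master Password code base. It compares the post's approximate rate of 7.5 guesses per second with rates measured locally for a memory-hard KDF and for a single unstretched hash; the scrypt cost parameters and the salt are assumptions chosen for illustration, and because the quoted rate is rounded the results land near, not exactly on, the figures in the post.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SALT = b"constructed-salt"  # constructed value, stands in for name/site data

def search_space(dictionary_size, words):
    """Number of candidate phrases when each word is drawn from the dictionary."""
    return dictionary_size ** words

def entropy_bits(dictionary_size, words):
    """Entropy of a phrase whose words are chosen uniformly at random."""
    return words * math.log2(dictionary_size)

def years_to_exhaust(space, guesses_per_second):
    """Worst case: every candidate is tried; the average case is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def slow_kdf(guess):
    # Memory-hard derivation; cost parameters are assumptions for this example.
    return hashlib.scrypt(guess, salt=SALT, n=32768, r=8, p=2,
                          maxmem=64 * 1024 * 1024, dklen=64)

def fast_hash(guess):
    # Unstretched baseline: one SHA-256 call per guess.
    return hashlib.sha256(SALT + guess).digest()

def measure_rate(derive, trials):
    """Guesses per second this machine achieves on one core for `derive`."""
    start = time.perf_counter()
    for i in range(trials):
        derive(b"guess-%d" % i)
    return trials / (time.perf_counter() - start)

if __name__ == "__main__":
    rates = {
        "post's figure (~7.5/s)": 7.5,
        "scrypt, measured here": measure_rate(slow_kdf, 5),
        "sha256, measured here": measure_rate(fast_hash, 200_000),
    }
    for words in (3, 4):
        space = search_space(10_000, words)
        print(f"{words} words: {space:.0e} phrases, "
              f"{entropy_bits(10_000, words):.1f} bits")
        for label, rate in rates.items():
            print(f"  {label:24s} {years_to_exhaust(space, rate):14.1f} years")
```

The gap between the scrypt and SHA-256 rows is the effect of key stretching: the phrase and its entropy are identical, only the cost per guess differs.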