Master Password: Discussion 2019-09-11T13:02:48Z
length of master password for maximum security
2019-01-25T13:38:15Z
<div><p>A password of type Maximum Security is 20 characters long.</p></div>
Maarten Billemont
2019-01-25T19:48:28Z
<div><p>I was not referring to the generated password, but to the Master Key which the user defines, is there an advantage in security to make up a long Master Key which contains also numbers and special characters?</p></div>
Gary
2019-01-25T20:23:59Z
<div><p>The larger the entropy in your master password, the better the security of the whole, yes.</p>
<p>Adding "special characters" is generally not a good way of maximizing entropy. The most reliable way for maximizing entropy is just making your master password longer. This is why a good way of making a really strong master password is to use a phrase instead of a word. If you make a little sentence, even one that makes no sense, it'll be much easier to remember as well as being extremely high in entropy. Examples:</p>
<ul>
<li>banana coloured duckling</li>
<li>seventeen red ravens flying high</li>
<li>...</li>
</ul></div>
Maarten Billemont
2019-09-11T08:55:55Z
<div><p>But if somebody has the app (which they can), somebody has my name (isn't hard to get) and the site's address, can't they, with an app using dictionaries, hack my password?</p></div>
Antoniio
2019-09-11T12:57:20Z
<div><p>The app/algorithm, your name and your site's address are all public information. Their role is not to protect your identity from imposters.</p>
<p>That role is assumed by your master password. Consequently, you should choose a master password that cannot be easily guessed (as is always the case when choosing passwords).</p>
<p>With respect to dictionary attacks or brute-force attacks, the algorithm defends against these by making the process of deriving a password take a long time (not long enough for it to be a hindrance to create a password, but long enough for it to be a hindrance to create a few million password guesses per second).</p>
<p>Note that even if you limit your master password to only use the 10k most common words in the English language, a 3-word master password would have a search space of 1,000,000,000,000 attacker guesses. Due to the limiting factors in the Master Password algorithm, my i7 (8GB RAM) can attack this space at a rate of ~7.5 guesses / second, meaning it would take around 4,358 years of continuously dedicated powered computation to find your master password. A four-word sentence, 43 million years.</p>
<p>You can use the <code>mpw-bench</code> and <code>timetocrack</code> tools in the repo to play with these numbers.</p></div>
Maarten Billemont
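The estimate in the last reply, as an added example that is not part of the thread or the Master Password project's code: it times master-key derivations on the local machine and turns wordlist size and word count into search space, entropy and years to exhaust. The scrypt parameters, the salt layout and the sample name and guesses are assumptions, not taken from this page.

```python
import hashlib
import math
import struct
import time

# Assumed master-key parameters (not stated in this thread).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 32768, 8, 2, 64
SALT_SCOPE = b"com.lyndir.masterpassword"  # assumed salt prefix
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def master_key(full_name: str, master_password: str) -> bytes:
    """Stretch the master password; the salt holds only public data."""
    name = full_name.encode("utf-8")
    salt = SALT_SCOPE + struct.pack(">I", len(name)) + name
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=128 * 1024 * 1024, dklen=KEY_LEN)


def search_space(wordlist_size: int, words: int) -> int:
    """Number of phrases of `words` words drawn from the list."""
    return wordlist_size ** words


def entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy if every word is picked uniformly at random."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate; the average hit takes half of it."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def measure_rate(samples: int = 3) -> float:
    """Derivations per second on this machine, single-threaded."""
    start = time.perf_counter()
    for i in range(samples):
        master_key("Example User", f"constructed guess {i}")  # constructed inputs
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rate = measure_rate()
    print(f"measured: {rate:.1f} derivations/second")
    for words in range(1, 7):
        space = search_space(10_000, words)  # 10k-word list, as in the reply
        print(f"{words} words: {entropy_bits(10_000, words):5.1f} bits, "
              f"{years_to_exhaust(space, rate):.3g} years to exhaust")
```

The figures only hold when the words are chosen at random from the list; a phrase picked by a person has less entropy than the word count suggests.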