length of master password for maximum security

Gary's Avatar


25 Jan, 2019 10:11 AM

What is the length of maximum security master password ?

  1. Support Staff 1 Posted by Maarten Billemo... on 25 Jan, 2019 01:38 PM

    Maarten Billemont's Avatar

    A password of type Maximum Security is 20 characters long.

  2. 2 Posted by Gary on 25 Jan, 2019 07:48 PM

    Gary's Avatar

    I was not referring to the generated password, but to the Master Key which the user defines, is there an advantage in security to make up a long Master Key which contains also numbers and special characters ?

  3. Support Staff 3 Posted by Maarten Billemo... on 25 Jan, 2019 08:23 PM

    Maarten Billemont's Avatar

    The larger the entropy in your master password, the better the security of the whole, yes.

    Adding "special characters" is generally not a good way of maximizing entropy. The most reliable way for maximizing entropy is just making your master password longer. This is why a good way of making a really strong master password is to use a phrase instead of a word. If you make a little sentence, even one that makes no sense, and it'll be much easier to remember as well as being extremely high in entropy. Examples:

    • banana coloured duckling
    • seventeen red ravens flying high
    • ...
  4. 4 Posted by Antoniio on 11 Sep, 2019 08:55 AM

    Antoniio's Avatar

    But if somebody has the app (which they can), somebody has my name (isn't hard to get) and the site's address, can't they, with an app using dictionarys, hack my password?

  5. Support Staff 5 Posted by Maarten Billemo... on 11 Sep, 2019 12:57 PM

    Maarten Billemont's Avatar

    The app/algorithm, your name and your site's address are all public information. Their role is not to protect your identity from imposters.

    That role is assumed by your master password. Consequently, you should choose a master password that cannot be easily guessed (as is always the case when choosing passwords).

    With respect to dictionary attacks or brute-force attacks, the algorithm defends against these by making the process of deriving a password take a long time (not long enough for it to be a hindrance to create a password, but long enough for it to be a hindrance to create a few million password guesses per second).

    Note that even if you limit your master password to only use the 10k most common words in the English language, a 3-word master password would have a search space of 1,000,000,000,000 attacker guesses. Due to the limiting factors in the Master Password algorithm, my i7 (8GB RAM) can attack this space at a rate of ~7.5 guesses / second, meaning it would take around 4,358 years of continuously dedicated powered computation to find your master password. A four-word sentence, 43 million years.

    You can use the mpw-bench and timetocrack tools in the repo to play with these numbers.

  6. Maarten Billemont closed this discussion on 11 Sep, 2019 01:02 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac


07 Apr, 2020 01:19 PM
06 Apr, 2020 12:14 PM
05 Apr, 2020 11:59 PM
25 Mar, 2020 03:58 PM
17 Mar, 2020 02:10 PM
17 Mar, 2020 01:59 PM