What happens when I need to change my password (e.g. on a website)?

Marcos's Avatar


12 Aug, 2018 12:45 AM


I love the concept behind the MasterPassword App: recalculate the same password from the same master password and username/sitename.

But what happens when I need to change my password on a website? For example when a website gets hacked, passwords are compromised and all users need to change their passwords.

Let's use twitter as example:
Master Password: 12345
Username/Sitename: [email protected]

In order to change the website password, I have to change the username/sitename in the MasterPassword App. Because if everything stays the same, then the password is the same, too.

So this would be my new data (added a "1" to the username/sitename, for example):
Master Password: 12345
Username/Sitename: me1[email protected]

And this would be my new data after another password change (added a "2" to the username/sitename, for example):
Master Password: 12345
Username/Sitename: [email protected]

This way I would get a new password for the twitter website each time.

But here's the problem: I have a lot of website logins and I have to change passwords there on a regular basis. Because of this I would have a lot of different usernames/sitenames to remember and this means that I have to write them down or save them somewhere in an app. Doesn't this undermine the concept of your MasterPassword App? How to solve this problem?


  1. Support Staff 1 Posted by Maarten Billemo... on 13 Aug, 2018 03:54 PM

    Maarten Billemont's Avatar

    This is where the "counter" comes in. Every site has a counter value, which starts at 1 and can be incremented by you. You don't need to include this number in your site name, just look for the counter toggle in your Master Password client and increment it to get a new password or rewind it back to 1 to get the original password.

  2. 2 Posted by Marcos on 14 Aug, 2018 10:50 AM

    Marcos's Avatar

    Thanks for that explanation.

    But this brings another problem: When a user has, let's say, 20 internet accounts, he probably cannot remember which account is set to which counter value. It's hard to remember even with 5 accounts. It's also hard to remember every username, especially if the user has multiple accounts on the same website or uses different usernames accross diferent websites. So again, some sort of syncing the MasterPassword database or carrying it on a usb drive is required. Sure, if a user has only two accounts this would not be a problem. But hey, who owns only two accounts?

    This, to me, defeats the whole concept behind the MasterPassword app. Because users have to carry the database with them at all times. If the user looses the database, he cannot login anymore, because he probably won't remember the counter value and maybe the exact spelling of the username. Also, if a hacker/thief gets access to the database and master password and can log into it, he can (re-)generate all the user's passwords. This is the same problem all traditional password managers have, too.

    So after all this, where's really the difference to a traditional password manager with a regular username/password database?

  3. Support Staff 3 Posted by Maarten Billemo... on 14 Aug, 2018 01:34 PM

    Maarten Billemont's Avatar

    The username can be generated just like the password, if you like. That obviates the need to store it in some database.

    With regards to the counter, in theory you are correct but in practice this is an issue that can be overcome. Since Master Password remembers your counter value for you in the app, it really only becomes a problem when you lose your phone / computer and get a new one, or when you need to use a site on a different computer than the one you set the counter on.

    When you get into this situation, it suffices to use the generated password to log in with the site. If the login fails, just up the counter one and try again. After a few tries, you'll find the correct counter value and log in. The app will remember it for you. This is a bit of hassle, but it really is a "recovery" procedure only. You don't do it on a daily basis, only when recovering your sites from nothing. And it means you don't need to remember the counter, therefore don't need to keep a database. You can do everything without syncing or storing databases of sites.

    Also remember that a Master Password database is not an encrypted file. It is less risky for a Master Password database to fall into the hands of an attacker, because there are no secrets in it, with arguable exception to the key ID, but this is a sha256 of a 64-byte master key, which is beyond several times the age of the universe in time scales to try to crack.

  4. 4 Posted by George on 12 Nov, 2018 03:54 PM

    George's Avatar

    What if a site doesn't allow you to change your username (i.e. it uses an email address for the username)? Would that mean I now have to change my master password, thereby requiring me to change my credentials to every site I use with this app?

  5. Support Staff 5 Posted by Maarten Billemo... on 12 Nov, 2018 03:59 PM

    Maarten Billemont's Avatar

    Hi George,

    I'm not certain I fully understand. What is the issue exactly that makes you feel a master password change might be necessary?

  6. 6 Posted by George on 12 Nov, 2018 04:10 PM

    George's Avatar

    I believe it was a bit of confusion on my part, due to the OP's wording. I read this thread a few more times and it finally made sense. My apologies. But, very happy to see such rapid replies!

  7. Support Staff 7 Posted by Maarten Billemo... on 12 Nov, 2018 04:11 PM

    Maarten Billemont's Avatar

    Glad it's cleared up!

  8. 8 Posted by Steve on 31 Jan, 2019 11:21 PM

    Steve's Avatar

    what about sites that require a password change on a regular basis AND only allow a limited number of login attempts before locking down the account? Incrementing the counter will only work if you can guess where the counter is currently set airly closely...you might only get three chances. Unless I'm missing something?

  9. 9 Posted by Mario on 04 Mar, 2019 08:00 PM

    Mario's Avatar

    I have an account that require a new password every month. So I set the counter like this: yymm, e. g. 1901 for January 2019, 1902 for February 2019 and so on. You can use the counter with your own system and for your needs. So it is not so hard to find the right password with one or two tries on a other or new device.

  10. Avonlea closed this discussion on 19 Jun, 2019 06:06 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac