What is a Master Password?
A master password is a single password that unlocks access to multiple accounts and applications. The term "master password" is typically used in the context of password managers.
Here's how it works:
- You create a single, strong master password.
- The password manager stores all your other passwords for different websites and apps in an encrypted format.
- You only need to remember the master password to access and use any of the other stored passwords.
This way, you can use unique and complex passwords for all your accounts without having to memorize them all.
For example, TeamPassword stores your credentials and then logs you into your accounts using one of our browser extensions (Chrome, Firefox, Safari)—similar to saving passwords in Chrome and other browsers.
Once you are logged into TeamPassword using your master password, the password manager does the rest. You never have to remember your credentials.
How to Create a Secure Master Password
The simplest way to create a strong password is to use a password generator. Use 16+ random upper and lowercase letters, numbers, and special characters, and never reuse the password elsewhere.
However, you need to memorize your master password. For this purpose, create a passphrase. Use a sequence of words that creates a funny and memorable image, or use words related to the application it'll be used for.
Good passphrase:
- frog-yellowish-stranger-Timestamp
Even though this lacks a variety of character types, it clocks in at 33 characters, which makes it an incredibly high-entropy password. Plus, it does have dash symbols and one uppercase letter. Mix in some more numbers and symbols for better security.
Increasing the length and complexity provides an exponential increase in security.
To calculate entropy, we use the formula:
where:
- is the entropy in bits,
- is the length of the password,
- is the number of possible symbols for each character in the password (character set size).
For example:
- If a password consists only of lowercase letters (26 characters), .
- If a password includes lowercase and uppercase letters (52 characters), .
- If a password includes lowercase, uppercase letters, and digits (62 characters), .
- If a password includes lowercase, uppercase letters, digits, and special characters (let's assume 32 special characters), .
The effects of password length (X-axis) and complexity (four colored lines) on Entropy in bits (Y-axis)
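The calculation described above (password length multiplied by log2 of the character-set size) is worked through below as an added example that is not part of the original article. It uses the four character-set sizes from the list and also applies the same formula with whole words as the symbols; the 7,776-word list size is an assumption of this example.

```python
import math
import string

# Character-set sizes from the list above; 32 specials is the page's assumption.
POOLS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]

def charset_size(password: str) -> int:
    """Sum the sizes of every character class that appears in the password."""
    return sum(size for chars, size in POOLS if any(c in chars for c in password))

def random_entropy_bits(length: int, symbols: int) -> float:
    """Bits of entropy when each of `length` symbols is picked uniformly at random."""
    return length * math.log2(symbols)

def upper_bound_bits(password: str) -> float:
    """Per-character estimate; only exact for randomly generated passwords."""
    return random_entropy_bits(len(password), charset_size(password))

def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Same formula with whole words as the symbols."""
    return random_entropy_bits(word_count, wordlist_size)

if __name__ == "__main__":
    phrase = "frog-yellowish-stranger-Timestamp"
    print(f"per-character upper bound: {upper_bound_bits(phrase):.1f} bits")
    # Assumed 7,776-word list (the size of a Diceware list), words picked at random.
    print(f"4 random words from 7,776: {passphrase_bits(4, 7776):.1f} bits")
    for pool in (26, 52, 62, 94):
        print(f"16 random chars from {pool}: {random_entropy_bits(16, pool):.1f} bits")
```

The per-character figure is an upper bound that holds only when every character is chosen independently at random; for a passphrase assembled from dictionary words, the word-level figure is the one an attacker's guessing cost follows.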
Bad passphrase:
- the-windmills-of-your-mind
Stay away from song lyrics, famous quotes, and phrases that make sense.
If you'd like an in-depth explanation, check out our article dedicated to How to Make a Strong Password.
What is the Master Password Algorithm?
Maarten Billemont designed the Master Password algorithm in 2012 as an alternative to traditional password management tools. Instead of storing passwords, the Master Password algorithm recreates users' credentials each time they log in.
The idea behind Master Password is that if you don't store credentials, then criminals can't steal your passwords if they hack your network or device.
For Master Password to be effective, you must turn off device and browser password-saving features, so your credentials are never stored anywhere.
Note that Master Password is undergoing an overhaul and will be switching to a revised version (Spectre), which is currently in beta testing.
In 2021, Maarten announced a beta for the next evolution of Master Password, called Spectre.
How Does the Master Password Algorithm Work?
The Master Password algorithm works a little like a calculator. You enter a series of parameters (including your name, master password, and site/app you're logging into), and Master Password calculates your password.
The Master Password app also takes a counter, which starts at 1 by default. The counter allows you to change your password. Every time you change a password, the counter increments by 1.
For example, you create a password for Instagram; the initial counter is 1. When you reset your Instagram password, the counter changes to 2.
You copy/paste the password into the password field for the login form, and you're done! The process works the same for creating passwords and logging into accounts.
The only parameter you need to memorize to calculate a password is your master password. Everyone should know their name, and the account is easy to remember because it appears in the address bar or app header.
Master Password Algorithm Example
Here is an example for creating or logging into a Facebook account for John Doe using the Master Password algorithm.
- Name: John Doe
- Master password: secret password phrase
- Account: facebook.com
- Counter: 1
You enter these three parameters, and the Master Password app produces a password: tX0!tX7~qZ3!vO. Every time you enter those same parameters, Master Password will create the exact same password.
John Doe x secret password phrase x facebook.com x 1 = tX0!tX7~qZ3!vO
Rather than storing your password, Master Password calculates a result based on the parameters you enter. The master password always stays the same; only the name and account parameters change.
If you need to change your password, you increment the counter, and Master Password creates a new unique password.
Password change example for the same Facebook account:
- Name: John Doe
- Master password: secret password phrase
- Account: facebook.com
- Counter: 2
John Doe x secret password phrase x facebook.com x 2 = hS7}oD3:pO8^uI
For future logins, you have to remember your counter is 2 and no longer 1. The counter is the Master Password's biggest flaw! It can be difficult for people who have many accounts to remember which counter they're on for each one.
For example, your Twitter account might be on 4, Facebook on 7, Instagram on 1, and LinkedIn on 3. Keeping track of your counters could get overwhelming and confusing.
A user asked this question on Master Password's community, and the answer was: "To recover a lost non-default counter, just increment the counter and try the password on the site until you succeed."
The problem with this solution is that most websites and applications block your account after a certain number of failed attempts to prevent brute force attacks.
What Apps Apply the Master Password Algorithm?
Maarten Billemont has made the Master Password algorithm free under the GPLv3 license, meaning anyone can run, study, share, and modify the code. So, there are possibly many individuals and businesses using the technology privately.
Master Password is no longer updated. Spectre is the new version, and is open-source like its predecessor.
Pros and Cons of Master Password Algorithm & Who is it For?
Pros of Master Password algorithm:
- There is zero chance of criminals stealing account credentials from your device, including if your device is lost or stolen
- You only need one master password
- The code is free to use so that anyone can develop a Master Password app
- You create unique passwords for every account
Cons of Master Password algorithm:
- The Master Password only works for personal use. No way to share credentials with coworkers
- Recalling passwords is slow—you have to open Master Password separately, enter the parameters, and then copy/paste the password.
- Changing passwords means you have to change your counter. If you have lots of accounts (which most people do), you have to remember the counter for each one. If your accounts are all on a different counter, things can get very confusing. The only solution is to reset your password, resulting in another counter increment to remember!
- If someone manages to steal your master password—through a spear-phishing attack, scam, or other means, they can download Master Password and calculate your passwords.
With these pros and cons in mind, using Master Password-based apps makes sense for personal use or companies that don't share the same credentials.
Even then, Master Password's counter flaw can create issues that could lead to time wasted figuring out which counter you're on or resetting passwords.
TeamPassword: A Better Password Management Solution
TeamPassword is a robust password management solution for teams to share credentials securely. Passwords are hashed, salted, and encrypted locally on your computer and then transmitted via an encrypted connection to the TeamPassword server.
This password storage method means you can never preview passwords (prevents unauthorized sharing), and not even TeamPassword can retrieve your credentials.
TeamPassword is a secure hosting provider with multiple security accreditations and uses industry standard AES 256-bit encryption technology.
Secure and Easy Credential Sharing
Unlike Master Password, TeamPassword lets you share credentials with employees, freelancers, and clients.
Here's how easy it is to share passwords in TeamPassword:
- Create a TeamPassword account for your business—we offer a 14-day free trial ;)
- Add your passwords to TeamPassword—we recommend resetting your passwords when moving to TeamPassword using our built-in secure password generator.
- Provide each team member with a TeamPassword login
- Create groups for your various accounts and add only the team members who need access—for example, a "Social Media Group" will have all your social media accounts, and only the social media or marketing team will have access
- Revoke access for any team member with a few clicks
If you need to change a password, simply use the built-in password generator, and TeamPassword automatically updates the new credentials for all users. No need to inform anyone or share the new password.
Features to Prevent Breaches
Each team member can protect their TeamPassword account with two-factor authentication (2FA)—we use Google Authenticator and Authy available on iOS and Android.
With 2FA, even if attackers steal a team member's TeamPassword credentials, they can't log in without the second authentication step.
In the unlikely event that someone does breach your TeamPassword account, attackers have no way to preview or export your company's stored credentials.
Keeping Track of TeamPassword Activity
Another feature Master Password/Spectre lacks is activity tracking and email notifications—crucial for reacting fast to suspicious activity!
TeamPassword's activity log keeps track of every action, including logins, sharing, password resets, new team members, and more. As an admin account, you can also set up email notifications for TeamPassword activity to get instant alerts.
More Master Password Alternatives
At TeamPassword, we're confident that we have the most secure and user-friendly password manager, so we don't mind sharing some of our competitors.
- 1Password - An effective password management solution. Too complex for some use cases, expensive, and limited customer support.
- LastPass - If you're not tech-savvy, LastPass can be difficult to learn. Additionally, LastPass suffered a series of concerning breaches. Security experts do not recommend them.
- DashLane is one of the most popular password managers for personal and family use and one of the most expensive.
TeamPassword has no limits on the number of passwords or accounts you can store!
Try TeamPassword for Free
The only master password you need is for your TeamPassword account!
Test our Groups and Sharing feature with your team members to experience the convenience of secure password sharing with TeamPassword. Sign up for a 14-day free trial today!