How long should a password manager master password be?

A password manager master password must be memorised — making it the ideal use case for a passphrase. NIST SP 800-63B 2025 recommends a minimum of 15 characters; for a master password protecting all other credentials, significantly more is appropriate. A 5-word passphrase from a large wordlist provides approximately 64 bits of entropy and around 25–35 characters — the recommended minimum for a master password. Six words (77 bits) is appropriate for high-value users.

Should I write down my master password?

There is reasonable disagreement among security professionals on this. Writing it down on paper kept in a physically secure location (a safe, a locked drawer, or an Emergency Kit like 1Password provides) is safer than choosing a weak password you can remember, or forgetting a strong one and losing access. The risk model differs by user: for most people, storing a written backup in a home safe or sealed envelope with important documents is an appropriate balance. Never store it digitally or in plaintext on a device.

What should I do if I forget my master password?

This is the primary risk of password managers. Prevention is essential: memorise the passphrase thoroughly before relying on the manager, store a written backup in a physically secure location, and use your manager's emergency access or recovery kit feature. 1Password provides an Emergency Kit at setup. Bitwarden supports account recovery through a family or organisation plan. Without a backup, a forgotten master password typically means losing access to all stored credentials permanently.

Can I change my master password later?

Yes — all major password managers allow you to change the master password. After changing it, re-export or verify that the new password correctly decrypts your vault. Update any written backups. If you use biometric access (fingerprint, Face ID) as a convenience method, re-enrol after a master password change on affected devices.

Is biometric access to my password manager secure?

Biometric access (fingerprint, Face ID) is a convenience feature, not a replacement for the master password. Biometrics unlock locally stored session credentials — the master password itself is not transmitted and is still required in specific circumstances (new device, app reinstall, after device restart on some configurations). Enabling biometrics does not weaken the cryptographic protection of your vault, which is still secured by the master password.

How to Choose Your Password Manager Master Password

Every password stored in a password manager is protected by a single credential: the master password. If that master password is weak, guessable, or reused elsewhere, the security benefit of using a manager is severely diminished. If it is so complex that you forget it, you may permanently lose access to every stored credential. The master password is the one password that must simultaneously be very strong, completely memorisable, and unique — making it the ideal use case for a randomly generated passphrase.

Requirements for a Master Password

Requirement	Why	Passphrase advantage
Sufficient entropy	Resists brute-force attacks on the encrypted vault	5 words ≈ 64 bits — resistant to all current attacks
Fully memorisable	You must be able to enter it on any device, always	5 ordinary words are memorised in one sitting and retained long-term
Unique	Must not be used anywhere else	A randomly generated passphrase is almost certainly unique
Not personally guessable	Resists targeted guessing using known personal details	Random selection removes all personal associations

Generating and Memorising It

Use the Passphrase Maker to generate a 5-word passphrase. Use the 6-word preset if you are particularly security-conscious.
Write the passphrase on paper. Read it aloud several times.
Type it 10 times in a text editor (then delete the file — this is muscle memory practice only).
Test yourself after 30 minutes, 2 hours, and the next morning. If you cannot recall it, repeat the typing exercise.
Store the written copy in a physically secure location — a home safe, a sealed envelope with important documents, or using your manager's Emergency Kit feature.
When confident it is memorised and backed up, begin using it as your master password.

Emergency Access

Configure your password manager's emergency access or recovery feature immediately after setup. Bitwarden allows a trusted person to request access to your vault after a configurable waiting period. 1Password provides an Emergency Kit — a printable document containing your Secret Key — generated at account creation. Without these recovery mechanisms, a forgotten master password permanently locks you out of your vault. Configure them before you need them.

The one rule: Never use your master password as any other password. If it appears in any breach (which it won't, if it's genuinely random and used nowhere else), your entire vault remains protected. The uniqueness of the master password is as important as its strength.

password manager master password passphrase Bitwarden 1Password

For informational purposes only. Password security requirements vary by context — consult your organisation's security policy and current NCSC/NIST guidance for your specific environment.

← What Is Diceware and How Does It Work?Making Passwords Memorable Without Making Them W →