large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

How to create a strong, memorable master password

You’ve got a password manager, so you don’t need to remember most of your own passwords any more. But the ones you do memorise are all the more important. It needs to be easy to remember, but still random, with no personal links to you that could be discovered through a bit of shady research. Here’s how to create a good one using the Diceware generation system.

Kaspersky Password Manager

Kaspersky Password Manager

Your digital activities made simple

Keep your passwords and documents in a secure private vault – and access them with one click from all your devices.

  • Kaspersky
  • Yearly renewal
  • £10.49 per year
Buy now

You will need

A Diceware generator
(Or one six-sided die and a Diceware word list)

The Short Version

  1. Open a Diceware generator
  2. Select your passphrase length and roll the virtual dice
  3. Check out your results
  4. Set your passphrase
  1. Step
    1

    Open a Diceware generator

    We’re going to use the Diceware system, which generates random passphrases by rolling six-sided dice against a word list. You can do this with real dice and a downloadable word list, but we’re going to use Douglas Muth’s in-browser version. To start, go to https://diceware.dmuth.org/Report a phishing email in the UK

  2. Step
    2

    Select your passphrase length and roll the virtual dice

    You can choose to roll dice for anywhere from two to eight words. Six is the default option here – four or five are a little easier to remember and still provide solid security, but I wouldn’t go below that unless you’re working to a character limit. Click the Roll Dice! button and watch the animation.Diceware rolls in-browser

  3. Step
    3

    Check out your results

    A couple of seconds later, you’ll be presented with your works, a Pascal case single-word version without spaces, but with capitalised initial letters, and a reassuringly large number of potential passwords that could have been obtained via the same method.Diceware results

  4. Step
    4

    Set your passphrase

    Copy your passphrase over to where you need it. I suggest cutting and pasting it into the main entry box, then manually typing it into the confirmation box. This helps you make sure that the phrase is easy to type before you set it. I prefer to retain the spaces between words, in line with the original Diceware FAQ’s recommendations.Changing the master password in KeeWeb

Kaspersky Password Manager

Kaspersky Password Manager

Your digital activities made simple

Keep your passwords and documents in a secure private vault – and access them with one click from all your devices.

  • Kaspersky
  • Yearly renewal
  • £10.49 per year
Buy now

FAQs

Should I use this technique for everything?

No. For most online, mobile and desktop passwords, you should use a password manager to quickly generate and enter long, genuinely random strings of numbers, letters and special characters (mine are usually 14 – 22 characters).

Where should I use a memorable password?

This will obviously include your password manager’s master password. But you should also set a memorable password for anything you need to type regularly. This might include the password to your PC and any encrypted disks you might use. You should also think about passwords used on any platforms that don’t support your password manager – for example, if you’ve set all Nintendo eShop purchases on your Switch to require a password, you’ll want to make sure it’s memorable and easy to type with a controller.

What does a strong password look like?

A strong, modern password isn’t a word at all: it’s a passphrase, a string of words, with or without spaces, somewhere between 25 and 60 characters in length. That might sound daunting, but a five-word phrase – even a nonsense one – is a lot easier to remember than a 12-character string of random numbers, letters and special characters. Memorability is important when coming up with master passwords, as they’re often zero-knowledge, meaning there’s no way of recovering the data they secured if you forget them.

The archetypal example is “correct horse battery staple” from the xkcd webcomic Password Strength, which does a good job of explaining entropy and encourages the use of a Diceware style system. What makes your password strong is its entropy – how unpredictable it is. The more characters in a password, the higher its entropy… but only if those characters are actually in an unpredictable sequence.

What does a vulnerable password look like?

“Password” and “12345678” are both terrible, but “Shall I compare thee to a summer’s day?” and “This devastation left your cities to be burnt” look strong, but aren’t great either, as these quotations are vulnerable to probabilistic cracking, a hybrid dictionary attack that uses popular phrases to work out which words are likely to appear in sequence. For more passwords to avoid, check our any “most used passwords of the year” list.

Should I use special characters and numbers in my memorable passphrase?

Not if you can avoid it. Although numbers and special characters can increase entropy by making your password less predictable (unless you just substitute the number one for all the ‘i’s and call it a day), randomly generated passphrases are already so high entropy that it’s not worth making them harder to type and remember by adding unnecessary characters. However, many services still force you to use these – tack them onto the beginning or end if you need to.

Should I regularly change my passphrase?

If you’re using genuinely unique, random passwords for everything, then no. Although mandatory password changes are still popular in enterprise, these have been shown to encourage bad security practices such as reusing passwords and the guidelines that recommended them have been superseded. Change your password if the service they unlock gets breached, if you see suspicious activity on your account, or if you have reason to believe that someone else has had access to them.

Any tips for memorising my passphrase?

Although using popular song lyrics is a bad idea for creating a secure password, fitting a random phrase to music to memorise it is incredibly helpful. I often force my generated passphrases into the tune of a traditional or a cartoon theme song (Teenage Mutant Ninja Turtles, if you must know), following its syllable count without reproducing its lyrics.

More conventionally, repeatedly typing the phrase will both help you remember it – this is a good reason to have your password manager log you out regularly, in addition to the security benefits of doing so.

Finally, you always have the option of keeping a hard copy somewhere safe – most threat vectors are from online strangers, rather than people with physical access to your home. While security expert Bruce Schneier famously advocated storing these in your wallet, I prefer using a secure, concealed location, which is also part of my “in case of death or injury” plan.

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.