How to choose a master password for LastPass

I used to use an alphanumeric string with some punctuation spelling out a certain quotation. I believe that quotation itself became more common on the internet than it used to be, so I’ve changed my LastPass master password to something else.

The new password is about 16 letters/numbers, no special characters. LastPass calls it only 53% strong. But it’s got to be memorable and has to be taught to one other person; I don’t want to go nuts with the gibberish. The 53% strong password commemorates an event and a personal quotation, using initials and a few numerals.

Here is the question:
Since LastPass has no length restriction, would I be better off spelling out all the words in full? Or should I memorize the addition and placement of a few special characters, add punctuation and capitalize some of the initials?

Wish I just could use Correct Horse Battery Staple but I heard that one’s taken.

Thank you. (Mods, I hope this can stand in GQ, if only because the forum is more rigorous than IMHO. But since I am laying out a situation that is specific to my personal needs, maybe it’s better off there.)

The biggest thing is that you have never, ever, EVER used that password with any other service at any time now or in the past. And that you never, ever, ever will use that password with any other service, and neither will the one person you share it with.

Most attacks today happen because:

  1. Hackers compromise any website you use with a username/password. Could be any website with crappy security.
  2. They use that compromise to download the list of (hopefully hashed) passwords. They get your username/password/email from that list, either by cracking it (if it was properly hashed and you picked an easy password), or directly, if the website never hashed your password in the first place.
  3. They use that email/username/password set to try to log in to more important things to you. Your email, your bank accounts, your social media accounts, and certainly password safe websites like LastPass.

Picking a “stronger” password makes it resistant to the cracking step in #2 IF the hacked website actually hashed the password. But if you never, ever, ever reuse passwords, the strength of your password is all but irrelevant - you’ll reset your password on the compromised website and they won’t be able to use it anywhere else.

Edit to add: so my advice is that it doesn’t matter too much; 16 characters long is plenty as long as it isn’t something you used before or a variant of that.

OK, good to know. I’d never use the master password or anything like it for anything else. Individual websites use unguessable passwords generated and recorded by LastPass.

If they tell me that my good strong password is too short, then I just repeat it. Works like a charm. I could be wrong but I don’t think it’s any more vulnerable. An attacker would have no way to guess the password is made out of a repeated string, or if so, which elements are repeated.

I actually used a couple of really strong obsolete passwords I used to have, smooshed together (they had to be really strong because the password requirements for that place were really stringent). It’s crazy long and very random, but since I had each individual password memorized I can enter it.

It’s funny, because even if I wanted to I couldn’t tell someone the password. I have entering it committed almost entirely to muscle memory; if I’m not on a physical (meaning: not phone) QWERTY keyboard I have a hell of a time remembering it.

Why not an easy-to-remember phrase like “Better to be a duck than a rabbit” ?

See, this is what I’m unclear on in my light research. I keep reading if you choose words, you need to pick them truly randomly. If they form an English sentence, is that too easily hacked? I’d like to compose a sentence about a true event, not a sentence that’s ever been uttered word-for-word before by anybody. THAT, I could remember easily, but the words certainly aren’t random.

I’m trying to discover if that would be prudent for everyday use as ONE single master password, not repeated anywhere ever.

You are greatly overthinking this. Criminals that break into accounts don’t get them by trying random sentences or even long words - they steal them from some place where the passwords are barely protected at all or they use social hacks to get you or someone else to just tell them what it is. Yes, it is possible to hash or even guess the most common passwords but nobody is going to dedicate the computing power needed to break even a simple sentence password by brute force or fancy algorithms unless they have a very compelling reason to.

Hackers don’t care about getting into your accounts specifically. What they depend on is that, out of a large enough population, a significant percentage of people will either continually reuse the same password(s) all over the place, have passwords that are on easily searchable lists of the top 100 most common passwords, or use a single word from the dictionary. Those are the types of accounts that they target, and it is surprisingly successful even if you do it manually. Stay away from those (which it sounds like you have done) and you have eliminated almost all of the threat already.

Dictionary attacks are fairly rare in the real world even for single word passwords because they are resource intensive unless someone really wants to get into your accounts badly and for specific reasons (we are talking things like the NSA suspecting you of being a terrorist here).

Simple but unique sentence passwords are not vulnerable to almost any practical attack. For example, ‘monkey’ and variations on it are among the most common passwords in use for some reason, so you shouldn’t use it. However, something like ‘brown_monkeys_are_funny’ is almost unhackable in any practical sense, as is any other simple sentence or word string that isn’t a common saying.

It is great to be concerned about password security but you don’t need to go overboard. Your biggest security threat is that you have to give it to another person for some reason and they will most likely write it down in plain view if it is too hard to remember.

It is taken, but the principle behind it is sound. You’re better off going with a password of over 25 letters than a shorter password with clever gibberish. Of course, a 36 letter password with clever gibberish is even better - but life is full of trade-offs. Pick the longest password that you and your other person can reliably remember. Try something like noun-fruit-adverb-car_model. Only not that, you know. That’s the idea.

I use an ex-girlfriend’s past address from when I knew her. She doesn’t live there now. It’s one of those suburban foo-foo horsey-set addresses and with the house number comes to about 28 characters. The first letters of the words are capitalized but there are no special characters.

LastPass gives it a 100 percent score, which frankly surprised me.

The 53% strong is a gibberish and very simplistic metric on its own, so you don’t need to change your password style based on that alone. I work as a professional in a highly secure IT environment. All they are doing with those metrics is adding up arbitrary style points for things like special characters and capitalization. That has little bearing on actual security.

Metrics like you are referring to don’t literally mean what they claim. All they are attempting to do is to prevent end users from using stupid passwords that are easily hacked because a surprising percentage of them will not only use ones that are crackable, they are easily guessable.

I don’t agree with the idea that you need to have a number, an upper case letter or a special character in your password to make sure it is secure. That is just an ignorant management attempt that goes overboard to make sure that everyone doesn’t use ‘password’ or ‘1234’ as their own password. Passwords like “Boy_loves_fruit_on_a_stick” work just as well even mathematically because no one can build a computer that can crack that unless quantum computers become more of a reality.

Software engineer here, just saying that Shagnasty’s advice is sound. A 16-character password is almost certainly good as long as it has at least one upper/lower/digit and isn’t something obvious like your name or a really common phrase like “To Be Or Not To Be” (and even that isn’t too bad).

I agree with Shagnasty’s point that password strength metrics are of little value. Determining the strength of passwords is a hard problem, and you won’t do it with a simple algorithm. I sometimes amuse myself by putting things like A-password or aA!!! into strength checkers just to see them purr with approval at how strong the password is, because, hey, they’ve got upper-case characters and special characters and everything. Then you put in developersshouldstudyinformationtheory, and it gets a low score because no upper-case…

This is what I thought, thanks.

The attacker has a way to guess: a word list and a GPU that lets him/her test a billion password guesses per second.

Therefore, most of the pooh-poohing above is dangerously uninformed.

You need about 12 pretty random characters to be safe against that kind of attack. A word is worth not much more than about two characters, so you’d need six words if you want to make a password out of common words spelled correctly. (And d0n’t th1nk teh haxx0rz c@n’t gu3ss ur wierd spelling.)
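The two posts above disagree about what a strength meter measures and what an attacker can actually afford. The following script, added here as an illustration and not code from the thread or from LastPass, puts both claims side by side: a style-points meter of the kind the earlier posts criticise (an assumed scorer, not LastPass’s real algorithm) against a cost model that uses the generation process of each password and the guess rate quoted in this post (one billion guesses per second against a fast, unsalted hash). The sample passwords are constructed, and the wordlist sizes (2048, 7776, 10,000) are assumptions about how each sample was generated, which is exactly the information a meter does not have.

```python
import math
import string

# Attacker model assumed throughout (the figure quoted in the thread): an offline attack
# against a fast, unsalted hash at 1e9 guesses per second. A slow, salted KDF (PBKDF2,
# scrypt, Argon2) lowers this rate by several orders of magnitude.
GUESSES_PER_SECOND = 1e9

PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94
ALNUM = len(string.ascii_letters + string.digits)                           # 62
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_random(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly at random from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def bits_words(n_words: int, wordlist_size: int) -> float:
    """Entropy of `n_words` drawn uniformly at random from a list of `wordlist_size` words."""
    return n_words * math.log2(wordlist_size)


def chars_per_word(wordlist_size: int, alphabet_size: int = ALNUM) -> float:
    """How many random alphanumeric characters one random dictionary word is worth."""
    return math.log2(wordlist_size) / math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses/s; expected time is half this."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def naive_meter(password: str) -> int:
    """A style-points meter of the kind the thread criticises. Assumed, not LastPass's algorithm:
    20 points per character class present, plus 2 per character up to 10 characters."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    return classes * 20 + 2 * min(len(password), 10)


# Constructed sample passwords and the (assumed) process each was generated by. The model is
# what actually determines the attacker's work; the meter only sees the characters.
SCENARIOS = [
    ("aA!!!",                                  bits_random(5, PRINTABLE)),   # 5 printable chars
    ("k7Qw2pLx9Mn4",                           bits_random(12, ALNUM)),      # 12 random alphanumerics
    ("correct horse battery staple",           bits_words(4, 2048)),         # 4 words, 2048-word list
    ("lamp.toast.river.puzzle.nine.ocean",     bits_words(6, 7776)),         # 6 Diceware words
    ("developersshouldstudyinformationtheory", bits_words(5, 10_000)),       # 5 words, 10k-word list
]


def compare():
    """Return one row per scenario: (password, meter score, bits, years at 1e9 guesses/s)."""
    return [(pw, naive_meter(pw), round(bits, 1), years_to_exhaust(bits)) for pw, bits in SCENARIOS]


if __name__ == "__main__":
    print(f"one random word from a 2048-word list is worth {chars_per_word(2048):.2f} alphanumeric characters")
    for pw, score, bits, years in compare():
        print(f"{pw:40} meter={score:3d} bits={bits:5.1f} years={years:10.3g}")
```

The meter ranks “aA!!!” above both sentences, while the cost model puts it at a few seconds of work; four common words from a 2048-word list fall in hours at this rate, which is why the post asks for six; and one random word comes out at about 1.85 to 2.2 alphanumeric characters, matching the “about two characters” rule of thumb. The model is only as good as the assumption about how the password was produced: a sentence that is a famous quotation is one guess from a phrase list, not five random words.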

You misspelled “spel1ing”. No break-in for you! :smiley:

A billion password guesses per second isn’t going to cut it for any reasonably long sentence. The hacker would be dead before any contemporary hardware found the answer using brute force methods even if you use normal words in all lower case (that is assuming that they don’t know the general pattern beforehand which they won’t unless you tell them; you could make it anything and it doesn’t have to look like your keyboard barfed all over your screen to be secure). As I said above, brute force and even dictionary attacks are very rare and almost never used blindly on random accounts. Someone would have to really want to get into a specific account and dedicate the time to employ those methods. Brute force attacks won’t work on a reasonably long password without other strong clues because the number of possible combinations quickly becomes time prohibitive as the password length grows even for supercomputers.

Here is a decent discussion of this concept over at Stack Exchange. One expert notes:

"In general, password attacks try passwords in this order:

  1. commonly used passwords
  2. simple dictionary-based passwords (lowercase letters only)
  3. more complex dictionary-based passwords (mixed case, sprinkle in numbers and punctuation according to some common patterns)
  4. exhaustive search of the entire keyspace starting with short passwords and progressing to long ones

If you can withstand the first 3 types and you have a reasonably long password, you’re pretty much home free because an exhaustive search of a keyspace of this size is infeasible. Most attacks stop after type 1, only concerted attacks even attempt type 3, and type 4 is desperation."

Another expert in the same discussion notes:

"A sentence is stronger because it is longer. Granted, English text is highly redundant (approximately 1 bit of entropy/character), but most attackers will fail to take advantage of that entropy. I have been out of pentesting for about five years now, but at the time when I last did any pentesting, attack tools assumed that the password was more similar to a word than a sentence. Password length to entropy is not a linear function for reasons that Henning Klevjer has explained fairly well, and the attack tools take advantage of those limitations. (IIRC, the issues that Klevjer raises can result in a 100-fold increase in password cracking speed).

Based on those assumptions, the sentence as a passphrase is particularly strong. As others have pointed out, researchers have attacked passphrases, but I’m not aware of any published information that real world attackers have done so."
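The attack order quoted above is the same thing the first reply called the “cracking step” (#2), and it is also where the “just repeat it” idea and the ‘monkey’ example from earlier posts get tested. The script below is an added toy illustration, not code from the thread or from any real cracking tool: it runs the four stages in that order against a constructed breach dump of unsalted SHA-256 hashes (the fast-hash mistake the thread warns about). The user names, plaintexts, common-password list and dictionary are all constructed and tiny; hashcat and John the Ripper do the same thing with lists of millions of entries and rule files, at GPU speed. Note that doubling a word is a standard rule in those rule files, so a repeated word costs the attacker one extra guess per dictionary entry rather than being a new secret.

```python
import hashlib
import itertools
import string

# Constructed breach dump: a site that stored unsalted SHA-256 of each password (a fast hash,
# which is the defender's mistake the thread warns about). Plaintexts mirror the thread's
# examples; the last one is a constructed stand-in for a generated 16-character password.
PLAINTEXTS = {
    "alice": "monkey",                    # on every common-password list
    "bob":   "Monkey1",                   # dictionary word with a standard mangling
    "carol": "monkeymonkey",              # the "just repeat it" strategy
    "dave":  "aA!",                       # all character classes, but very short
    "erin":  "brown_monkeys_are_funny",   # unique multi-word sentence
    "frank": "Xk8Qz2Lm9Rt4Vp7B",          # random 16 alphanumerics
}


def digest(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


DUMP = {user: digest(pw) for user, pw in PLAINTEXTS.items()}

# Attacker inputs (constructed, tiny stand-ins for lists that in practice hold millions of entries).
COMMON = ["123456", "password", "qwerty", "monkey", "letmein"]
DICTIONARY = ["apple", "brown", "dragon", "funny", "monkey", "sunshine", "welcome"]
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ["1", "12", "123", "!", "1!", "2024"]


def mangle(word: str):
    """Stage-3 rules in a fixed order: case changes, leet, doubling, appended digits/punctuation.
    Doubling is a standard rule in cracking tools, so a repeated word is one guess, not a new secret."""
    seen = []
    for base in (word, word.capitalize(), word.upper()):
        for cand in [base, base.translate(LEET), base + base] + [base + s for s in SUFFIXES]:
            if cand not in seen:
                seen.append(cand)
    return seen


def stages(max_brute_len: int):
    """Candidate generators in the order the quoted Stack Exchange answer gives."""
    yield "1 common", iter(COMMON)
    yield "2 dictionary lowercase", iter(DICTIONARY)
    yield "3 dictionary + rules", (c for w in DICTIONARY for c in mangle(w))
    alphabet = string.ascii_letters + string.digits + string.punctuation
    yield "4 exhaustive (short)", ("".join(t) for n in range(1, max_brute_len + 1)
                                   for t in itertools.product(alphabet, repeat=n))


def crack(dump: dict, max_brute_len: int = 3):
    """Run the stages against the dump. Returns ({user: (stage, plaintext, guess_number)}, total_guesses).
    Because the hashes are unsalted, one guess is checked against every user at once."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    found, guesses = {}, 0
    for stage, candidates in stages(max_brute_len):
        for cand in candidates:
            guesses += 1
            for user in by_hash.get(digest(cand), []):
                found.setdefault(user, (stage, cand, guesses))
            if len(found) == len(dump):
                return found, guesses
    return found, guesses


if __name__ == "__main__":
    found, total = crack(DUMP)
    for user in PLAINTEXTS:
        print(user, found.get(user, "not recovered within budget"))
    print("total guesses:", total)
```

With this budget (an exhaustive search only up to three characters, under a million guesses in total) the first four accounts fall, including the doubled word and the short all-classes string, while the unique sentence and the random 16-character password survive. Two things change the picture in practice: a salted, slow KDF makes every guess cost far more and has to be repeated per user, and a sentence that is a known quotation belongs in stage 1, not stage 4.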

The first thing you should do is ditch LastPass:

Then use the advice from this thread to set the master password for a better service.

I recommend KeePass + Dropbox/Google Drive.