
Master password — how to make one you won't forget

Your master password is the single key to all the others. It must be strong, but also memorable to you. Here's how.

Why a master password isn't an ordinary password
A master password in a password manager (like Geslar Vault) differs from every other password in two important ways:
  • It unlocks everything else — if someone breaks it, they see all your passwords at once
  • It can't be "reset" — in zero-knowledge systems, the server doesn't know it. If you forget, you lose vault access
That's why a master password must satisfy two seemingly contradictory criteria: brutally strong (resistant to attacks) and memorable to you (so you'll remember it in five years, without a sticky note).
What NOT to do
Don't use something already used elsewhere
If your Gmail password leaked in some breach and you use a variation of it as your master password, you lose everything at once.
Don't use personal data
Pet's name, birth date, child's name, wedding year, your favorite team — an attacker finds all of that on your Facebook in 2 minutes.
Don't use ordinary dictionary words
"secure1234" is broken in a second by rainbow tables. Same goes for "newyork2024", "pa55w0rd", and all the classics.
Don't write it anywhere
Sticky note on monitor, .txt file on desktop, photo in gallery. An attacker finds all of that if they get to your device.
Approach 1: Passphrase of 5+ random words
The best combination of security and memorability for most people. Five English words joined by dashes will give you ~65 bits of entropy — more than any "strong" 12-character password.
How:
  1. Open the Geslar generator
  2. Pick the "Phrases" tab
  3. Set 5-6 words, English dictionary
  4. Click "Generate" multiple times until you get a combination you can visualize
Example output: Tick-Firefighter-Orange-Chimney-Trumpeter

Memory trick: invent a mini-story that ties all the words together. "The tick was afraid of the firefighter who ate an orange while climbing the chimney where the trumpeter played for him." After a few repetitions it becomes second nature.
Approach 2: Hybrid phrase (sentence + numbers)
If pure words aren't enough for you, add a number that means something to you but isn't publicly known. Not a birthday; think of the number of steps from the entrance to your apartment, the days you spent at your first job, or your great-grandfather's phone number.
Example: Tick-Firefighter-Orange-Chimney-Trumpeter-47

Or as a sentence only you know: JaneMovedToApt47-2019

Check strength through the Geslar check — it shows you the estimated cracking time.
Approach 3: Diceware (the classic for the paranoid)
Diceware is a method cryptographers developed in 1995. You roll a die 5 times, get a number like 24163, and look up that number in the Diceware list to get a word. Five words (25 rolls) = a unique phrase that's mathematically proven secure.
The Geslar generator does the same thing as Diceware, just faster. If you want the "physical" feeling of security — grab a die, the list, and make it yourself. Time: 10 minutes.
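As an added example (not Geslar's own code), here is how the "~65 bits for five words" figure above and the Diceware roll-and-look-up step translate into code. It assumes the standard 7776-entry Diceware list (6^5 outcomes of five dice), uses a constructed stand-in word list rather than the real words, and takes 1e10 guesses per second as an assumed attacker rate for the cracking-time estimate.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries, one per 5-dice outcome

# Constructed stand-in for the real Diceware list (not the real words):
# entry i is the word reached by the i-th 5-dice outcome in lexical order.
SAMPLE_WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]

def roll_die() -> int:
    """One physical-die equivalent (1..6), drawn from the OS CSPRNG."""
    return secrets.randbelow(6) + 1

def dice_key_to_index(key: str) -> int:
    """Map a 5-digit dice key such as '24163' to a zero-based list index."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError("dice key must be exactly five digits in 1..6")
    index = 0
    for c in key:  # read the key as a base-6 number with digits shifted to 0..5
        index = index * 6 + (int(c) - 1)
    return index

def generate_passphrase(wordlist, num_words: int = 5, sep: str = "-") -> str:
    """Pick num_words words by simulated dice rolls, exactly like paper Diceware."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("a Diceware list needs exactly 7776 entries")
    words = []
    for _ in range(num_words):
        key = "".join(str(roll_die()) for _ in range(DICE_PER_WORD))
        words.append(wordlist[dice_key_to_index(key)])
    return sep.join(words)

def passphrase_entropy_bits(num_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of a uniformly chosen passphrase: num_words * log2(list_size)."""
    return num_words * math.log2(list_size)

def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average attacker time at a given guess rate (half the keyspace on average)."""
    return 2 ** (entropy_bits - 1) / guesses_per_second

if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST)
    bits = passphrase_entropy_bits(5)
    print(phrase)
    print(f"5 words: {bits:.1f} bits of entropy")
    # Assumed 1e10 guesses/s against a fast hash; a slow vault KDF raises this by orders of magnitude.
    print(f"~{expected_crack_seconds(bits, 1e10) / 3.15e7:.0f} years at 1e10 guesses/s")
```

Adding a sixth word multiplies the attacker's work by 7776 again, which is why the generator's "5-6 words" setting matters more than any symbol or digit appended by hand.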
Test before you confirm it
Before confirming the new master password inside Vault, run this test:
  1. Write it on paper (only temporarily)
  2. Put the paper in a drawer and don't look for 10 minutes
  3. Try to recall and type it
  4. Check the original on paper
  5. If you got it wrong — discard, generate new, repeat the test
  6. If you got it right — tomorrow morning, before coffee, try again without the paper
  7. If it works tomorrow too — destroy the paper and confirm in Vault
Backup plan — what if you forget anyway?
A recovery kit in Vault is not the same thing as a password reset. It's an encrypted backup you can store in a safe place and use only as a last resort.
Safe physical location
Bank safe, parents' house, fireproof drawer. Not in the same space as your device.
Split between 2 trusted people
Half the phrase to your mother, the other half to your brother. Neither has enough alone. A classic for the paranoid.
Lawyer as trustee
For important digital assets (crypto, business). Lawyer keeps the recovery kit in a safe, hands it to the heir under rules you set.
When and how to change the master password
Change your master password only if:
  • You suspect someone is specifically watching you while you type it
  • A serious incident has occurred (malware discovered on your device)
  • Your life situation has changed (divorce, end of a shared device)
Don't change it just "preventively" every 3 months. That's old NIST advice that NIST itself has since retracted: the effect was that people used predictable variations ("Password1", "Password2"), which is worse.
Ready for the first step?
Generate a master password through the Geslar generator (Phrases tab, 5-6 words), then install Geslar Vault and set it as the master at first sign-in.

Every other password from that moment on is generated by Vault — you only remember this one.
Author
Daniel Legin
Daniel Legin builds Geslar — a free password generator and manager made in Croatia.