One password to protect them all
The master password is the only password you need to remember. It unlocks your vault — all other passwords are generated and remembered by Škrinjar. Choose it wisely.
Geslar cannot reset your master password. This is a security feature, not a limitation. Your data is encrypted locally — no one (including Geslar) can access it without your master password.
What makes a good master password
Passphrase (recommended)
4 random words, easy to remember, hard to guess. You can generate one at geslar.app.
Long and unique
At least 12 characters. Never reuse a password you've used elsewhere. The master password must be completely unique.
Not guessable
No names, dates, or common phrases. "ILoveCroatia2024!" is not a good master password — it follows a predictable pattern.
Use the Geslar generator. Open geslar.app, select "Phrases" and generate a passphrase of 4+ words. This is the ideal master password — long, random, and easier to remember than traditional passwords.
How your password protects the vault
Škrinjar doesn't store your master password anywhere. Instead, it uses PBKDF2-SHA256 with 600,000 iterations to derive an encryption key from your password. This process:
- Takes your master password.
- Adds a unique random salt (128 bits).
- Runs 600,000 iterations of SHA-256 — deliberately slow to make brute-force attacks impractical.
- The result is a 256-bit master key that unlocks your vault.
Even if an attacker gets your encrypted vault file, they cannot decrypt it without going through all 600,000 iterations for every password guess.
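The derivation described above, as an added example (not Škrinjar's own code). It uses the page's parameters: PBKDF2-SHA256, 600,000 iterations, a 128-bit salt and a 256-bit key. The function names, the Unicode normalisation step, the sample passphrase and the 7,776-word list size are assumptions of this example.

```python
import hashlib
import math
import secrets
import time
import unicodedata

ITERATIONS = 600_000   # from the page
SALT_BYTES = 16        # 128-bit salt, from the page
KEY_BYTES = 32         # 256-bit master key, from the page


def new_salt() -> bytes:
    """Fresh random salt, generated once per vault and stored beside the ciphertext."""
    return secrets.token_bytes(SALT_BYTES)


def derive_master_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password; only the salt is stored, never the password."""
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 128 bits")
    # Assumption of this example: normalise Unicode so the same typed password
    # always yields the same bytes across keyboards and platforms.
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=KEY_BYTES)


def seconds_per_guess(salt: bytes) -> float:
    """Measure what one password guess costs on this machine."""
    start = time.perf_counter()
    derive_master_key("constructed-benchmark-guess", salt)
    return time.perf_counter() - start


def years_to_search(guess_space: float, per_guess_s: float, parallel: int = 1) -> float:
    """Expected years to try half of guess_space at the measured per-guess cost."""
    return (guess_space / 2) * per_guess_s / parallel / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_master_key("correct horse battery staple", salt)  # constructed passphrase
    print("master key:", key.hex())
    cost = seconds_per_guess(salt)
    space = 7776 ** 4  # assumption: 4 words drawn from a 7,776-word list
    print(f"{cost:.3f} s per guess, {math.log2(space):.1f} bits of passphrase entropy")
    print(f"about {years_to_search(space, cost):.2e} years on one core like this one")
```

Because the salt is unique per vault, the same master password produces a different key for every vault, so guesses computed against one vault cannot be reused against another.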
Changing the master password
- Open Škrinjar → Settings → Security.
- Click "Change master password".
- Enter your current master password.
- Enter and confirm the new master password.
- Škrinjar will re-encrypt the entire vault with the new key.
Old backups remain encrypted with the old password. After changing your master password, create a new backup.
Safety tips
Write it down
Write the master password on paper and store it in a safe place (safe, locked drawer). Two copies, two locations.
Never share it
The master password should never be sent via email, chat or any digital channel. If someone asks for it — it's a scam.
Don't save it in the browser
Don't let Chrome or Firefox save your master password. The browser's built-in password manager is less secure than Škrinjar.