Version: 1.0

Master Password Best Practices

Your master password is the single secret that protects every credential, note, card, and identity stored in SyVault. Choosing a strong one -- and understanding what happens if you lose it -- is essential.

Length Over Complexity

A long password dramatically outperforms a short, complex one. A 20-character passphrase made of common English words has more entropy than an 8-character password with symbols. The math is straightforward: each additional character multiplies the brute-force search space by the size of the character set, so the space grows exponentially with length.

Recommended approach: Generate a passphrase of 5 or more random words separated by hyphens or spaces:

lantern-copper-jigsaw-marble-forest

This is easy to type, easy to remember after a few uses, and extremely difficult to crack. At 5 words from a 7,776-word Diceware list, the entropy is approximately 64 bits -- well beyond what is practical to attack given Argon2id's memory-hardness.

Tip: Use the SyVault Password Generator (in any client, under Tools > Generate Password) and switch to Passphrase mode. It uses a cryptographically random word selection from the EFF large wordlist.
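
The entropy figures in this section can be checked, and a passphrase drawn the same way, with the following added example (not SyVault's code). It assumes a uniformly random 94-symbol printable-ASCII alphabet for the 8-character password and uses a constructed 7,776-entry stand-in list in place of a real wordlist; all function names are hypothetical.

```python
import itertools
import math
import secrets

def load_wordlist(text):
    """Parse EFF-style lines ("11111<TAB>word") or bare words, dropping duplicates."""
    words, seen = [], set()
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[-1].lower() not in seen:
            seen.add(parts[-1].lower())
            words.append(parts[-1].lower())
    return words

def passphrase_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)

def password_bits(alphabet_size, length):
    """Upper bound: assumes every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits for a list of this size."""
    return math.ceil(target_bits / math.log2(list_size))

def generate(words, n_words=5, min_bits=64.0, sep="-"):
    """Pick words with the OS CSPRNG; refuse if the list cannot reach min_bits."""
    if len(words) < 2:
        raise ValueError("word list is empty or has a single entry")
    bits = passphrase_bits(len(words), n_words)
    if bits < min_bits:
        raise ValueError(f"{len(words)} unique words x {n_words} = {bits:.1f} bits")
    return sep.join(secrets.choice(words) for _ in range(n_words)), bits

# Constructed stand-in for a 7,776-entry list: one pseudo-word per 5-dice roll (6**5).
SYLLABLES = ["ba", "ko", "mi", "ru", "se", "tu"]
STAND_IN_LIST = load_wordlist("\n".join(
    "".join(roll) for roll in itertools.product(SYLLABLES, repeat=5)))

if __name__ == "__main__":
    phrase, bits = generate(STAND_IN_LIST)
    print(f"{phrase}  ({bits:.1f} bits)")
    print(f"8 random printable-ASCII chars: {password_bits(94, 8):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(len(STAND_IN_LIST), 80)}")
```

The size check in `generate` matters because a truncated or duplicate-heavy word list lowers the entropy without changing how the passphrase looks.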

Rules to Follow

  1. Never reuse your master password anywhere else. It must be unique to SyVault.
  2. Do not use personal information -- names, birthdays, pet names, addresses.
  3. Do not share it with anyone, including SyVault support staff. We will never ask for it.
  4. Write it down once on paper and store that paper in a physically secure place (a safe, a locked drawer) until you have it memorized. Then destroy the paper.

What Happens If You Forget It

No Recovery Possible

SyVault is a zero-knowledge system. Your master password is never transmitted to our servers. We do not store it, hash it server-side, or retain any mechanism to recover it. There is no "Forgot Password" link, no support ticket, no backdoor, and no override.

If you lose your master password and have no other recovery path:

  • Your vault is permanently inaccessible. The encrypted data remains on the server, but without the master password to derive the Master Key, it cannot be decrypted.
  • Account reset is possible (deleting all encrypted data and starting fresh), but all existing vault contents are lost.

Recovery Options to Set Up Now

SyVault provides two mechanisms to prepare for the worst:

Emergency Access

Designate a trusted contact (another SyVault user) who can request access to your vault after a waiting period that you define (1 to 30 days). If you do not reject the request within that window, the trusted contact gains read-only or full access (your choice).

Set this up under Settings > Security > Emergency Access.

Recovery Key

During account creation, SyVault offers to generate a Recovery Key -- a 256-bit random key encoded as a human-readable string. It provides an independent encryption of your Account Key, separate from your master password. Store it printed on paper, on an encrypted USB drive, or in a bank safe deposit box.

If you forget your master password but have your Recovery Key, you can regain access and set a new master password.

Warning: The Recovery Key is only shown once at account creation (or when you regenerate it in Settings). If you skip this step and lose your master password, your data is gone.

Changing Your Master Password

Navigate to Settings > Security > Change Master Password. You will need your current master password. SyVault derives a new Master Key via Argon2id with a fresh salt, re-wraps your Account Key under it, and uploads the new wrapped key. All downstream keys (Vault Keys, record DEKs) remain unchanged because they are encrypted under the Account Key, not directly under the Master Key.