Master Password

Your master password is the key to everything in Budgero — literally. It's the input from which your encryption keys are derived, and it never leaves your device. That design is what makes Budgero zero-knowledge, and it comes with one serious responsibility on your side.

What the master password actually does

When you set your master password, Budgero runs it through PBKDF2-HMAC-SHA256 with 600,000 iterations on your device to derive a key-encryption key. That key wraps a randomly generated data key, and the data key encrypts your budget with AES-256-GCM before anything is synced.

Two consequences follow:

1. The password itself is never transmitted. Not at signup, not at login, not ever. The server stores only ciphertext and wrapped keys it cannot open.
2. Your account password and master password are different things. The account password (or your SSO login) proves who you are to the service. The master password decrypts your data. The first can be reset and you lose nothing. The second can be reset too — but nobody, including us, can recover the data it protected.

The full architecture — what the server stores, what it can see — is covered in the Security model.

Forgotten password = lost data. Plan for it.

If you forget your master password, you can reset it and keep using Budgero — but the reset permanently deletes all of your encrypted data, because without the old password there is no way to decrypt it. Not for you, not for support, not for anyone. This isn't a policy we could relax for a sympathetic case; it's arithmetic. If support could recover your data, support could also read it — and Budgero is built precisely so that no one can.

So treat the master password with the same seriousness as the key to a safe:

• Store it in a password manager. This is the single best practice. 1Password, Bitwarden, KeePass — any of them.
• Or write it down and store it physically — at home, with your documents. The realistic threat to your budget is forgetting, not burglars with cryptanalysis skills.
• Tell your partner where it is if you share the budget — see Sharing budgets for how each member's own master password fits in.

And keep regular exports as a belt-and-braces fallback: an exported CSV bundle is plaintext on your machine, outside the encryption envelope entirely.

Choosing a strong passphrase

Length beats complexity. A four-to-five word passphrase — correct horse battery staple style — is both stronger and more memorable than Tr0ub4dor&3:

• Pick 4–5 random words (random matters; song lyrics and famous quotes are guessable).
• Add a small personal twist — a separator, a number — if you like.
• Aim for something you can type on a phone keyboard without rage.

The 600,000 PBKDF2 iterations make brute-forcing each guess expensive, but iteration counts protect good passwords — they only slow down the cracking of bad ones. budget123 falls regardless.

Session unlock: convenience vs. exposure

By default you'd be typing the master password every time the app loads, so Budgero offers session caching: after unlocking once, the key can stay available on that device for a period you choose — from 1 to 30 days.

Tune it to the device:

• Personal phone or laptop with a passcode/biometrics: longer sessions are reasonable — the device lock is your first wall.
• Shared or work machines: short sessions, or none. Anyone with access to an unlocked session has access to an unlocked budget.

Locking the app or logging out clears the cached key; from then on, the data on that device is ciphertext until the password is entered again — which is exactly the property you want if a device is lost or stolen.

Changing the master password

Two operations exist, and the difference between them is everything:

• Change — available from Settings if you know your current master password. Your data is preserved and re-secured under the new password. Use this for routine rotation or if you suspect the password leaked.
• Reset — for when the password is forgotten. You regain the ability to use Budgero with a fresh master password, but all previously encrypted data is wiped. If you kept exports, you can re-import them into the fresh start; otherwise the history is gone.

The takeaway writes itself: store the password in a password manager, and let "Change" be the only one of these two you ever use.