The "master" password is used to encrypt and decrypt data stored by the secure storage. The master passwords are specific to providers: each provider has a separate master password.
The life of a master password begins when a password provider is asked for it for a first time. Depending on the provider, it will either generate a master password behind the scenes, or will ask you for some input. The same master password is then used for all subsequent use of this password provider.
Picture 1. Lifecycle of a master password.
Once the master password is obtained from the password provider, it is cached in memory until the application is closed or the password cache is cleared using the Secure Storage preference page.
The master password can be changed using the Secure Storage preference page. Depending on the provider, the password change operation might require some input from you or might happen completely behind the scenes.
In case the master password is lost, it can be recovered if password recovery questions and answers were specified. The password recovery allows working around both human and machine problems. For instance, if a UI prompt was used to enter a password and the user forgot the password. If an operating system integration module was used, the operating system might have been re-installed or an entry deleted in the system keyring that was used for the master password.
How secure storage works
Secure storage preference page
Secure storage runtime options