Since the topic of salting your passwords was such a huge hit, I figured I should go into more detail on how to do it.
How To Salt Your Passwords In Your Password Manager
When signing up for an account, use your password manager to generate a random password as shown below.
Before you press the sign up button, add your salt to the end of the password as shown below.
My salt is “bacon.”
When you store the password in your password manager leave out the salt as shown below.
If you want, you can add a reminder in the notes field that you use a salt for that password.
When you go to log in to the website, have the password manager autofill the password it has and then add the salt before pressing the login button.
If for some reason your password manager is breached, the real password is not exposed.
What Salt Can You Use?
A salt can be anything you want it to be, placed anywhere in the password you want.
You can pick a random word, a phrase, or even a password you used before.
You can also put the salt at the end, beginning or anywhere in the password you want.
Whatever you do, make sure to be consistent or else you’re overcomplicating things for yourself.
What Passwords Should You Salt?
Please do -not- salt all your passwords!
Only salt the most important passwords like the ones for your email or banking accounts.
Salting all accounts will make your life harder than it needs to be.
Why Salt Your Passwords?
I’ve found people have a hard time trusting password managers. They fear having “all your eggs in one basket,” which is actually a good thing, as explained here.
The real goal is to keep people from reusing passwords or using super weak ones. The only way I’ve found to do this is with a password manager, but this created new problems of trust. I feel the act of salting your password solves the issue of trust with password managers that many people have.
With the salting method, there is no excuse not to use a password manager.
FAQ – Questions I Get About Salting Passwords
What If I Forget My Salt?
I suggest you write down your salt and master password to your password manager and keep that somewhere safe. I go over why it’s crucial to write down your master password.
You can also make your salt a “security question.” So, in the notes section of the login, instead of merely saying “salt,” you can ask yourself a question only you would know the answer to. Something like “What’s the name of your least favorite movie?” and the answer can be the salt.
Another way to help you remember the salt is to upload a note in your password manager that contains the salt word. Make the salt the first word, so you don’t forget it or find other ways to make it stand out to you.
You could get overly complicated and indicate the salt by its word position in the note, placing that number in the notes of the password. Placing a 3 in the notes of the login will indicate the salt is the third word in the one note that only you know about. I would not go to this extreme; it’s better to keep it simple.
Can I Use The Website’s Name For The Salt?
I would suggest you don’t because that is easy to figure out. Stick to a random word or really anything else.
Is Salting The Correct Term?
I’ve been getting this one from a few people. Is it proper to call this salting? Yes and no. When you salt a password on a server, you’re taking the password and adding something to it before it is hashed. This is exactly the same thing when you salt a password in a password manager. The salt is the thing you’re adding to the password, so saying you’re salting your passwords in your password manager is correct.
The sticking point for some is that a salt is often unique for every password and stored near the password on a server. We can also do the same thing for our password manager. I described above (What if I forget my salt?) that you can upload a note and the salt can be any word in that note. You discreetly slip the location of that word in the notes section of that account to let you know what word to add when logging in. This is 100% salting the password and calling it salting is correct. Since this is overkill for most people it’s not the kind of salting I recommend.
A more proper name would maybe be “Peppering” passwords in a password manager. A pepper is a salt that is meant to be kept secret. So if you’re keeping the salt a secret it’s technically a pepper, but to the average person it doesn’t matter. We’re just splitting hairs over the smallest of things, and it can confuse people more than just keeping it simple and calling it a salt.
At the end of the day, calling it salting is fine. Just like real life, you can have multiple kinds of salts. You can have server salting of passwords and personal salting of passwords in a password manager. The goal is not what we call it but to help people get over their fears of password managers. If salting is what sticks, as we’ve seen many use it in the past, then that is what it’s called. Plus, calling it paprikaing or cinnamoning doesn’t roll off the tongue.
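To make the distinction in the last few paragraphs concrete, here is an added example (not code from the original post, and not tied to any particular password manager) that puts the three ideas side by side: server-side salting, where a random per-user salt is stored next to the hash; a server-side pepper, a secret kept out of the database; and the personal “salt” from the how-to section, where the vault stores only the generated part and the salt word (“bacon” in the post) is added at login. The salt word, the vault alphabet, the iteration count and the helper names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Iteration count for PBKDF2-HMAC-SHA256. Deliberately modest so the example runs
# quickly; a real deployment would pick a cost tuned to its hardware (assumption).
PBKDF2_ITERATIONS = 200_000


# ---- Server side: salting (and optionally peppering) a password before storage ----

def server_register(password: str, pepper: bytes = b"") -> dict:
    """Hash a password with a fresh random salt.

    The salt is random per user and is stored right beside the hash, which is what
    makes it a salt. The optional pepper is a server-wide secret that is never
    written to the database; leaking the table alone does not leak the pepper.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode() + pepper, salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest}


def server_verify(record: dict, password: str, pepper: bytes = b"") -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode() + pepper, record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


# ---- Client side: the post's personal "salt" (a pepper, strictly speaking) ----

VAULT_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%&*+-="
)  # constructed character set standing in for the password manager's generator


def generate_vault_password(length: int = 20) -> str:
    """What the password manager generates and stores: the random part only."""
    return "".join(secrets.choice(VAULT_ALPHABET) for _ in range(length))


def login_password(stored: str, personal_salt: str, position: str = "end") -> str:
    """Reassemble the real password from the vault entry plus the remembered salt.

    The post says the salt can go at the end, the beginning or anywhere, as long
    as you are consistent; this helper supports the two common placements.
    """
    if position == "end":
        return stored + personal_salt
    if position == "start":
        return personal_salt + stored
    raise ValueError("position must be 'end' or 'start'")


def demo(personal_salt: str = "bacon") -> dict:
    """Walk through sign-up and login and report what a vault breach would yield."""
    stored = generate_vault_password()            # the vault holds only this
    real = login_password(stored, personal_salt)  # what the website actually sees
    record = server_register(real)                # the website salts and hashes it

    # A second account registered with an identical password gets a different
    # record because the server salt is random per registration.
    same_pw_a = server_register("identical-password")
    same_pw_b = server_register("identical-password")

    return {
        "vault_contents_alone_logs_in": server_verify(record, stored),
        "stored_plus_salt_logs_in": server_verify(record, real),
        "identical_passwords_share_a_hash": same_pw_a["hash"] == same_pw_b["hash"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows that the vault contents on their own do not log in, the vault contents plus the salt word do, and two identical passwords never share a server-side hash because each gets its own random salt. The server pepper parameter illustrates the other half of the terminology point: a value that is combined with the password but stored nowhere near the hash, which is the property the post’s personal salt shares.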