Since the topic of salting your passwords was such a huge hit, I figured I should go into more detail on how to do it.
How To Salt Your Passwords In Your Password Manager
When signing up for an account, use your password manager to generate a random password as shown below.
Before you press the sign up button, add your salt to the end of the password as shown below.
My salt is “bacon.”
When you store the password in your password manager leave out the salt as shown below.
If you want you can add a reminder in the notes field to remind you that you use a salt for that password.
When you go to log in to the website, have the password manager autofill the password it has and then add the salt before pressing the login button.
If for some reason your password manager is breached the real password is not exposed.
Video How To:
What Salt Can You Use?
You can pick a random word, a phrase, or a PIN number.
I recommend a PIN as it blends in well with randomly generated passwords. Example: Qwddjt68uKF2934 or Qwddjt68uKFPY57.
Make sure to be consistent, use only one salt and at the same location at the end.
What Passwords Should You Salt?
Please do -not- salt all your passwords!
Only salt the most important passwords like the ones for your email or banking accounts.
Salting all accounts will make your life harder then it needs to be.
Why Salt Your Passwords?
I’ve found people have a hard time trusting password managers. They have a fear of the “all your eggs in one basket,” which is actually a good thing as explained here.
The real goal is to keep people from reusing passwords or using super weak ones. The only way I’ve found to do this is with a password manager, but this created new problems of trust. I feel the act of salting your password solves the issue of trust with password managers that many people have.
With the salting method, there is no excuse not to use a password manager.
Salting vs. 2FA
Salting is not meant to replace 2FA, but it does things that 2FA can’t.
Salting is meant to protect your password manager vault from being completely compromised.
One way your password manager could be compromised is through phishing as this video shows.
As you can see, the victim had 2FA on their password manager but it did not save them from getting their vault items stolen. If they had salted the important passwords the attacker would not have the whole password and thus the victim would have been better protected.
Another way salting protects your passwords is from the evil maid attack. If you have a roommate or someone that sneaks up to your open vault they would not have the full password and thus you’re better protected.
Salting is also nice when a password manager doesn’t have the re-prompt for the master password on select vault items. Instead of waiting for your password manager to give you this feature you can have it now with salting.
All 2FA, except for U2F, can’t protect you from phishing attacks. The best thing for protecting you from phishing attacks is your password manager. A password manager will not fill in the password unless the URL is correct. This is why I push people towards password managers more than 2FA and to protect their password manager I show them salting.
I find people understand salting better than teaching them TOTP 2FA, Push 2FA, or even U2F. Salting is also a relief to many as they have a fear of “keeping all their eggs in one basket”, without salting many would not use a password manager and that is not what we want. We want to better secure people and scaring them away is not how we do it.
FAQ – Questions I Get About Salting Passwords
What If I Forget My Salt?
I suggest you write down your salt and master password to your password manager and keep that somewhere safe. I go over why it’s crucial to write down your master password.
If you have someone you trust you can write down your salt and master password and seal that in an envelope and give it to the person you trust. A safe deposit box works too.
Can I Use The Websites Name For The Salt?
I would suggest you don’t because that is easy to figure out.
Does Salting Protect Against Clipboard Snooping?
Yes, salting could protect you against apps that snoop or look at your clipboard.
When Apple released its latest iOS update they made a change that alerted the user when an app looked at your clipboard. Since so many people copy and paste passwords on mobile this is a huge concern.
The great thing about salting passwords is that when you copy it from the password manager, you’re only copying what the password manager has. Since the password lacks the salt any app that snoops on your clipboard won’t know the full password.
To give you an example… say you’re logging into an app on your phone. So you copy the password but accidentally jump into the wrong app, and that app reads your clipboard and now has your password.
Or another example is you copied your password and logged in, then you move on to something else but your password manager did not clear the clipboard like it should, and your password remains, and any app you open after can now read the clipboard and get your password.
Since the password is salted they would not have the whole password thus protecting you.
Is Salting Secure?
One push back I get is if someone has gotten in your vault wouldn’t they also know your salt?
No, unless you left the salt in your password manager, there is no way the attacker knows your salt. The attacker doesn’t know what they don’t know. All the attacker knows is that you must have changed that password and that is why it doesn’t work.
Security is about layers and salting is just another layer. You’ll never have a perfect system but the more friction points you give to the attacker the better.
One of the great side effects of only salting the important passwords is that the unsalted ones act as honeypots. So if your vault is compromised the attacker will move on to the passwords that do work. Many websites send you a email letting you know of new devices logging in. So if you start to see a bunch of emails from different websites in your vault saying new devices are logging in then you know your password manager has been breached and it’s time to start changing the passwords and your master password.
What If My Salted Password Ends Up In A Breach?
I only recommend you salt the important passwords, this is your email and banking accounts. Those accounts becoming breached are very slim. Trust me, Google and most banks are doing hashing and protecting you better than the forum you only visited twice.
But there is still the possiblity.
The good news is that it doesn’t matter much as your passwords are still unique and randomly generated by the password manager. So knowing that you use “kr8DDFA8PxdYbacon” doesn’t help the attacker when the other password is “x7SKzeUHip7vbacon”.
If you want you can make your salt look random. For example, “XBnXXAXueq3Pdjo4”, “djo4” is my salt and it blends in better than a word. You could even do your initials and a number, so mine would be “tf57”. Easy to remember and it doesn’t stand out. A lot of people use a PIN number which doesn’t stand out either.
I would not stress about it, use whatever salt you want. You’re already doing better than most by using a password manager and salting.
Is Salting The Correct Term?
I’ve been getting this one from a few people. Is it proper to call this salting?
Yes and no.
Salting seems to be what most people call it so that is what I use. I do like the idea of calling it “password splitting” as that better describes what we’re doing and would be easier to understand.
Need A Password Manager?
Here is our picks for password managers.
1. Bitwarden - Best free and overall option.
2. 1Password - Best paid option.
3. Dashlane* - Best for new users as it holds your hands more.
4. Roboform* - Featured packed and been around the longest plus a free option. The only one with a bookmark manager which I've found useful lately.
*May receive a commission.