Salt The Pass

About
SaltThePass helps you generate passwords for all of the websites you visit. Unlike traditional password managers, SaltThePass does not actually store, save or manage any passwords for you. Instead, SaltThePass is a repeatable algorithm that you can use to generate unique passwords for all of your websites. Instead of storing each website’s password in a password manager or writing it down on a piece of paper, you can look it up (re-generate it) from anywhere you have internet access.

The problem users face today is how to efficiently yet securely manage all of their passwords for all of the websites they visit. To simplify things, many people simply re-use one password on multiple websites. Unfortunately, this means that if a hacker gains access to a password on one of their websites, all of their accounts could be vulnerable, since many people also use the same email address or login name on all of their websites. Recently, this has become an alarming problem due to several high-profile password breaches on websites such as LinkedIn, Yahoo, Evernote and many others.

SaltThePass helps you avoid password re-use across websites by having you come up with a Master Password that is known only to you (you never disclose it to anyone or use it anywhere else). When a password for a new website is needed, such as the first time you visit foo.com, SaltThePass combines your Master Password with the website’s name (foo.com), feeds the result into a one-way cryptographic hash function, and uses the output as the password for that website (the Salted Password). The algorithm is deterministic, so the same Salted Password is generated every time. And since the website name is an input to the algorithm, the Salted Password is different for each website.

The benefit of this is that you have just a single Master Password to remember. Because you never disclose it and never use it anywhere except on the SaltThePass website to generate a Salted Password, a breach of one of the websites you generated a password for does not hand the attacker your Master Password. Note the limit of that guarantee: a leaked Salted Password is a plain hash of your Master Password and the site’s name, so an attacker who suspects you use SaltThePass can still try to guess a short or common Master Password offline. That is why the Master Password should be long (see the Master Password and FAQ sections).

SaltThePass was created by Nic Jansma.

Data Security
SaltThePass never transmits, stores, or monitors your secure data (or any form of it), which includes your:

* Master Password
* Domain Names
* Domain Phrase
* Salted Passwords

Except in one circumstance: If you enable Domain Name Rules, SaltThePass will send the first letter (and only the first letter) of the Domain Name to the SaltThePass server for the purpose of downloading the subset of Domain Name Rules that start with that letter. For example, if you enable Domain Name Rules and you enter foo.com as the domain name, SaltThePass will fetch the rules for websites starting with “f”. This HTTP request will look like this:

/rules/f

You can verify and confirm all of this by reviewing the website’s JavaScript and HTML code, and by monitoring the HTTP requests coming from the website after you load it. The only HTTP request, if you enable Domain Name Rules, should be the above one.

Settings and Cookies

If you tell it to, SaltThePass can remember your preferences from visit to visit. The full list of preferences is:

These preferences are stored in HTML5 local storage if your browser supports it. If not, a single cookie (called settings) is set.

You must click on Set As Default for these settings to be saved. Settings are not saved by default.

Access to SaltThePass is only available over SSL (HTTPS) for your security.

Note: SaltThePass cannot clear your clipboard after you copy your Salted Password to it. Please make sure to clear it yourself; otherwise a malicious program could read it.

Gotchas
There are some things to be aware of if you’re going to use SaltThePass to help you manage passwords for all of the websites you visit.

Password Restrictions
Many websites have restrictions on the password you can use. For example, some websites require a password between 6 and 12 characters long. Others require that you use only numbers and letters, while still others require that you include at least one dash or underscore.

Since the SaltThePass algorithm uses the output of a hash to generate the Salted Password, it may not conform entirely to the website’s password requirements.

One way to deal with this is to mentally note these requirements and adjust the password you use to conform to them. For example, you could use only the first 8 characters of the Salted Password if the website restricts your password to 8 letters. Or, if the website requires a dash (‘-‘) in your password, and the Salted Password does not have one, you could add a dash to the end of the Salted Password.

Unfortunately, this is error-prone, as websites generally only show their password requirements when you are creating an account or changing the password, not when you’re logging in. For example, if you don’t remember the requirements while logging in, you might not remember to add a dash to the end of the Salted Password.

SaltThePass can help avoid this problem if you use Domain Name Rules. Domain Name Rules are a community-supported database of password restrictions for popular websites. If the Domain Name you enter is in the database, SaltThePass will attempt to automatically modify the Salted Password to conform to the rules. See the Domain Name Rules section for details.

Login Names
SaltThePass does not have an input field for the login name you chose for the website (and thus it cannot remind you later what that login name is when you’re trying to log in). Thankfully, many websites let you use your email address as your login name. If not, you may have to keep a separate database (e.g. a password manager) or remember them on your own.

Password Changes
At some point you may need to change a password on one of your websites. For example, after a security breach, many websites reset all of their users’ passwords. The three inputs to the Salted Password are your Master Password, the Domain Name, and the Domain Phrase. The Domain Phrase is optional, and can be used to handle this situation.

You can use the Domain Phrase to vary your Salted Password after the Master Password and Domain Name have been entered, since those two fields do not change for a given website. For example, if your password needs to be changed, you could enter “2” into the Domain Phrase because it’s the second password you needed for this website.

If you’re using a password manager, you could note that you’re on the “second password” for foo.com within its database, and enter “2” into the Domain Phrase field to re-generate your second password.

Multiple Passwords
You may need multiple passwords for a single domain.

If you maintain multiple login names for foo.com, you could share the same Salted Password among all of them. If you don’t want to do this, you could set the Domain Phrase field to the login name. For example, if you maintained both “bar” and “baz” users on foo.com, you could set the Domain Phrase to “bar” when generating that account’s Salted Password.

Use with Password Managers
SaltThePass can be used in conjunction with traditional password managers, such as:

For example, you can save your login name and the Salted Password that SaltThePass generated. The benefit of this approach is that you can use the traditional password manager’s features (such as auto-filling web forms), while having the SaltThePass.com website as a backup in case you don’t have access to your password manager.

The traditional password manager can also store login details that cannot be generated on the SaltThePass website, such as your login name and whether or not you’ve had a password change.

Algorithm
The SaltThePass algorithm is simple. Concatenate the Master Password, the Domain Name, and the Domain Phrase (optional). Send this through a hashing algorithm (SHA-3 is the default; others are available), base64-encode the result, and finally trim it to the desired output length. In pseudo code:

Salted Password = Trim(Base64(Hash(Master Password + Domain Name + Domain Phrase)))

Notes:

1. For base64, we use the base64url variation of RFC 4648, which replaces the last two alphabet characters, plus (“+”) and forward slash (“/”), with minus (“-”) and underscore (“_”). This produces Salted Passwords that are more likely to pass the password requirements of sites that limit the characters that can be used in a password.

The algorithm SaltThePass uses is available open-source at github.com/nicjansma/saltthepass.js

Terms
Master Password
Your Master Password is a password that you keep safe and only use on SaltThePass. Ideally, you should never disclose it to anyone else, or even write it down. SaltThePass uses your Master Password in conjunction with the Domain Name and Domain Phrase (optional) to generate the Salted Password.

Your Master Password should only be used on SaltThePass to generate Salted Passwords. SaltThePass does not put any restrictions on what the password can be: it can be as short or long as you want, with any combination of characters. Any character that can be typed into a textbox is valid. Ideally, your Master Password should be as long as you can possibly remember. Passphrases are useful for remembering long passwords.

The key is to never use your Master Password for any reason except on SaltThePass.com. If you use your Master Password to log in to other websites and one of them is compromised, an attacker might try it on SaltThePass to generate all of your other passwords.

Domain Name
For simplicity, the Domain Name you use should match the website you’re generating a password for. SaltThePass uses your Master Password in combination with the Domain Name and Domain Phrase (optional) to generate your Salted Password.

SaltThePass does not normalize the Domain Name when generating the Salted Password unless you enable the Normalize Domain Name setting. By default it does not lower-case the letters, nor strip the scheme or sub-domains. This means that you need to be consistent with how you enter domains. If you enter “facebook.com” when you create your password and later enter the same site in a different form (capitalized, with a sub-domain, or as a full URL), you will get a different Salted Password. Similarly, either always include the scheme (“http://”) or never include it.

If Domain Name Rules are enabled, SaltThePass uses your Domain Name to help you deal with password restrictions for that website.

Domain Phrase
The Domain Phrase is an optional field that can be used to differentiate multiple passwords on the same website.

For examples, see the Password Changes and Multiple Passwords sections.

Salted Password
The Salted Password is the output of your Master Password combined with the Domain Name and Domain Phrase (optional) of the website. See the algorithm section for exact details on how it is generated.

Nothing is stopping you from taking the Salted Password and always mentally applying an additional transformation on it, which only you know. For example, you could take the Salted Password and always add a “1” to the end of it. Or, you could swap the first and last characters. While these are simple examples, they can add an additional layer of security to protect you against attackers that know you use SaltThePass. Even if they somehow got your Master Password, they would also have to know the mental algorithm you used on the generated Salted Password to get your final modified Salted Password.

Domain Name Rules
Domain Name Rules help you customize your Salted Password to ensure it works for the target website. For example, some websites require that you input between 6 to 12 characters. Or, that you must include a dash (‘-‘) or underscore (‘_’) in the password. Or, that you can’t include numbers.

Domain Name Rules will automatically rewrite your password (in a consistent manner) to ensure the Salted Password works with your website.

Domain Name Rules are based on the Domain Name you enter. This means that if you enter “bar.foo.com” as the Domain Name, but we only have “foo.com” in the password database, the rules will not be applied.

If you enable Domain Name Rules, SaltThePass will download a community-supported database of rules and store it in your browser cache. Once you enter a Domain Name, it will search for it in the database. If found, it will ensure your Salted Password satisfies the website’s requirements.

The Domain Name Rules database is split into multiple databases based on the domain’s first letter. When you enter a Domain Name, SaltThePass fetches the database for that domain’s first letter. The database is compressed and optimized, so it should not take a lot of storage. SaltThePass downloads these partial databases to your browser’s cache, then searches for the full domain match from your cache, so the full Domain Names you enter are never disclosed to the SaltThePass.com server or to anyone else (access to the site is SSL encrypted as well).

Domain Name Rules are not enabled by default.

Normalize Domain Name
If enabled, the Normalize Domain Name setting takes the Domain Name and applies the following algorithm before generating the password:

* Lowercase the entire Domain Name
* If a URL, keep only the domain part of the URL (getting rid of the scheme, port and path)

For example, the following URLs would be normalized as:

* A URL whose host is foo.com is normalized to foo.com
* A URL for foo.com with a path such as /bar is normalized to foo.com
* HTTP://FOO.COM is normalized to foo.com

Non-URLs are not affected.

Normalize Domain Name is disabled by default. You can enable Normalize Domain Name in the settings.

Hashing Algorithm
SaltThePass uses a cryptographic hash function as part of the algorithm that generates your Salted Password. There are several hash functions you can choose from. By default, SHA-3 (512) is used, but you can choose from any in the list below. Each hash function will provide different output, so if you ever change the hash function you use, you will get a different Salted Password.

The available hash functions are listed below along with the maximum password length they can generate:

SaltThePass uses the open-source CryptoJS JavaScript cryptographic library for MD5, SHA-1, SHA-2, SHA-3 and RIPEMD-160 hashing and for Base64 encoding.

The algorithm SaltThePass uses is available open-source at github.com/nicjansma/saltthepass.js

FAQ
1. What is the difference between SaltThePass and a traditional password manager, such as KeePass or LastPass?
SaltThePass is different from traditional password managers in that it never stores, saves or keeps your logins or passwords. Instead, SaltThePass gives you an algorithm you can use to repeatedly generate passwords for multiple websites.

One benefit of SaltThePass over a traditional password manager is that you can use it to generate your passwords even if you don’t have access to your password manager. As long as you have internet access, you can generate your passwords.

An additional benefit is that you don’t need to synchronize your passwords. If you add a password to your traditional password manager on your desktop machine, it might not automatically get synchronized to your laptop. Since SaltThePass is an algorithm, you can always regenerate your passwords as long as you know your Master Password and the Domain Name.

A final benefit is that SaltThePass never stores your passwords. Since traditional password managers store your password on your disk or at the program’s data center, there is the possibility that a hacker could gain access to them due to a security breach or a technical fault.

One downside of the SaltThePass.com website over a traditional password manager is that you have to have an internet connection to be able to visit SaltThePass.com so you can generate your passwords. However, a mobile app that doesn’t require internet access is available for phones and tablets.

SaltThePass can also be used in conjunction with a traditional password manager for added flexibility.

2. What would happen if SaltThePass disappears?
SaltThePass is provided to you, for free, by Nic Jansma. I have no intention of ever shutting the website down, as I use it myself daily. However, should the site disappear from the internet someday, you would still be able to use the same algorithm that SaltThePass uses to generate your passwords, as it is fully described and open-source.

You should be able to use the mobile applications or the command-line saltthepass interface indefinitely.

3. How can I make my password even more secure?
* Make sure your Master Password is as long as you can possibly remember.
* The default SHA-3 (512) hashing algorithm, whose underlying Keccak design won the NIST hash function competition, is a good choice. You can switch to one of the other hashing algorithms if you prefer. If an attacker knows that you use SaltThePass, not knowing which hash you chose makes guessing your Master Password somewhat more costly, but only by a factor equal to the number of hashes on offer, so treat it as a small bonus rather than a substitute for a long Master Password.
* You could always use the output of the Salted Password and apply your own “mental algorithm” to it. For example, you could prepend every password with “foo” or swap the first and last characters. This would make it harder for a hacker to reverse-engineer your Master Password.

4. What if I don’t have internet access?
A mobile version of SaltThePass that doesn’t require internet access is available.

If you have access to a computer, you can use the command-line saltthepass interface if it is installed.

5. What if you don’t have the correct Domain Name Rules for my domain?
If there is a domain name that you’re creating a password for that we don’t have the correct Domain Name Rules for, please click on the Suggest button that appears when there is No Match. A form will popup that you can use to suggest a domain.

Contact
SaltThePass was created by Nic Jansma. Feel free to contact him.