How It Works

SaltThePass is a password generator that will help you generate unique, secure passwords for all of the websites you visit based on a single Master Password that you remember.

Please read our Help pages to learn how you can best use this site.

About

SaltThePass helps you generate passwords for all of the websites you visit. Unlike traditional password managers, SaltThePass does not actually store, save or manage any passwords for you. Instead, SaltThePass is a repeatable algorithm that you can use to generate unique passwords for all of your websites. Instead of storing each website's password in a password manager or writing it down on a piece of paper, you can look it up (re-generate it) from anywhere you have internet access.

The problem users face today is how to efficiently yet securely manage all of their passwords for all of the websites they visit. To simplify things, many people simply re-use one password on multiple websites. Unfortunately, this means that if a hacker gains access to a password on one of their websites, all of their accounts could be vulnerable, since many people also use the same email address or login name on all of their websites. Recently, this has become an alarming problem due to several high-profile password breaches on websites such as LinkedIn, Yahoo, Evernote and many others.

SaltThePass helps you avoid password re-use over multiple websites by having you come up with a Master Password that is known only to you (and you never disclose it to anyone or use it anywhere else). When a password for a new website is needed, such as the first time you visit foo.com, SaltThePass combines your Master Password with the website's name (foo.com) and inputs this into a one-way cryptographic hash function, the output of which can be used as a password for the website (the Salted Password). This algorithm is deterministic, so the same Salted Password is generated every time. And since the website name is used as an input to the algorithm, the Salted Password is different for each website.

The benefit of this is that you just have a single Master Password to remember. Since you never disclose it to anyone else or use it for any reason except for on the SaltThePass website to generate a Salted Password, it cannot be stolen from you even if any of the websites you generated a password for has a security breach.

SaltThePass was created by Nic Jansma.

Data Security

SaltThePass never transmits, stores, or monitors your secure data (or any form of it), which includes your:

  • Master Password
  • Domain Names
  • Domain Phrase
  • Salted Passwords

Except in one circumstance: If you enable Domain Name Rules, SaltThePass will send the first letter (and only the first letter) of the Domain Name to the SaltThePass server for the purpose of downloading the subset of Domain Name Rules that start with that letter. For example, if you enable Domain Name Rules and you enter foo.com as the domain name, SaltThePass will fetch the rules for websites starting with "f". This HTTP request will look like this:

http://saltthepass.com/rules/f

You can verify and confirm all of this by reviewing the website's JavaScript and HTML code, and by monitoring the HTTP requests coming from the website after you load it. The only HTTP request, if you enable Domain Name Rules, should be the above one.

Settings and Cookies

If you tell it to, SaltThePass can remember your preferences from visit to visit. The full list of preferences is:

These preferences are stored in HTML5 local storage if your browser supports it. If not, a single cookie (called settings) is set.

You must click on Set As Default for these settings to be saved. Settings are not saved by default.

Access to SaltThePass is only available over SSL for your security.

Note: SaltThePass cannot clear your clipboard after you copy your Salted Password to it. Please make sure to do so, otherwise, a malicious program might sniff it.

Gotchas

There are some things to be aware of if you're going to use SaltThePass to help you manage passwords for all of the websites you visit.

Password Restrictions

Many websites have restrictions on the password you can use. For example, some websites require you to enter a password between 6 and 12 characters. Other websites require that you only use numbers and letters, while others require that you include at least one dash or underbar.

Since the SaltThePass algorithm uses the output of a hash to generate the Salted Password, it may not conform entirely to the website's password requirements.

One way to deal with this is to mentally note these requirements and adjust the password you use to conform to them. For example, you could use only the first 8 characters of the Salted Password if the website restricts your password to 8 letters. Or, if the website requires a dash ('-') in your password, and the Salted Password does not have one, you could add a dash to the end of the Salted Password.

Unfortunately, this is error-prone, as websites generally only show their password requirements when you are creating an account or changing the password, not when you're logging in. For example, if you don't remember the requirements while logging in, you might not remember to add a dash to the end of the Salted Password.

SaltThePass can help avoid this problem if you use Domain Name Rules. Domain Name Rules are a community-supported database of password restrictions for popular websites. If the Domain Name you enter is in the database, SaltThePass will attempt to automatically modify the Salted Password to conform to the rules. See the Domain Name Rules section for details.

Login Names

SaltThePass does not have an input field for the login name you chose for the website (and thus it cannot remind you later what that login name is when you're trying to login). Thankfully, many websites let you use your email address as your login name. If not, you may have to keep a separate database (i.e. a password manager) or try to remember them on your own.

Password Changes

At some point you may need to change a password on one of your websites. For example, after a security breach, many websites reset all of their users' passwords. The three inputs to the Salted Password are your Master Password, the Domain Name, and the Domain Phrase. The Domain Phrase is optional, and can be used to help with this situation.

You can use the Domain Phrase to modify your Salted Password after the Master Password and Domain Name have been entered, since those two fields stay the same for a given website. For example, if your password needs to be changed, you could enter "2" into the Domain Phrase because it's the second password you needed to enter for this website.

If you're using a password manager, you could note that you're on the "second password" for foo.com within its database, and enter "2" into the Domain Phrase field to re-generate your second password.

Multiple Passwords

You may need multiple passwords for a single domain.

If you maintain multiple login names for foo.com, you could share the same Salted Password for all of the login names. If you don't want to do this, you could set the Domain Phrase field to the login name. For example, if you maintained both "bar" and "baz" users on foo.com, you could set the Domain Phrase to "bar" when generating that account's Salted Password.

Use with Password Managers

SaltThePass can be used in conjunction with traditional password managers, such as:

For example, you can save your login name and the Salted Password that SaltThePass generated. The benefit of this approach is that you can use the traditional password manager's features (such as auto-filling web forms), while having the SaltThePass.com website as a backup in case you don't have access to your password manager.

The traditional password manager can also store login details that cannot be generated on the SaltThePass website, such as your login name and whether or not you've had a password change.

Algorithm

The SaltThePass algorithm is pretty simple. Concatenate the Master Password, the Domain Name, and the Domain Phrase (optional). Send this through a hashing algorithm (SHA-3 is default, others are available), base64 the result, and then finally trim to the desired output length. In pseudo code:

Salted Password = Trim(Base64(Hash(Master Password + Domain Name + Domain Phrase)))

Notes:

  1. For base64, we use the base64url variation of RFC 4648, which replaces the last two alphabet characters, plus "+" and forward-slash "/", with minus "-" and underscore "_", to produce Salted Passwords that are more likely to pass the password requirements of sites that limit the characters that can be used in a password.

The algorithm SaltThePass uses is available open-source at github.com/nicjansma/saltthepass.js

Terms

Master Password

Your Master Password is a password that you keep safe and only use on SaltThePass. Ideally, you should never disclose it to anyone else, or even write it down. SaltThePass uses your Master Password in conjunction with the Domain Name and Domain Phrase (optional) to generate the Salted Password.

Your Master Password should only be used on SaltThePass to generate Salted Passwords. SaltThePass does not put any restrictions on what the password can be -- it can be as short or long as you want, with any combination of characters. Any character that can be input into a textbox is valid. Ideally, your Master Password should be as long as you can possibly remember. Password phrases are useful for remembering long passwords.

The key is to never use your Master Password for any reason except on SaltThePass.com. If you use your Master Password to log in to other websites, and they get compromised, they might try to use it on SaltThePass to generate all of your other passwords.

Domain Name

For simplicity, the Domain Name you use should match the website you're generating a password for. SaltThePass uses your Master Password in combination with the Domain Name and Domain Phrase (optional) to generate your Salted Password.

SaltThePass does not normalize the Domain Name when generating the Salted Password. For example, SaltThePass does not lower-case all of the letters, nor strip sub-domains from it. This means that you need to be consistent with how you enter domains. If you enter "facebook.com" when you create your password, and later try to use "www.facebook.com", you will get a different Salted Password. Similarly, you should either always include the protocol ("http://") or never use it.

If Domain Name Rules are enabled, SaltThePass uses your Domain Name to help you deal with password restrictions for that website.

Domain Phrase

The Domain Phrase is an optional field that can be used to differentiate multiple passwords on the same website.

For examples, see Password Changes or Multiple Passwords for a Single Domain.

Salted Password

The Salted Password is the output of your Master Password combined with the Domain Name and Domain Phrase (optional) of the website. See the algorithm section for exact details on how it is generated.

Nothing is stopping you from taking the Salted Password and always mentally applying an additional transformation on it, which only you know. For example, you could take the Salted Password and always add a "1" to the end of it. Or, you could swap the first and last characters. While these are simple examples, they can add an additional layer of security to protect you against attackers that know you use SaltThePass. Even if they somehow got your Master Password, they would also have to know the mental algorithm you used on the generated Salted Password to get your final modified Salted Password.

Domain Name Rules

Domain Name Rules help you customize your Salted Password to ensure it works for the target website. For example, some websites require that you input between 6 to 12 characters. Or, that you must include a dash ('-') or underscore ('_') in the password. Or, that you can't include numbers.

Domain Name Rules will automatically rewrite your password (in a consistent manner) to ensure the Salted Password works with your website.

Domain Name Rules are based on the Domain Name you enter. This means that if you enter "bar.foo.com" as the Domain Name, but we only have "foo.com" in the password database, the rules will not be applied.

If you enable Domain Name Rules, SaltThePass will download a community-supported database of rules and store it in your browser cache. Once you enter a Domain Name, it will search for it in the database. If found, it will ensure your Salted Password satisfies the website's requirements.

The Domain Name Rules database is split into multiple databases based on the domain's first letter. When you enter a Domain Name, SaltThePass fetches the database for that domain's first letter. The database is compressed and optimized, so it should not take a lot of storage. SaltThePass downloads these partial databases to your browser's cache, then searches for the full domain match from your cache, so the full Domain Names you enter are never disclosed to the SaltThePass.com server or to anyone else (access to the site is SSL encrypted as well).

Domain Name Rules are not enabled by default.

Normalize Domain Name

If enabled, the Normalize Domain Name setting takes the Domain Name and applies the following algorithm before generating the password:

  • Lowercase the entire Domain Name
  • If a URL, keep only the domain part of the URL (getting rid of the scheme, port and path)

For example, the following URLs would be normalized as:

  • http://foo.com is normalized to foo.com
  • http://foo.com/bar is normalized to foo.com
  • HTTP://FOO.COM is normalized to foo.com

Non-URLs are not affected.

Normalize Domain Name is disabled by default. You can enable Normalize Domain Name in the settings.

Hashing Algorithm

SaltThePass uses a cryptographic hash function as part of the algorithm that generates your Salted Password. There are several hash functions you can choose from. By default, SHA-3 (512) is used, but you can choose from any in the list below. Each hash function will provide different output, so if you ever change the hash function you use, you will get a different Salted Password.

The available hash functions are listed below along with the maximum password length they can generate:

SaltThePass uses the open-source CryptoJS JavaScript cryptographic library for MD5, SHA-1, SHA-2, SHA-3, RIPEMD-160 hashing and Base64 encoding.

The algorithm SaltThePass uses is available open-source at github.com/nicjansma/saltthepass.js

FAQ

1. What is the difference between SaltThePass and a traditional password manager, such as KeePass or LastPass?

SaltThePass is different from traditional password managers in that it never stores, saves or keeps your logins or passwords. Instead, SaltThePass gives you an algorithm you can use to repeatedly generate passwords for multiple websites.

One benefit of SaltThePass over a traditional password manager is that you can use it to generate your passwords even if you don't have access to your password manager. As long as you have internet access, you can generate your passwords.

An additional benefit is that you don't need to synchronize your passwords. If you add a password to your traditional password manager on your desktop machine, it might not automatically get synchronized to your laptop. Since SaltThePass is an algorithm, you can always find your passwords as long as you know your Master Password and the Domain Name.

A final benefit is that SaltThePass never stores your passwords. Since traditional password managers store your password on your disk or at the program's data center, there is the possibility that a hacker could gain access to them due to a security breach or a technical fault.

One downside of the SaltThePass.com website over a traditional password manager is that you have to have an internet connection to be able to visit SaltThePass.com so you can generate your passwords. However, a mobile app that doesn't require internet access is available for phones and tablets.

SaltThePass can also be used in conjunction with a traditional password manager for added flexibility.

2. What would happen if SaltThePass disappears?

SaltThePass is provided to you, for free, by Nic Jansma. I have no intention of ever shutting the website down, as I use it myself daily. However, should the site disappear from the internet someday, you would still be able to use the same algorithm that SaltThePass uses to generate your passwords, as it is fully described and open-source.

You should be able to use the mobile applications or the command-line saltthepass interface indefinitely.

3. How can I make my password even more secure?

  • Make sure your Master Password is as long as you can possibly remember.
  • The default SHA-3 (512) hashing algorithm, which was chosen as the winner of the NIST hash function competition, is a good choice. However, you could choose to use one of the other hashing algorithms if you don't want to keep the default choice. If a hacker knows that you use SaltThePass, it will be more costly for them to try to reverse-engineer your Master Password if they don't know which hashing algorithm you use.
  • You could always use the output of the Salted Password and apply your own "mental algorithm" to it. For example, you could prepend every password with "foo" or swap the first and last characters. This would make it harder for a hacker to reverse-engineer your Master Password.

4. What if I don't have internet access?

A mobile version of SaltThePass that won't require internet access is available.

If you have access to a computer, you can use the command-line saltthepass interface if it is pre-installed.

5. What if you don't have the correct Domain Name Rules for my domain?

If there is a domain name that you're creating a password for that we don't have the correct Domain Name Rules for, please click on the Suggest button that appears when there is No Match. A form will popup that you can use to suggest a domain.

Contact

SaltThePass was created by Nic Jansma. Feel free to contact him.

Mobile

Note: saltthepass.com is a Progressive Web App and can be used offline. You just need to visit this website once for it to be available offline.

The SaltThePass mobile app is available for iOS and Android devices. It works on both phones and tablets. The app has all of the features of the website and does not require any internet connectivity.

It is free and available in the following app stores:

Available for iPad, iPhone and Android devices

Command-Line

The saltthepass NPM package contains a command-line (CLI) interface. You just need NodeJS installed to use it.

npm install -g saltthepass
> saltthepass
Options:
  --hash, -h      Name of the hash, e.g. md5
          [choices: "md5", "sha1", "sha2", "sha3", "ripemd160"] [default: "md5"]
  --password, -p  Master Password                                     [required]
  --domain, -d    Domain Name                                         [required]
  --phrase, -r    Domain phrase
  --help          Show help                                            [boolean]
  --version       Show version number                                  [boolean]

> saltthepass -h sha3 -p password -d domain -r phrase
_PwlhSzK8_Q1M73_woHVXi-f_-hQJ_ht8_SCx6KvOdKiMSaqmV4Dhagf-toiMIqsvW04gJkGWU9eGAuyDQtvzw

Passwords

Please see Help → Data Security for details about how your Master Password, Domain Name, Domain Phrase and Salted Password are used.

Cookies

SaltThePass will only use cookies if you tell it to remember your settings and if your browser does not support HTML5 Local Storage. Please see Help → Settings and Cookies for more details.

Google Analytics may set some cookies (starting with __ut). See below for details.

Google Analytics

Google Analytics is a web analytics tool that helps website owners understand how visitors engage with their website. Visitors to this website who have JavaScript enabled are anonymously tracked using Google Analytics. We use Google Analytics to help us understand our visitors better, to see what pages they visit, and to look for trends and changes in our website's popularity. No personally identifying information is tracked by Google Analytics.

Google Analytics uses "cookies", which are text files stored on your computer, to collect standard Internet log information and visitor behavior information in an anonymous format. The information generated by the cookie about your use of our website (including IP address) is transmitted to Google.

We will never (and will not allow any third party to) use statistical analytics tools to track or to collect any Personally Identifiable Information (PII) of visitors to our site. Google will not associate your IP address with any other data held by Google. Neither we nor Google will link, or seek to link, an IP address with the identity of a computer user. We will not associate any data gathered from this site with any Personally Identifiable Information from any source, unless you explicitly submit that information via a fill-in form on our website.

All of our activity falls within the bounds of the Google Analytics Terms of Service.

You can opt out of Google's advertising tracking cookie if you prefer.

Changes

If our privacy practices change at any time, we will update this privacy policy to reflect the changes.

Questions?

Any questions regarding any of these policies may be sent to Nic Jansma.