Create strong, unique, and memorable passwords

Salt and Pepper Passwords

Password management is a constant struggle.
Most folks give up on managing passwords and end up using the same password for everything. The problem is that some passwords expire and have to be changed periodically, so the plan of one single password goes out the window. You end up with an array of different passwords, all created at different times without any plan or methodology for the various sites you visit, and at some point it will happen: you will forget your password.

Now most websites have ways to recover your password by simply clicking a link, maybe verifying the name of your favorite pet, and responding to an email with a link to reset the password. So password recovery is fairly simple and common.

But my goal is to give you tips for creating your own unique, memorable password creation and management system so you’ll never forget a password again. It’s a method I call “Salt and Pepper Passwords”.

Creating strong passwords.
Complexity and length both add to the cryptographic strength of a password. I won’t go into the math behind it, but the longer and more complex your password, the stronger it is. Length is fairly simple: more characters take longer to guess. Complexity, in general, means the password contains a blend of letters (A,a,B,b,C,c,…), numbers (1,2,3,…), and special characters (~,!,@,#,$,%,^,&,*,…).

What good is all this length and complexity if you can’t remember what you created? Cx$t78#vbR9d6^pGW is a long, complex password, but who can remember it? Let alone type it accurately when all you see is •••••• on the screen.

Creating memorable passwords.
You may have heard about the mnemonic device method of password creation. That’s the method where you think of a sentence, “Mary had a little lamb whose fleece was white as snow!”, and build a password from the first letter of each word…

Mhallwfwwas!

Now that’s a long and fairly strong password that is easy to remember… But imagine having to come up with a unique one of those for every site you log into.

My Salt and Pepper Password method is a simple way to create long, strong, memorable, unique passwords for all your sites. It is loosely based on the ATM card idea. Your PIN is only 4 characters, and they are all numbers, so how secure can it be? Well, the security comes from two layers: something you have (your ATM card) combined with something you know (your PIN). My method uses the same principle.

SALT
The part I call the salt is like your PIN. It should be short, easy to remember, meet the complexity rules, never be written down, and kept secret… just like your ATM PIN. You are going to throw salt on all your passwords; it’s the “Something You Know” part of your password management system. For example, I’ll use $a1T as my salt. It contains an uppercase letter (T), a lowercase letter (a), a number (1), and a special character ($), so it meets the complexity rules. Now don’t use my salt. Come up with your own, and have fun with it; you’ll be typing it a lot from now on.

PEPPER
The part I call the pepper is like your ATM card. It adds length to the password, which adds strength, and it is the “Something You Have” part of your password management system. The pepper is tied to each site to keep that site’s password unique from your other passwords. You can even write it down and keep it in your wallet or purse, because without the salt it’s useless, just like your ATM card is useless without your PIN. I’ll give you a few ideas and follow up with a couple of examples, but ultimately how you choose your pepper is up to you.

The pepper needs to relate to the site you are logging into. You can use word association (Amazon.com = jungle), part of the site name (Amazon.com = amaz), or whatever will help you remember it (Amazon.com = books). Once you decide how to choose your pepper, use the same method on every site and you won’t have to write it down. But even if you keep a list of peppers in plain sight, you’re still okay.

SALT and PEPPER
Let me give a few examples to show how the salt and pepper work together.

Ex: Amazon.com
So you’ve come up with your salt ($a1T) and are now on the Amazon site ready to change your password. You’ve chosen to use word association to create your pepper (jungle). Now it’s time to put your salt and pepper together and make a unique, strong, and memorable password. How you combine them is up to you, and making up your own rule adds even more security. Here are a few combinations I came up with:

  • $a1Tjungle
  • jungle$a1T
  • jun$a1Tgle
  • $ajungle1T

For illustration purposes let’s say I choose the third option where I split my pepper after the third letter and insert the salt in between. In my wallet I could just keep a card that says “Amazon Jungle” and no one would know.

Okay, let’s do another one…

Ex: Monster.com
So now I’ve gone to Monster to update my password to use the new system. Using the same word association method for choosing my pepper, I go with (godzilla). Add my salt after the 3rd letter and… god$a1Tzilla… my strong, unique, memorable password is born. I get out my wallet card and write “Godzilla Monster” right below “Amazon Jungle”.

When your password expires or changes, all you need to do is choose a new pepper and update your wallet card. Okay, let’s do one more…

Ex: iTunes
Now it’s time to get the iTunes password in line with the Salt and Pepper password system. The same salt goes on everything, so all we need is some pepper. But what word associates with iTunes? I came up with (mp3 music). I know, not very creative. So I throw my salt in after the 3rd letter and we have mp3$a1Tmusic. Then, since my pepper was pretty simple, I decided not to add it to my wallet card at all.

So to sum up…
  • Something you know is your salt; put it on everything.
  • Something you have is your pepper; it is related to the site somehow.
  • Your method for combining salt and pepper can be whatever you want.
  • Your method for choosing your pepper can be whatever you want.
  • If you choose the methodology, it will be easy for you to remember and difficult for others to guess.

Never forget your password again.

If you do forget a password, all you need to do is reset it by coming up with a new pepper and then throwing a little salt on it.

This is by no means an ultra-high-security password generation method. For that I’d recommend checking out GRC’s Perfect Passwords Generator. But if you are going to use passwords like that, then I recommend using a password manager. I use LastPass to manage and keep track of my passwords, because even with a good methodology for creating passwords, it’s really handy to have all your credentials securely stored in one place. With the Premium version you can use the app on mobile devices and integrate password management with your fingerprint reader.

I hope this helps,
Erik
