Peppering Your Passwords

You shouldn’t know any of your passwords. You should only know one password: the master password for your password vault. That is, you should be using a password manager to generate, store and auto-fill super-strong passwords. There are other “passwordless” technologies on the horizon, but for now, passwords (with two-factor authentication) are still the best solution we have.

But you may be wondering: is it really safe to store all my passwords in a cloud-based service? Isn’t that putting all my eggs in one basket? What if my password vault service is hacked? These are valid questions and it’s healthy to be a little paranoid when it comes to security. Personally, I believe the risks of using a cloud-synced password vault is relatively small and the security benefits are very high. It’s a tradeoff worth making. However, if you’re not convinced, then I have a few variations on this idea that might appeal to you.

Offline Password Vault

If you don’t trust a cloud-based password service to protect your vault, there are some offline password managers. This means that the password vault (the encrypted database of your secrets) only exists on your computer hard drive or your smartphone’s memory. It’s not synced to or stored in the cloud. The downside to this is that you will need to somehow manually synchronize your passwords between devices or only have your passwords on one device. In that case, I would probably make that one device your mobile phone – since you will probably always have it with you. But that means to use it on a computer, you’ll have to manually transcribe these crazy passwords by looking at your phone. If you want to go this route, check out KeepPassXC (Windows/Mac), KeePassDX (Android) or Strongbox (iPhone).

Derived Passwords

There’s another clever solution to the storage problem: don’t store anything at all. Instead of generating random passwords that need to be securely stored, you simple derive all your passwords from things you already know. Specifically, your password for a given website is generated from your master password, the site’s domain name (like google.com) and your account user name (which is probably your email address). This creates strong, unique passwords for each website without having to store anything at all.

While this sounds like a clever solution, it has serious drawbacks. First of all, if you ever have to change a password, the only way to do that is to change your master password. That would then change every single other password, too. Second, if bad guys know or guess that you’re using this method, they might be able to reverse-engineer your master password. If they have your user name and the domain name, they could try to crack that one password to find your master password. And if they guess or steal your master password, they have everything they need to access all your accounts. They don’t have to somehow steal your encrypted password vault.

So, while this method is intriguing, I can’t recommend it. If you’re curious, though, check out LessPass.

Double-Blind Passwords

If you want the convenience of a cloud-synced password vault, but don’t fully trust your vault holder, there is another option. It will take a little more work, but I think it’s a good compromise. I ran across an article recently from a great site called All Things Secured. He described a method called “double blind passwords” (sometimes called Horcruxing or peppering). At a high level, you split your password into two parts: a crazy, random base password that you store in your password manager and a short secret suffix that you either remember or store separately. It’s easier to watch the video, but here’s how it works.

When setting or updating a password, use your password manager to generate a strong password, as usual. Have the password manager fill that in for you. Then, before submitting your password change, tack on a short suffix of your choosing. That is, extend the password with another, short secret. For example, if your password manager generates “o35F@CuWO%”, you can then add “6J9D” to make “o35F@CuWO%6J9D”. That’s your actual password. But you only save the first part in your password vault.

If your password vault is somehow stolen and cracked, the bad guys will only have part of each of your passwords. They wouldn’t have the “pepper” – they’ll still have to guess that, assuming they figure out why none of your passwords are working. (Salt and pepper are actual cryptographic terms, by the way.)

Here’s the Catch

This means you have to somehow remember that “6J9D” part. You’ll either need a separate password vault or commit it to memory. But you could come up with a formula for deriving the suffix, too. For example, for “amazon.com” you could make the suffix “amaz” or “AmAz” or “-amaz”… you get the idea. That’s predictable, but the bad guy would somehow have to guess the crazy base password and then figure out your pattern.

Also, your password manager is now going to constantly ask you “do you want to update your password?” because it will see that what you submitted isn’t what it has stored. Crucially, you can never accidentally say “yes”, as this will now store the entire password. This is what you’re trying to avoid.

If this sounds interesting but too difficult, consider maybe only using this technique for the really important passwords. That would be things like financial, medical, email and maybe social media.

Need practical security tips?

Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.

Don't get caught with your drawbridge down!

Scroll to Top