diff --git a/Gemfile b/Gemfile
index 8713905d3b1..8a48d6e149d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -9,6 +9,7 @@ gem 'american_date'
 gem 'browserify-rails'
 gem 'coffee-rails', '~> 4.1.0'
 gem 'devise', '~> 4.1'
+gem 'devise-encryptable'
 gem 'dotiw'
 gem 'figaro'
 gem 'foundation_emails'
diff --git a/Gemfile.lock b/Gemfile.lock
index 3318c0e4115..25cada64f88 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -190,6 +190,8 @@ GEM
 railties (>= 4.1.0, < 5.1)
 responders
 warden (~> 1.2.3)
+ devise-encryptable (0.2.0)
+ devise (>= 2.1.0)
 diff-lcs (1.2.5)
 docile (1.1.5)
 dotenv (2.1.1)
@@ -618,6 +620,7 @@ DEPENDENCIES
 database_cleaner
 derailed
 devise (~> 4.1)
+ devise-encryptable
 dotiw
 email_spec
 factory_girl_rails
@@ -682,4 +685,4 @@ DEPENDENCIES
 xmlenc (~> 0.6.4)
 BUNDLED WITH
- 1.12.5
+ 1.13.1
diff --git a/app/models/user.rb b/app/models/user.rb
index 68847db77bf..9c4ed2e6cfd 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,7 +3,7 @@ class User < ActiveRecord::Base
 after_validation :set_default_role, if: :new_record?
- devise :confirmable, :database_authenticatable, :recoverable, :registerable,
+ devise :confirmable, :database_authenticatable, :encryptable, :recoverable, :registerable,
 :timeoutable, :trackable, :two_factor_authenticatable, :omniauthable, omniauth_providers: [:saml]
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index b786082a63b..658d152acc6 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -204,7 +204,7 @@
 # REST_AUTH_SITE_KEY to pepper).
 #
 # Require the `devise-encryptable` gem when using anything other than bcrypt
- # config.encryptor = :sha512
+ config.encryptor = :sha512
 # ==> Scopes configuration
 # Turn scoped views on. Before rendering "sessions/new", it will first check for
diff --git a/db/migrate/20160929142953_add_users_salt.rb b/db/migrate/20160929142953_add_users_salt.rb
new file mode 100644
index 00000000000..49146c84c55
--- /dev/null
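Review bot: Adding `:encryptable` to the `devise` call changes how every stored digest is verified, and nothing visible in this commit handles digests written before it. Rows created under `:database_authenticatable` alone hold bcrypt output in `encrypted_password` and will have a NULL `password_salt` after the `AddUsersSalt` migration, so if the table already has users (the diff does not show this) their passwords would presumably stop verifying once the encryptor is switched. I would record the intended transition next to the call, e.g. `# :encryptable verifies with config.encryptor; pre-existing bcrypt digests need a forced reset or a re-hash on next successful login`, and confirm that one of those paths exists before deploy. The `User` class body continues outside the hunk.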
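Review bot: Uncommenting `config.encryptor = :sha512` moves password storage from bcrypt to an iterated, salted SHA-512, which costs far less per guess for anyone who obtains a copy of the `users` table. As far as I know, devise-encryptable treats `config.stretches` as a literal round count rather than a bcrypt cost exponent, so a value chosen for bcrypt (that setting is outside this hunk) would leave only a handful of hash rounds per candidate password. Unless there is a stated requirement to drop bcrypt, I would keep the line as `# config.encryptor = :sha512`. If the switch is required, state the reason in a comment above it and raise `config.stretches` accordingly, or supply a custom encryptor built on a deliberately slow KDF such as PBKDF2 or scrypt. The enclosing configuration block starts and ends outside the hunk.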
+++ b/db/migrate/20160929142953_add_users_salt.rb
@@ -0,0 +1,5 @@
+class AddUsersSalt < ActiveRecord::Migration
+ def change
+ add_column :users, :password_salt, :string
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 6f2ec5995c4..ff427a05523 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20160915202036) do
+ActiveRecord::Schema.define(version: 20160929142953) do
 # These are extensions that must be enabled in order to support this database
 enable_extension "plpgsql"
@@ -132,6 +132,7 @@
 t.datetime "idv_attempted_at"
 t.integer "idv_attempts", default: 0
 t.string "recovery_code"
+ t.string "password_salt"
 end
 add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true, using: :btree