What is a Salt

A salt is a random value generated for each password before it is hashed. Instead of computing hash(password), the system computes hash(salt + password) and stores both the salt and the resulting hash. Even if two users choose the same password, their different salts produce completely different hashes. Salts are not secret -- they are stored in plaintext alongside the hash.

How it works

Without salts, an attacker who obtains a database of password hashes can use a rainbow table -- a precomputed mapping from common passwords to their hashes. Computing SHA-256("password123") always produces the same output, so the attacker simply looks up each hash in the table. A rainbow table for all 8-character passwords with SHA-256 is a one-time computation that can crack millions of accounts.

Salts defeat this attack entirely. Because each password is hashed with a unique random salt, the attacker cannot use a precomputed table. They must brute-force each password individually, multiplying the attack cost by the number of accounts.

A good salt is:

  • Random -- generated by a cryptographically secure random number generator, not derived from the username or any predictable value.
  • Unique per password -- every hash operation gets its own salt. Reusing a salt across accounts partially defeats the purpose.
  • Long enough -- at least 16 bytes (128 bits). This makes the salt space too large for any precomputed table to cover.

Modern password hashing algorithms like bcrypt, scrypt, and Argon2 generate and embed the salt automatically. The output string includes the algorithm identifier, cost factor, salt, and hash in a single portable format. You never need to manage salts manually when using these algorithms.
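The scheme described above, as an added example that is not part of the original page: a fresh 16-byte CSPRNG salt per password, a slow hash of (salt, password), constant-time verification, and a constructed precomputed table that cracks the unsalted SHA-256 but finds nothing against the salted hash. It assumes PBKDF2-HMAC-SHA256 from the standard library as the slow hash and an iteration count chosen for illustration.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt/Argon2 here; the iteration
# count is an illustrative assumption, not a recommendation.
ITERATIONS = 100_000
SALT_LEN = 16  # 128-bit salt, the minimum recommended above


def hash_password(password, salt=None):
    """Return (salt, digest). Draws a fresh CSPRNG salt unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    # Salt and password are fed to the KDF together, i.e. hash(salt + password).
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored (non-secret) salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def unsalted_sha256(password):
    """The weak scheme the page warns about: hash(password) with no salt."""
    return hashlib.sha256(password.encode()).digest()


def rainbow_lookup(table, digest):
    """A precomputed table reduces cracking to one dictionary lookup."""
    return table.get(digest)


def demo():
    # Constructed sample: two users pick the same weak password.
    alice_salt, alice_hash = hash_password("password123")
    bob_salt, bob_hash = hash_password("password123")
    # Constructed "rainbow table" of unsalted SHA-256 hashes of common passwords.
    table = {unsalted_sha256(p): p for p in ["password123", "letmein", "qwerty"]}
    return {
        "salts_differ": alice_salt != bob_salt,
        "hashes_differ": alice_hash != bob_hash,
        "alice_ok": verify_password("password123", alice_salt, alice_hash),
        "alice_wrong": verify_password("Password123", alice_salt, alice_hash),
        "unsalted_cracked": rainbow_lookup(table, unsalted_sha256("password123")),
        "salted_cracked": rainbow_lookup(table, alice_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```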

Why it matters

Salting is a non-negotiable requirement for password storage. Without it, a single stolen hash database can be cracked in bulk using precomputed tables. With proper salts and a slow hashing algorithm, each password must be attacked individually, making large-scale breaches dramatically more expensive for attackers.

See How Hashing Works for the full walkthrough of hash functions, salting, and password storage.