Salting

To increase security, a random string of characters (the salt) is combined with a plaintext password before the password is hashed.

Jun 25, 2025 · 2 min read

To enhance safety, before a password is stored, a special algorithm is used to convert the plaintext password into a hash value. The problem is that if two or more users use the same password, their hash values will be identical. That makes it easier for attackers to find these passwords by trial and error. Furthermore, rainbow tables are already available for many algorithms and can be used to map hash values back to passwords.

This is where salting comes in. With this method, a random string (the salt) is added to a password before it is hashed. The salt can be placed at the beginning or the end of the password. For example, the salted password “p2f5e9kRedRoses12!” or “RedRoses12!p2f5e9k” is created from the password “RedRoses12!”.

To make a rainbow table harder to use, it would be sufficient for the salt to be the same for all users, since the mapping from passwords to hash values would no longer match the precomputed table. However, if attackers were to obtain that shared salt, all user accounts would be at risk at once. This can be prevented by assigning each user a different, randomly generated salt value when the account is created. This ensures that all stored hashes differ from each other, even if users choose the same password.

The salt is only known to the server and is stored in the database together with the other user data. Attackers could still systematically guess passwords if they know a salt value, but they would have to repeat the whole process for each user because every salt is different.
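The two scenarios above, a single shared salt versus a per-user random salt, as an added example that is not part of the original article. It uses Python's standard library only; the PBKDF2 iteration count, the 16-byte salt length and the sample password records are assumptions chosen for the demonstration, not values from the page.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: PBKDF2-HMAC-SHA256 with a fixed iteration count.
# A production deployment would choose this according to current guidance.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash from the password and salt.

    The salt is mixed into the key derivation, so the same password with a
    different salt produces an unrelated hash.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user_record(password: str) -> dict:
    """Store a new user: generate a fresh random salt and hash the password with it.

    Both the salt and the hash are kept in the record, as the article describes;
    the salt is not secret from the server, it only has to be unique per user.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def compare_salting_strategies(password: str = "RedRoses12!") -> dict:
    """Show why a shared salt is weaker than per-user salts.

    Returns a dictionary of observations so they can be checked programmatically.
    """
    # Scenario 1: one salt shared by every user (constructed sample value).
    shared_salt = b"p2f5e9k"
    shared_a = hash_password(password, shared_salt)
    shared_b = hash_password(password, shared_salt)

    # Scenario 2: each user gets a random salt at account creation.
    user_a = create_user_record(password)
    user_b = create_user_record(password)

    return {
        # Same password + same salt -> identical hashes (the duplicate leaks).
        "shared_salt_hashes_equal": shared_a == shared_b,
        # Same password + different salts -> different hashes.
        "per_user_hashes_equal": user_a["hash"] == user_b["hash"],
        "per_user_salts_equal": user_a["salt"] == user_b["salt"],
        # Verification still works for both users with their own salt.
        "both_users_verify": verify_password(user_a, password)
        and verify_password(user_b, password),
        # A wrong password is rejected.
        "wrong_password_accepted": verify_password(user_a, "RedRoses13!"),
    }


if __name__ == "__main__":
    for name, value in compare_salting_strategies().items():
        print(f"{name}: {value}")
```

The record returned by `create_user_record` is what would be written to the user table: the salt in the clear next to the hash. Verification never needs the plaintext from the database, only the candidate the user types plus the stored salt, which is the property that keeps a leaked table from yielding passwords directly.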