A salt is a piece of random data added to a password before the password is hashed and stored. Salting is a security measure used alongside password hashing, not instead of it.
Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them. Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database.
A cryptographic salt is made up of random bits added to each password instance before it is hashed. Salts produce unique hashes even when two users choose the same password. Salts help mitigate precomputed hash table attacks by forcing attackers to recompute their tables using the salt of each individual user.
Hashing and Salting
By adding a salt to a password before it is hashed, the stored hashes become less susceptible to being reverse-engineered. Because the salt produces a completely different hash than the bare password would, the hash of the password on its own is never exposed.
The salt and the password (or its version after key stretching) are concatenated and fed to a cryptographic hash function, and the output hash value is then stored with the salt in a database. The salt need not be encrypted, because knowing the salt would not help the attacker.
Salt played a crucial role in the development of ancient civilizations. It was used as a seasoning and a preservative for food, which allowed people to store food for longer periods and travel farther distances. In addition to its culinary uses, salt was also used for religious ceremonies and as a trading commodity.
As the human diet moved away from salt-rich game to grains, more salt was needed. Surface salt is relatively rare and mining was difficult – and so, as civilisation spread, it became a precious commodity and trading routes were established all around the world.
Salting isn't an alternative to encryption or hashing; it is actually a function that can be added to the hash to make it more secure. It's a way to defeat a rainbow table. A rainbow table is a tool that a cybercriminal might use to try to get around a hashing algorithm.
Hashing is a one-way process that converts a password to ciphertext using hash algorithms. A hashed password cannot be decrypted, but a hacker can try to reverse engineer it. Password salting adds random characters before or after a password prior to hashing to obfuscate the actual password.
This salt is unique to each user, and is stored in the database along with the username and salted-hashed password. An example username-password database using the SHA256 hashing function with a salt.
It is named "salt" because it is similar to adding table salt to food—it modifies the food slightly and improves it. A string being hashed is improved by adding a salt value because the algorithm outputs a different hash than it would without the salt.
Salt is still used as money among the nomads of Ethiopia's Danakil Plains. Greek slave traders often bartered salt for slaves, giving rise to the expression that someone was "not worth his salt." Roman legionnaires were paid in salt—salarium, the Latin origin of the word "salary."
To salt a password hash, a new salt is randomly generated for each password. The salt and the password are concatenated and then processed with a cryptographic hash function. The resulting output (but not the original password) is stored with the salt in a database.
A salted hash cannot be decrypted. Again, hashing is a one-way process.
To crack a salted password, the attacker must know both the hash and the salt value. This makes it harder to crack hashes using methods such as rainbow tables.
It's important to note that salts do not prevent dictionary attacks or brute-force attacks against an individual hash.
With an additional step of salting, the authentication process will be a little bit different. In practice, the salt, the hash, and the username are usually stored together.
Salting is simply the addition of a unique, random string of characters, known only to the site, to each password before it is hashed. Typically this "salt" is placed in front of each password. The salt value needs to be stored by the site, which is why some sites use the same salt for every password.
Salting has several benefits for your information security. First, it increases the entropy, or randomness, of your hashes, making them more resistant to precomputation and brute-force attacks. Second, it prevents users who share a common or weak password from being exposed together, because each one produces a different hash.
To protect passwords, experts suggest using a strong and slow hashing algorithm like Argon2 or Bcrypt, combined with salt (or even better, with salt and pepper). (Basically, avoid faster algorithms for this usage.) To verify file signatures and certificates, SHA-256 is among your best hashing algorithm choices.
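The register-and-verify procedure described above (per-user random salt, salt concatenated with the password, slow hash, salt and hash stored beside the username, verification by recomputing the hash), as an added example that is not part of the original page. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the slow algorithms the text recommends (Argon2 and bcrypt need third-party packages); the iteration count, the 16-byte salt length and the in-memory `store` dictionary are assumptions chosen for this example. The `unsalted_sha256` helper is included only to show the weakness salting fixes: two users with the same password get the same unsalted hash, but different salted hashes.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for this example.
ITERATIONS = 600_000
SALT_BYTES = 16  # 128-bit random salt per user (assumed length)


def unsalted_sha256(password: str) -> str:
    """The weak scheme the text contrasts against: same password, same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salt(nbytes: int = SALT_BYTES) -> bytes:
    """A fresh, unpredictable salt from the OS CSPRNG for every password."""
    return os.urandom(nbytes)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salt + password through a deliberately slow one-way function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(store: dict, username: str, password: str) -> None:
    """Store username, salt, hash and work factor together; never the password."""
    salt = make_salt()
    store[username] = {
        "salt": salt.hex(),
        "hash": hash_password(password, salt).hex(),
        "iterations": ITERATIONS,
    }


def verify(store: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    db = {}
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")
    print("unsalted hashes equal:", unsalted_sha256("x") == unsalted_sha256("x"))
    print("salted hashes equal:  ", db["alice"]["hash"] == db["bob"]["hash"])
    print("alice login:", verify(db, "alice", "correct horse battery staple"))
    print("wrong pass: ", verify(db, "alice", "Correct horse battery staple"))
```

Storing the iteration count next to each record lets the work factor be raised later for new or re-hashed passwords without breaking verification of older ones; the salt itself is stored in the clear, exactly as the text says it can be.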
The moment a hashing function is broken, however, it is possible to reverse the outcome. There are several hashing functions that are no longer secure, including MD2, MD4, MD5 and SHA1. Currently, SHA-256 is considered the safest hashing algorithm by many experts.
SHA-256 is one of the hashing algorithms in the SHA-2 family (patented under a royalty-free U.S. patent 6829355). It's the most widely used and best hashing algorithm, often in conjunction with digital signatures, for authentication and encryption protocols like TLS, SSL, SSH, and PGP.
In Roman times, and throughout the Middle Ages, salt was a valuable commodity, also referred to as "white gold." This high demand for salt was due to its important use in preserving food, especially meat and fish. Being so valuable, soldiers in the Roman army were sometimes paid with salt instead of money.
China is the world leader in terms of salt production, with 64 million metric tons of salt produced in 2022.
Recorded history also soundly refutes the myth that salt was more valuable than gold. YouTube historian Lindybeige cites Venetian trade documents from the height of the salt trade in 1590 that establish the value of 1 ton of salt as 33 gold ducats.