Examples
bcrypt hash with embedded salt: $2b$12$K1eZ.../9yDXm...PBKDF2 with salt: pbkdf2_sha256$260000$saltbase64$hashbase64Argon2 with salt: $argon2id$v=19$m=65536,t=3,p=4$salt$hashNode.js generation: crypto.randomBytes(32).toString('hex')DB storage: user_id | password_hash | salt_used
FAQ
Can I use the same salt for all my users?
No. That's called a 'pepper' and serves a different purpose. Salt MUST be unique per user, otherwise an attacker can precompute rainbow tables for your shared salt.
Where do I store the salt securely?
In the same column as the hash. Tools like bcrypt embed it automatically. If you use manual PBKDF2, you can store it in a separate column in plain text. It doesn't need encryption.
Does salt protect against brute force attacks?
Indirectly. Salt prevents mass parallel attacks with precomputed tables, forcing the attacker to crack each hash individually. But you need bcrypt/Argon2 (slow) so each attempt takes long enough.