🧂

Salt (cryptography)

In cryptography, a salt is a unique random string concatenated to a password before applying a hash function. Its purpose: ensure two users with the same password generate different hashes, making rainbow table attacks useless.

Examples

  • bcrypt hash with embedded salt: $2b$12$K1eZ.../9yDXm...
  • PBKDF2 with salt: pbkdf2_sha256$260000$saltbase64$hashbase64
  • Argon2 with salt: $argon2id$v=19$m=65536,t=3,p=4$salt$hash
  • Node.js generation: crypto.randomBytes(32).toString('hex')
  • DB storage: user_id | password_hash | salt_used

FAQ

Can I use the same salt for all my users?

No. That's called a 'pepper' and serves a different purpose. Salt MUST be unique per user, otherwise an attacker can precompute rainbow tables for your shared salt.

Where do I store the salt securely?

In the same column as the hash. Tools like bcrypt embed it automatically. If you use manual PBKDF2, you can store it in a separate column in plain text. It doesn't need encryption.

Does salt protect against brute force attacks?

Indirectly. Salt prevents mass parallel attacks with precomputed tables, forcing the attacker to crack each hash individually. But you need bcrypt/Argon2 (slow) so each attempt takes long enough.