Password Salting

Password salting is the process of protecting stored password hashes against a rainbow table attack. The problem with unsalted passwords is that nothing about the stored value is unique to the individual account: if someone had a precomputed rainbow table of common password hashes, they could compare it directly against the database and see which users had chosen which common password.

So how do we make each hashed password in a database unique? We add a value called a salt to the input of the hash function. Usually the salt is random data stored with the user's record in the database, but it could be something else unique to the user, such as their login name or registration date. Why is this effective?

Every user now has a value that is unique to them, which is combined with their password before the result is hashed and stored in the database. If someone tries the same rainbow table attack with a list of common password hashes, none of the stored hashes will match. The salt changes the output of the hash function completely, so even the common passwords no longer appear in the precomputed table. An attacker who wants to crack the passwords now has to recompute the hashes with each individual user's salt, increasing the amount of time required to brute force all of the passwords exponentially.
