Salting your password?
Salting is not a technology. It is just a technique.
Before I explain salting, let's see how an un-salted password works.
Un-Salted Passwords
- Let’s say you and your friend create a Facebook account.
- You both chose the same password — “Password12”.
- If the password is simply hashed using one of the most common algorithms, SHA256, both you and your friend will end up with the same hash value.
- Meaning: if two people choose the same password in the same system, and the system applies the same SHA256 hashing to both passwords, their hashed passwords will be identical.
Drawbacks of Un-Salted Passwords
At this point, if a bad actor gets access to this hashed password, via the network or from a database, they can simply take it and search for a matching hash on the Internet.
Huge lists of common or leaked passwords and their corresponding hashes are easily available. Just look up “Rainbow tables” or read up on them.
When the hashed string matches, they can find the password by looking up the corresponding plain-text version in the rainbow table.
What does Salting your password mean?
- Salting is a quick and easy way of strengthening your password hashing methods.
- As mentioned earlier, it is not a technology. It's just a technique.
- Meaning it can usually be implemented on top of your existing password hashing process.
- Adding a “salt” to your password just means appending another string to the password a user chooses.
- An example would be: If the password is “Password12” a salt, at a simple level, would be the user’s first name. So the salted password would look like “Password12John” if John is setting a password.
- What would this do? See the screenshots below.
- Even if both John and Jane enter the same password, because of the salt the hashed values are completely different from each other.
- This does not fully prevent a “rainbow table” attack, but it reduces the risk drastically.
Let's look at both un-salted and salted again.
- As you can see, both chose the same password, but because of the salt they ended up with very different hash values.
- You can try it yourself here: SHA256 Hash Generator and Calculator Online Tool
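To make the comparison concrete without the screenshots, here is an added Python example; it is not code from the original article. It hashes the same password for John and Jane both un-salted and with the article's first-name salt, checks each hash against a small constructed stand-in for a rainbow table (hash to plain-text lookup), and, going beyond the article, adds the generalisation most systems use: a random salt per user that is stored next to the hash and re-applied at login. The password list, the names and the 16-byte salt length are constructed assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data for the demo: a tiny list standing in for the
# huge leaked-password lists the article mentions. Not a real table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Password12", "letmein"]


def sha256_hex(text: str) -> str:
    """Hex SHA-256 digest of a UTF-8 string (the algorithm the article uses)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_unsalted(password: str) -> str:
    """Un-salted scheme: the same password always gives the same hash."""
    return sha256_hex(password)


def hash_with_name_salt(password: str, first_name: str) -> str:
    """The article's scheme: append the user's first name, then hash."""
    return sha256_hex(password + first_name)


def hash_with_random_salt(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Generalisation beyond the article (assumption): a random 16-byte salt
    per user. Returns (salt_hex, digest); the salt is stored next to the
    digest so the same salt can be applied again at login."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_random_salt(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Re-apply the stored salt and compare in constant time."""
    _, digest = hash_with_random_salt(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(digest, stored_digest)


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> plaintext for each candidate password: a toy
    stand-in for the rainbow table the article's bad actor consults."""
    return {sha256_hex(pw): pw for pw in candidates}


def recover(table: Dict[str, str], digest: str) -> Optional[str]:
    """Return the plaintext if the digest appears in the table, else None."""
    return table.get(digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # Un-salted: John and Jane get identical hashes, and the lookup succeeds.
    john_plain = hash_unsalted("Password12")
    jane_plain = hash_unsalted("Password12")
    print("unsalted equal:", john_plain == jane_plain)            # True
    print("unsalted recovered:", recover(table, john_plain))      # Password12

    # First-name salt (the article's scheme): hashes differ, lookup fails.
    john_salted = hash_with_name_salt("Password12", "John")
    jane_salted = hash_with_name_salt("Password12", "Jane")
    print("name-salted equal:", john_salted == jane_salted)       # False
    print("name-salted recovered:", recover(table, john_salted))  # None

    # Random per-user salt: store salt + digest, verify at login.
    salt, digest = hash_with_random_salt("Password12")
    print("login ok:", verify_random_salt("Password12", salt, digest))   # True
    print("wrong pw:", verify_random_salt("Password13", salt, digest))   # False
```

The random-salt variant is the reason the article's caveat holds: with a first-name salt, two users called John who pick the same password still share a hash, whereas a random salt makes every stored hash unique even for identical passwords. SHA-256 is used here only to match the article; purpose-built password hashes such as bcrypt, scrypt and Argon2 generate and store the salt for you and are deliberately slow to compute.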
I will make another article that explains what hashing is and how it works.
Will come back and edit this page with the link.
Summary (Recap):
- Salting is simply appending another relevant string, like “firstname”, to the plain-text password before sending it to the hashing algorithm.
- Example: If password is “Password12” and the Salt you chose is “firstname”, then the password for John would be “Password12John”.
- This is done to make sure users who chose the same password end up with different hash values.
- Salting is done to reduce the probability of “Rainbow Table” attacks.
- Do not confuse hashing with “encryption”. Hashing and encryption are completely different.