Salt (cryptography)
In cryptography, a salt is a random string of data that is used to augment a password or passphrase before it is hashed. The primary purpose of a salt is to defend against dictionary attacks, rainbow table attacks, and other precomputation attacks where an attacker pre-calculates hashes for a large number of common passwords.
When a user creates a password, the system generates a unique, random salt specifically for that password. This salt is then concatenated with the password (either before or after), and the combined string is then passed through a cryptographic hash function. The resulting hash, along with the salt itself, is stored in the system's password database.
The crucial aspect of a salt is that it is unique for each password. Even if two users choose the same password, the use of unique salts will result in different hash values. This prevents an attacker from being able to use precomputed hash tables (like rainbow tables) to quickly identify common passwords. If the same salt were used for multiple passwords, an attacker could attack all of them together: a single table computed for that salt would apply to every hash, and once one password is cracked, every other account that uses the same password is compromised as well.
When a user attempts to authenticate, the system retrieves the stored salt associated with their account. The entered password is then concatenated with this salt, hashed using the same hash function used during password creation, and the resulting hash is compared to the stored hash value. If the two hashes match, the authentication is successful.
The security provided by a salt depends on several factors, including the length of the salt, the randomness of the salt generation process, and the strength of the hashing algorithm used. Longer and more random salts provide better protection against attacks. Generally, salts should be at least 16 bytes (128 bits) in length and generated using a cryptographically secure pseudorandom number generator (CSPRNG).
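The registration and authentication flow described above, as an added example that is not part of the original article. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of a single hash over the concatenated salt and password; the function names, record layout and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16        # 128 bits, the minimum length recommended in the text
ITERATIONS = 200_000   # assumed work factor for this example; tune per deployment

def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2 mixes the salt into an iterated HMAC-SHA256, standing in for
    # the plain hash(salt + password) concatenation the text describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def create_record(password: str) -> dict:
    """Registration: draw a fresh CSPRNG salt and store it beside the hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": _derive(password, salt, ITERATIONS)}

def verify(password: str, record: dict) -> bool:
    """Login: re-derive with the stored salt and compare in constant time."""
    candidate = _derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def find_shared_salts(records: dict) -> list:
    """Audit helper: list groups of accounts whose records reuse one salt."""
    by_salt = {}
    for user, rec in records.items():
        by_salt.setdefault(rec["salt"], []).append(user)
    return [sorted(users) for users in by_salt.values() if len(users) > 1]

if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    db = {"alice": create_record("correct horse"),
          "bob": create_record("correct horse")}
    print("hashes differ:", db["alice"]["hash"] != db["bob"]["hash"])
    print("alice logs in:", verify("correct horse", db["alice"]))
    print("wrong password:", verify("wrong horse", db["alice"]))
    print("shared salts:", find_shared_salts(db))
```

Storing the iteration count in each record lets the work factor be raised later without invalidating existing hashes.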
Using salts in conjunction with password hashing is considered a best practice for password security and is an essential component of modern authentication systems.