Glossary
Salt (Cryptography)
A salt is a unique, random value added to each password before hashing, so identical passwords get different hashes and precomputed rainbow tables fail.
A salt is a random value generated fresh for each stored password and combined with it before hashing. It should come from a cryptographically secure random source and be at least 16 bytes long. Salts are unique per credential and stored in the clear alongside the hash; they are not secret. Their job is twofold:
- Defeat precomputation. A unique salt makes rainbow tables and other precomputed attacks useless, because the attacker would need a separate table for every salt, and with a 128-bit salt there are far too many to build.
- Hide duplicates. Two users with the same password get completely different stored hashes, so a breach does not reveal who shares a password, and cracking one hash does not crack the other.
Salts are built into modern password hashes: bcrypt embeds a 128-bit salt in its $2b$ string, and Argon2, scrypt, and PBKDF2 all take one. A salt alone is not enough, though. It stops an attacker from hitting every account with one precomputed table, but it does nothing to slow down guessing a single account's password, so you also need a slow, tunable work factor. For the full approach, see password hashing done right, and compare salted hashes in the generator.
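The following is an added example, not code from this glossary or from any of the libraries it names. It uses only the Python standard library (hashlib's PBKDF2-HMAC-SHA256, os.urandom for the salt) to show both properties above in working code: the same password stored twice yields two different records, yet each verifies, because the salt is kept in the clear inside the record. The record layout (algorithm$iterations$salt$hash) and the function names are this example's own conventions, not a standard.

```python
# Added example: salted password hashing with PBKDF2-HMAC-SHA256 from the
# Python standard library. Not the page's own code; record format is ours.
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16        # 128-bit salt, the same size bcrypt embeds in $2b$ strings
ITERATIONS = 600_000   # the slow work factor; the salt alone gives none of this


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2-sha256$iterations$salt$hash.

    A fresh salt is drawn from the OS CSPRNG unless one is supplied (passing
    a salt is only useful for tests and for migrating existing records)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The salt is stored in the clear next to the hash: it is not a secret.
    return "$".join([
        "pbkdf2-sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash using the salt and iteration count stored in the
    record, then compare in constant time."""
    alg, iters, salt_b64, digest_b64 = record.split("$")
    if alg != "pbkdf2-sha256":
        raise ValueError("unsupported record format: " + alg)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def stored_hashes_differ(record_a: str, record_b: str) -> bool:
    """True when two records carry different hash fields, i.e. a breach of
    both would not reveal that they were made from the same password."""
    return record_a.split("$")[3] != record_b.split("$")[3]


if __name__ == "__main__":
    # Constructed demo: two users who picked the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("alice:", alice)
    print("bob:  ", bob)
    print("same password, different hashes:", stored_hashes_differ(alice, bob))
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", alice))
```

Because the iteration count travels inside the record, you can raise ITERATIONS later and old records still verify; re-hash them on the user's next successful login. The salt field is what defeats precomputation: an attacker holding the record must run PBKDF2 with that exact salt for every guess, so no table built in advance helps.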