What are password salts? Here’s everything you need to know, from its definition, importance, and best practices.
Scroll down to learn more.
Password Salts are one of the most important security enhancements in password security. They are used to add randomness and to make brute-force attacks against hashing algorithms harder.
The salt is a unique set of characters that is appended to the user’s password before it is hashed.
As a result, the user’s password hashed value isn’t the same as other users’ password hashed value.
In layman’s terms, a salt serves as a unique “surprise” that’s added to your account password before it gets encrypted.
It makes it harder for hackers to crack your password because they have to go through the whole process again for each password hash.
Here’s an example:
Suppose you’re a bank customer, and your password is “mad8t3ch.” When you sign in or reset your password, you’ll notice that the bank put an extra letter “w” at the end of your password value, like this: mad8t3chw. This extra letter is called a salt.
When you log back in, the bank will remove this “salt” and use your actual password value instead.
Why Do We Need Password Salts?
Salts are important because they add unique values to each user’s hashed passwords, making it harder for hackers to crack them.
They work with many hashing algorithms and enable users to create strong passwords without having to rely on weak ones.
Because they’re easy to implement, salts should be part of every system that stores passwords (or hashes) for authentication purposes.
That said, not all salts are equal; some provide better protection than others.
The best salting schemes have a few things in common:
- Random values stored with the passwords
- Additional work required by the attacker
When properly used, salts can protect against pre-computed hash tables, rainbow tables, and brute-force attacks. They can also reduce the risk of storing plain text passwords.
As a result, it can help thwart dictionary attacks by adding more bits of entropy to each value.
Best Practices of Using Password Salts
Make sure both the hashes and the salts are stored safely and are not accessible by anyone. Also, salt values should be stored in a separate table from the password hashes.
It’s also critical to not follow common patterns for salts. Instead, use cryptographically strong salt values.
You can also use random or pseudo-random salts, not sequential or repeating ones.
They should be at least 64 bits (12 characters) if you’re using a hash function like SHA-256 or bcrypt. If you’re using Argon2, scrypt, HMAC-SHA2, or PBKDF2, then you should use at least 128 bits (20 characters).
Conclusion: Why Password Salts Matter?
Password salting is a simple but effective security measure that can be used to strengthen password hashing schemes and make brute-force attacks harder to execute.
It makes your passwords more difficult to crack by making them unique and forces an attacker to run through the whole process again for each password value he wants to crack.