Add Salt to the Password for Taste đ§đ
Why Seasoning is Essential in Security
âFrom the earliest times, salt has been a symbol of lasting alliances, sacred rituals, and even rebellion.â â Mark Kurlansky, Salt: A World History
Salt once shaped empires, sparked wars, and preserved entire civilizations. It helped our ancestors store food during long journeys and harsh winters. In Salt: A World History, Mark Kurlansky traces the remarkable influence of this humble mineral, describing how it carved trade routes, powered economies, and quietly shaped the course of history.
Salt still preserves in our modern, digital worldânot food this time, but something just as vital: our online identities. Without salting, even the most complex passwords can be cracked in minutes, leaving personal data exposed and vulnerable.
In this post, weâll explore how a simple pinch of salt can disrupt even the most sophisticated attacks. If that sounds mysterious or technical, donât worry â weâll break it down gently. Think of it like a recipe: no dish is complete without a bit of salt, and no password system is secure without it, either.
Image Source: XKCD
The Problem with Passwords
Passwords are one of the oldest tools we have for identification and authentication. If we trace their history, we can go all the way back to the Roman army, where soldiers used watchwords to prove they belonged to a particular unit. Fast forward a bit, and we get the secret codes whispered at speakeasies during Prohibition â the price of admission for a sip of forbidden liquor. The first digital password was introduced at MIT in 1961 by Fernando J. CorbatĂł, a pioneering computer scientist who wanted to increase access to shared machines while keeping usersâ data private.
Passwords have stuck around since then, but theyâve also become one of the weakest links in our digital defenses. On a human level, most of us reuse the same password across multiple accounts or choose ones that are far too easy to guess (password123, iloveyou, etc.). Even when we try to be clever, the truth is â humans arenât great at randomness. And hackers know that.
Worse still, some systems continue to store passwords in plain text. Yes, in plain text â as recently as 2019, Meta (the parent company of Facebook) discovered it had stored over 600 million user passwords in searchable plain text files dating back years. In 2021, a GoDaddy breach exposed the plain-text passwords of 1.2 million users. Storing passwords in plain text is exactly as bad as it sounds. Itâs like writing down your deepest secrets in a diary and leaving it unlocked on a public bench. If anyone gains access, they can read everything. To fix that, developers use hashing, which turns passwords into scrambled, fixed-length codes that are difficult to reverse. For example, instead of storing this:
| User Name | Password |
|---|---|
| User1 | ItIsWhatItIs |
| User2 | MyVeryStrongPassword345!@23 |
| User3 | Password1 |
| User4 | ILoveThisWebsite |
We use a hashing function to transform it into this:
| User Name | Hashed Password |
|---|---|
| User1 | $2y$10$xKySiD8229yRa.zimaCd.eEEOKi057YSMJqH.doAiXnIAI5pIPySK |
| User2 | $2y$10$jbbc6lg0Yo3wdA8WKVy7B.AYd5Y4udMs6XcPb2uvhCM2bd7oSTtm. |
| User3 | $2y$10$CZRnyru6S3pEFsTRbIPZ.eFSlntphgVURyy8qrtNXSSovAi4JfIb6 |
| User4 | $2y$10$UBVekw9siGufgeM.3nbye.WspumDpK0LVgW7PJAGZBJ0qtXyqZKdu |
This way, even if an attacker gets the data, they see only hashes â not the actual passwords. When a user logs in, the password they enter is hashed, and the system compares it to the stored hash.
But hashing isnât bulletproof. If two users choose the same password, their hashes will be identical â making it easier for attackers to spot patterns. Hackers also use rainbow tables , which are massive precomputed lists of common passwords and their corresponding hashes. And brute-force attacks like dictionary attacks can try billions of combinations per second. The more predictable the system â or the hashing function â the easier it is for attackers to win.
So how do we throw them off the scent? How do we make even predictable passwords harder to crack?
Thatâs where salt comes in.
So⌠What is a Salt?
In the world of password security, a salt is a random string of characters added to a password before itâs hashed. It doesnât have to be long or fancy â though a long enough salt almost eliminates the risk of a rainbow table attack. This tiny addition completely changes the outcome of the hash, even if two users pick the exact same password.
Think of it like a secret spice in a recipe. Two chefs might start with the same dish, but if one adds cinnamon and the other adds chili, youâll end up with very different flavors. Thatâs what salt does: it makes every âdishâ â in this case, every password hash â unique.
Letâs break it down with an example.
Suppose two users both choose the same (very strong!) password: password.
If we hash it without any salt, theyâll get the exact same result:
Hash("password") â $2y$10$LYkedKLZX3qDb06Hd17zWuybj9EhqUWKFjOjqSRBKF6q3rE3ldcsq
Now, letâs say we add a unique salt for each user:
User1: Salt = X8g72!
Hash("X8g72!password") â $2y$10$DebUSiinkd2GvJZ0uqgsFOvvfDClW.kvnZ7R3g/DLmMh/XySy00hu
User2: Salt = Lz91#k
Hash("Lz91#kpassword") â $2y$10$mIzd3Z5y.dwyTVD.EpCeV.vZOp8dPUSzY3SRt.Whrj.o8kDAIDhaq
Even though both users chose the same password, their final hashes are completely different. That means a hacker canât easily tell they started from the same input. And because salts are generated randomly, rainbow tables become practically useless â an attacker would have to compute a new table for every possible salt, which is computationally impractical.
Using the earlier example from the hashing section, we can now see how salting changes whatâs stored in the database. First, hereâs how we build the salted password:
| User Name | Password | Salt | Salted Password |
|---|---|---|---|
| User1 | ItIsWhatItIs | aQ4$eP | ItIsWhatItIsaQ4$eP |
| User2 | MyVeryStrongPassword345!@23 | rT9^xB | MyVeryStrongPassword345!@23rT9^xB |
| User3 | Password1 | D3@u1Z | Password1D3@u1Z |
| User4 | ILoveThisWebsite | Mn*7cV | ILoveThisWebsiteMn*7cV |
And hereâs how we safely store both the salt and the resulting hash:
| User Name | Salt | Hashed Password |
|---|---|---|
| User1 | aQ4$eP | $2y$10$4dgl.RSifOPIrB29WzKOB.i60f2Z8up6jwRp6dSdpPe9p/ryTU8je |
| User2 | rT9^xB | $2y$10$s07QB8CrMackdGawjJpFIO3rPWPrczd31LSQR20Pdz8cYtEXGXG7W |
| User3 | D3@u1Z | $2y$10$IeXB26bNQjj96CPML5s50OM6RyZxhT2/p7mY.V7gaT8kEe34GTU7O |
| User4 | Mn*7cV | $2y$10$EE2Ga1X.qaUsnyzZCvO79.raQwn1IcThHq3VMk52AB0/a2NJedeFm |
By storing the salt alongside the hash, systems can reliably re-hash a password during login for comparison without compromising security. The salt itself doesnât need to be secret. It just needs to be unique and unpredictable.
Itâs important to emphasize, however, that salting doesnât make passwords stronger. It only makes attacks harder â and that distinction matters.
Common Mistakes
Image Source: XKCD
âYou are the salt of the earth. But if the salt loses its saltiness, how can it be made salty again? It is no longer good for anything, except to be thrown out and trampled underfoot.â - Jesus, Matthew 5:13
Like any good recipe, salting only works if you do it right. One of the biggest mistakes is reusing the same salt for every user â which completely defeats the purpose. If everyone gets the same seasoning, all the hashes for identical passwords will still look the same. Thatâs no better than unsalted hashing. Salts must be unique per user â and ideally unique per password reset â to offer real protection.
Another common pitfall is using salts that are too short, predictable, or not truly random (we can talk about generating secure random values in a follow-up post). A salt like 123456 or admin isnât fooling anyone â certainly not a hacker with a rainbow table and some spare time. Ideally, a good salt should come from a strong random number generator, be at least 16 characters long, and draw from a broad character set. You can dig deeper in this Stack Overflow conversation on optimal salt lengths.
Other frequent missteps include forgetting to store the salt or storing it insecurely. While the salt doesnât need to be hidden, it does need to be reliably retrievable. If you lose or corrupt it, you cannot re-hash and verify a userâs password correctlyâitâs like losing the recipe for your signature dish.
And finally, one of the most unfortunate (and surprisingly common) mistakes is hashing without salting. (You can find examples in the reference links below.) This still shows up in legacy systems or rushed codebases â and it leaves users dangerously exposed to the kinds of attacks weâve already discussed. Modern systems should always salt and hash passwords with a strong algorithm like Argon2, or bcrypt. Even though limitations in bcrypt contributed to the recent Okta security vulnerability, itâs still widely used â and I have some thoughts on Okta Security coming soon, so stay tuned).
For practical implementation tips, I also highly recommend the OWASP Password Storage Cheat Sheet.
Bonus: Salt Alone Isnât Enough (Use Pepper too)
Salt is powerful â but itâs not a magic shield. While it protects against attacks like rainbow tables and ensures every password hash is unique, itâs just one part of a broader security recipe.
Some systems add another secret ingredient: a pepper. Like salt, a pepper is a string added to the password before hashing â but unlike salt, the pepper is kept secret and shared across all users. Think of it as a house spice blend only the kitchen staff knows. Even if attackers access the database, they still need the pepper to recreate the hashes.
That said, pepper comes with tradeoffs. Because it must be stored securely (usually in the application code or an environment variable), managing it introduces additional complexity. As with any ingredient, thereâs ongoing debateâsome security experts argue that pepper doesnât always add meaningful protection and may not be worth the added risk.
Then thereâs the matter of how we hash. Not all algorithms are created equal. General-purpose functions like SHA-256 are fast â which is excellent for performance, but unfortunately, itâs also great for attackers. Thatâs why we use key-stretching algorithms like bcrypt, scrypt, or Argon2, which are intentionally slow. These algorithms increase the cost of each password guess, making brute-force and dictionary attacks much less practical.
And, of course, password storage is just one layer of defense. A secure system should also include rate limiting (to prevent automated guessing or bot-like behavior), multi-factor authentication (MFA) (so a stolen password alone isnât enough), and regular audits of how passwords and credentials are managed.
Security is layered. Salt is essential, but it canât carry the weight alone. It works best when combined with solid algorithms, thoughtful design, and strong overall hygiene. Like seasoning a meal, security is not just about one ingredientâbalance, technique, and attention to detail.
Conclusion: Security Recipe Card
As a bonus, I created the hashes in the examples above using one of the common key-stretching algorithms. If you can figure out which one, let me know. Iâd be curious to learn how you did it.
Salting might seem like a quirky detail in the vast world of cybersecurity, but as weâve seen, itâs one of the simplest and most powerful tools we have for protecting passwords. By adding randomness to each hash, salts break patterns, frustrate attackers, and help ensure that even identical passwords donât leave identical traces.
For developers, salting should be a non-negotiable part of your password storage process. And for the curious reader â whether youâre learning, building, or just staying security-conscious â itâs worth digging into how your favorite platforms handle password protection. Do they use proper salting? Do they mention bcrypt or Argon2? Is MFA available? These are questions worth asking.
Password security doesnât have to be complicated â but it does have to be thoughtful. So yes: salt your food, and your passwords.
Finally, while this post focused on password security, my next post will take a deeper look at digital identity â and how it shapes, protects, and sometimes complicates our lives online. Hope to see you there.
Till then, stay salty, stay safe. đ§đ
References and Resources to Learn More
- Hackers Stole Access Tokens from Oktaâs Support Unit
- Unpacking the Okta Data Breach
- Is salted MD5 or salted SHA considered secure?
- Why an unsalted MD5 hash is bad practice
- How NOT to Store Passwords! - Computerphile
- ELI5: What does it mean if a password is stored as unsalted MD5 hash?
- What does it mean if a password is stored as an unsalted MD5 hash?
- The Evolution of Password Hashing
- Legacy app with md5 hashes: how to add salt and SHA1?
- What is bcrypt and how does it work?
- Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory - Nov 1, 2024
- How Bcryptâs Limitations Contributed to Oktaâs Vulnerability: A Lesson for Developers
- Is it an good idea of Using password itself as an salt
- Best Practices: Salting & peppering passwords?
- Password Hashing and Storage Basics
- Password Salting
- Interesting Conversation from Y Combinator News
- Adding Salt to Hashing: A Better Way to Store Passwords
- What is a rainbow table attack and how to prevent it?
- Salt â Preventing Rainbow Attacks against Password Stores
- Salt Hashing and How It Can Lower The Chances of Exposing Login Credentials
- The History and Future of Passwords
- The Worldâs First Computer Password? It Was Useless Too
- (Part I of III) The History of Passwords
- The Secret Password to Enter the Speakeasy
- Meta stored 600 million Facebook and Instagram passwords in plain text
- A Brief History of Passwords
- Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years