Salt
What is Salt?
A unique random value combined with a password before hashing to defeat rainbow tables and ensure each user's hash is distinct.
A cryptographic salt is a non-secret random value mixed with a password before it is fed into a hash function or KDF such as Argon2, scrypt, bcrypt or PBKDF2. Salts ensure that two users with identical passwords receive different stored hashes, defeating precomputed rainbow tables and making large-scale attacks linear rather than batchable. A salt should be at least 16 bytes, generated from a cryptographically secure RNG, unique per credential, and stored alongside the hash; it is not meant to be secret. Modern password-hash formats (PHC string, $argon2id$..., $2b$..., $scrypt$...) embed the salt directly. Salts are also used in HKDF and in randomised public-key encryption schemes for the same diversification purpose.
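The following Python (standard library only) is an added example, not code from this glossary: it walks through the per-credential salt workflow the definition describes using PBKDF2-HMAC-SHA256, embeds the salt in a self-describing record, and verifies with the embedded parameters. The `$pbkdf2-sha256$i=<n>$<salt>$<hash>` layout and the iteration count are assumptions chosen for illustration, modelled on the PHC-style strings mentioned above rather than taken from any standard.

```python
import base64
import hashlib
import hmac
import os

SALT_BYTES = 16          # at least 16 bytes, from a CSPRNG, unique per credential
ITERATIONS = 210_000     # illustrative PBKDF2-HMAC-SHA256 work factor (assumption)


def _b64(raw: bytes) -> str:
    """Unpadded base64, as PHC-style strings use."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a constructed PHC-style record: $pbkdf2-sha256$i=<n>$<salt>$<hash>.

    The salt is not secret; it is stored in the clear next to the hash so that
    verification can re-derive the same digest.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt for this credential only
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"$pbkdf2-sha256$i={iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt and parameters embedded in the record."""
    try:
        _, scheme, params, salt_b64, hash_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256" or not params.startswith("i="):
            return False
        iterations = int(params[2:])
        salt, expected = _unb64(salt_b64), _unb64(hash_b64)
    except (ValueError, TypeError):
        return False  # malformed record: never fall back to an unsalted compare
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def salts_differ(stored_a: str, stored_b: str) -> bool:
    """Two records for the same password must carry different salts and hashes."""
    a, b = stored_a.split("$"), stored_b.split("$")
    return a[3] != b[3] and a[4] != b[4]


if __name__ == "__main__":
    rec1, rec2 = hash_password("hunter2"), hash_password("hunter2")
    print(rec1, rec2, "distinct:", salts_differ(rec1, rec2), sep="\n")
```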
● Examples
- 01
An Argon2id hash like $argon2id$v=19$m=65536,t=3,p=1$<base64-salt>$<base64-hash>.
- 02
A unique 16-byte random salt generated per user during account creation.
● Frequently asked questions
What is Salt?
A unique random value combined with a password before hashing to defeat rainbow tables and ensure each user's hash is distinct. It belongs to the Cryptography category of cybersecurity.
What does Salt mean?
A unique random value combined with a password before hashing to defeat rainbow tables and ensure each user's hash is distinct.
How do you defend against Salt?
Defences for Salt typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Salt?
Common alternative names include: Cryptographic salt, Password salt.