Password security is a vital part of cybersecurity. Passwords are used everywhere. When you log into an account, you enter a password, used to verify your identity.

You might've heard of the term "salting" in relation to passwords, so what is salting? How are passwords actually kept safe from hackers? And does salting keep your passwords safe?

What Is Salting?

Salting is the process of adding unique random strings of characters to passwords in a database or each password before the password is hashed (a term we'll come back to). This is done to change the hash and make passwords more secure. The string of characters added to the password is called the salt. A salt can be added in front or behind a password.

The salt is not made public and is known to only the site.

How Does Salting Work?

When you create an account on a website or app, the password you use has to be stored, so you can be verified the next time you visit the site. But this password cannot be stored as plaintext i.e without any form of formatting or coding. The password has to be hashed to prevent hackers from easily accessing your account.

Say you sign in to a site with this password: myPassword. Before that password gets hashed, a salt value is added to it. If the salt value for that particular site or user is MUOrocks%, your salted password becomes myPasswordMUOrocks%.

The salted password is then hashed and stored in the database alongside other password hashes.

What Is the Difference Between Encryption, Hashing, and Salting?

Salting, hashing, and encryption are security techniques used every day across sites and systems. They are cryptography terms necessary for password security. But how do they differ?

Encryption

Encryption is a form of cryptography where information is encoded mathematically and can only be accessed and decoded by a person with an authorized key. The information that needs to be secured is translated from plaintext to ciphertext using an algorithm that makes the information undecipherable to unauthorized users.

Encryption is a two-way process, which means that encrypted data can be reversed and read, but only by those with the right decryption key.

Hashing

Hashing is the process of transforming information that you want to be kept secure into a string of characters also known as the hash. It's basically scrambling information using an algorithm.

Hashing is a one-way cryptographic function and this means that, unlike encryption, it cannot generally be reversed. The only way you can decipher a hash is by comparing it with another hash with a known plaintext value.

Hashing is used to validate your authenticity. When you log into a website and type in your password, the hash of your password is compared to the hash identified with your account. If the two hashes are the same, you are granted access to the site.

Salting

Salting is another layer of security added to hashing. To make a hash more secure, unique strings of characters are added to the password before hashing to change the hash altogether.

Why Are Passwords Salted?

Salting is very important in security. It helps reduce the risk of malicious hackers getting the passwords.

Simply storing passwords in databases as is is a very unsecure method of keeping users privacy. Any skilled hacker could get into the database and have access to all the accounts on the site.

Then came hashing. It improved the security of the passwords until hackers got the better of it. Hackers use brute-force attacks, dictionary attacks, password spraying, or rainbow tables to reverse engineer the passwords to obtain login credentials.

To Strengthen Weak Passwords

Salting adds another level of security to the site. When a salt value is added to a password, the hash is changed completely. This makes it very hard to reverse engineer the password and renders the rainbow table useless. Here's an example.

As you can see in the table, the hashes are completely different. The password remains the same when you visit the site, but the hash is more secure against exploitation. Salting is especially important when users use weak and popular passwords like "password" or "12345". Salting lowers the risk that comes from weak passwords.

To Make Password Hashes Unique

Salting is also important when two or more users have the same passwords. Adding different randomized salts to each password helps to make each unique. For example, if your password is iL0veCh3ese! and another user, Chioma, has that exact password, salting is used to make those password hashes unique.

Now these passwords, although the same, have completely different hashes. When you look at the hashes, you will never be able to recognize that the two users share a password.

Choosing a Good Salt

Choosing a good salt is as important as choosing a password. A good salt should be unique. Ensure you use unique characters and/or symbols that would make your hash more secure. The salt or salts you choose for your website shouldn't be predictable or easily guessed, like the name of the site or user. Another added plus is using long salts.

The best way to choose a unique and strong salt is to use salt-value generators. These help you create random and strong salts to increase your security.

Do not store salts along with the password database, and do not use the same salts for all passwords. Another good salting tip is to change the salt every time a user changes their password.

Is Salting Effective in Boosting Security?

Yes. Salting does increase the security of a password. When you salt a password, it is impossible for a hacker to crack a password using dictionary tables or rainbow tables. Brute forcing the hashed password is also futile because it would take a very long time before the perfect combination of the hash is found. This way, passwords are more secure and safer from hackers.