Salting works by adding an extra value, the salt, to the password before it is hashed. The salt is normally stored alongside the resulting hash rather than kept secret; its job is to make the hash of a given password differ from the hash of that same password stored anywhere else, so that a precomputed table of hashes of common words no longer matches and work spent attacking one account cannot be reused against another.

In this example, the password is Blumira and the salt value is Security.Wiki. The stored hash is computed over the combination of the two (for instance Security.WikiBlumira) rather than over Blumira alone, so a lookup table of hashes of common words will not contain it. This provides some protection for people who use common words as their password.

However, a single salt shared by every account only helps until someone learns it. The attacker then adds the salt to the end (or start) of each dictionary word, hashes it once, and compares that one result against every stored hash in the database, so the whole user table is attacked in a single pass. To make brute-force and dictionary attacks more expensive, a random salt should be used, a different one for each password, so that each account has to be attacked separately and two users with the same password no longer end up with the same stored hash.

Salts have sometimes been built from parts such as the current date-time, the username, a secret phrase, a random value, or a combination of them. Values like a username or timestamp are predictable and add little, so the salt should be an unpredictable value from a cryptographically secure random generator, at least 16 bytes long, generated fresh for every password. Bcrypt, for example, is a password hashing algorithm that generates a unique random salt per hash by default and embeds it in its output string alongside the cost factor and the hash itself, so the verifier can recover it without any separate storage.
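The following Python script is an added example, not code from the glossary or from Blumira. It uses the page's example values (password Blumira, salt Security.Wiki) and a constructed three-account user table to show the three points above: with one static salt, two users who share a password share a hash and a dictionary attack that knows the salt needs only one hash computation per word for the whole table; with a random per-user salt, identical passwords hash differently and every (account, word) pair costs the attacker a separate hash. The cracking functions deliberately use plain SHA-256 so the salting effect is easy to see; `store_password` and `verify_password` show the construction a real system should use instead, a random salt stored next to the output of a slow KDF (PBKDF2-HMAC-SHA256 from the standard library, standing in for bcrypt, which is not in the standard library). The account names, wordlist and iteration count are assumptions chosen for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real accounts).
# alice and bob both use the glossary's example password.
USERS = {"alice": "Blumira", "bob": "Blumira", "carol": "password"}
STATIC_SALT = "Security.Wiki"
WORDLIST = ["123456", "password", "Blumira", "letmein"]
PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def hash_with_salt(password: str, salt: str) -> str:
    """Hash salt + password with SHA-256, the construction the glossary describes.

    Plain SHA-256 is used only to make the salting effect visible; it is far too
    fast for real password storage (see store_password below)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def build_records_static(users: dict[str, str], salt: str) -> dict[str, tuple[str, str]]:
    """One salt shared by every account: same password gives the same stored hash."""
    return {user: (salt, hash_with_salt(pw, salt)) for user, pw in users.items()}


def build_records_random(users: dict[str, str]) -> dict[str, tuple[str, str]]:
    """A fresh 16-byte CSPRNG salt per account, stored next to its hash."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16).hex()
        records[user] = (salt, hash_with_salt(pw, salt))
    return records


def crack_static_salt(records: dict[str, tuple[str, str]], wordlist: list[str]):
    """Attacker who knows the single shared salt: one hash per word tests every account."""
    salt = next(iter(records.values()))[0]  # every record carries the same salt
    users_by_hash: dict[str, list[str]] = {}
    for user, (_, digest) in records.items():
        users_by_hash.setdefault(digest, []).append(user)
    found, work = {}, 0
    for word in wordlist:
        work += 1  # one hash computation covers the whole table
        for user in users_by_hash.get(hash_with_salt(word, salt), []):
            found[user] = word
    return found, work


def crack_per_user_salt(records: dict[str, tuple[str, str]], wordlist: list[str]):
    """Per-account salts: every (account, word) pair costs its own hash computation."""
    found, work = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            work += 1
            if hash_with_salt(word, salt) == digest:
                found[user] = word
    return found, work


def store_password(password: str) -> tuple[str, str]:
    """What a real system should store: a random salt plus a slow, salted KDF output."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()


def verify_password(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    static = build_records_static(USERS, STATIC_SALT)
    random_salted = build_records_random(USERS)
    print("alice and bob share a hash under the static salt:", static["alice"][1] == static["bob"][1])
    print("alice and bob share a hash under per-user salts:", random_salted["alice"][1] == random_salted["bob"][1])
    found, work = crack_static_salt(static, WORDLIST)
    print(f"static salt: cracked {found} with {work} hash computations")
    found, work = crack_per_user_salt(random_salted, WORDLIST)
    print(f"per-user salts: cracked {found} with {work} hash computations")
    salt, digest = store_password("Blumira")
    print("verify correct password:", verify_password("Blumira", salt, digest))
    print("verify wrong password:", verify_password("blumira", salt, digest))
```

With four words and three accounts the attacker needs 4 hash computations against the static-salt table but 12 against the per-user table; the gap scales with the number of accounts, which is the whole point of a unique salt per password. Note that per-user salts still do not stop an attacker from guessing one account's weak password; the slow KDF in `store_password` is what makes each of those guesses expensive.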
