Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Data Science Community Knowledge Base

What is a cryptographic "salt"?

Simply, a “Salt” is a random string. Typically used in the context of password managers, it’s use prevents against brute force attacks.

Let us use the example of logging into a computer. The user inputs a password and the computer checks that this password “matches” the stored information for this user. Now, storing passwords in the clear in the system is a bad security practice. A one way function (a hash function such as SHA256 is an example of such a function) comes to the rescue by taking any input and transforming it into a finite space (256-bits). This allows for easy forward computing (given the input, it is easy to compute the value of the function, i.e., the 256 bits) but the reverse is “hard” (given 256-bits, find out the input).

The way a hash function is used in the password system is that instead of storing the password, the computer stores a hash of the password. When a login attempt is made, the computer computes the hash of the user input password and compares that hash with the string stored for that user – a match implies the user should be allowed to login and a mismatch reports the error “incorrect password”.

For the same reason it is bad to store passwords in the clear, it is also bad to store just the hash of the passwords. The reasons are twofold (1) hash is deterministic, i.e., the sha256 hash of the password “qwerty123456” is always 3a5745a05f87ddee1db68b217dc043bfa206d1c7aaa1dd0a7dd76b852a733597 (2) humans choose passwords from a low-entropy source - most passwords come from a common pool of passwords. As a consequence, a brute force attack can compute the hash of the most commonly chosen passwords just once and then compare it against the hash on my machine to find my password.

A salt solves this problem by concatenating itself to the password in the authentication process. So the computer stores two things (1) a random salt (2) hash(salt || password). When a user makes an attempt, the hash(salt || attempt_password) is compared against the stored  hash(salt || password) to allow entry. This makes attacking computationally infeasible as it would take a long time for a password cracking program to run because to break into my machine the attacker needs to generate a hash of common passwords with my particular salt.

View All Knowledge Base Questions

See how Devron can provide better insight for your organization

Request a Demo