What is Salting in Security? (Password Protection Explained)

In 2012, LinkedIn's password database was breached. 117 million accounts. The passwords were stored as unsalted SHA-1 hashes. Within days, security researchers had cracked over 90% of them using pre-computed rainbow tables — databases that map known hashes back to their original passwords. The passwords had been hashed, technically, but without salting the protection was nearly worthless.

The same year, Adobe lost 153 million records — also using unsalted MD5 with an added twist: they used the same encryption key ('hint') for all passwords, meaning if you cracked one user with a given hint, you got every user with that hint simultaneously.

Salting is not a complicated concept. It is three lines of code. But failing to do it correctly — or at all — is one of the most common and consequential security mistakes in web development. This guide explains exactly what salting is, why it works, and how to implement it correctly in 2026.

Hashing Without Salt — The Rainbow Table Problem

A hash function converts a password to a fixed-length digest: SHA-256('password123') always produces the same 64-character hex string. This is deterministic — and that determinism is the vulnerability.

An attacker who steals your password database does not need to 'decrypt' anything. They can:

Pre-compute a rainbow table: Hash every word in a dictionary, every common password, every string up to 8 characters. Store the (hash → plaintext) mapping. This costs computation time once but can be reused against any unsalted database forever.

Lookup: For each stolen hash, look it up in the table. If found, they have the plaintext password in O(1) time.

Scale: SHA-256 is designed to be fast — roughly 500 million hashes per second on a GPU. Cracking a 10-million-entry database of unsalted SHA-256 hashes of common passwords takes minutes, not years.

import hashlib

# VULNERABLE — never do this in production
def bad_hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Every user with 'password123' gets the SAME hash
print(bad_hash_password('password123'))
print(bad_hash_password('password123'))  # identical

# A rainbow table lookup would crack both instantly
# Real rainbow tables cover all passwords up to 8 chars:
# That's 95^8 ≈ 6.6 quadrillion possibilities — pre-computed once, reused forever

How Salting Works

A salt is a cryptographically random string generated uniquely per user, stored alongside their hash. The password + salt combination is hashed together.

The salt does not need to be secret — it is stored in plaintext in your database next to the hash. Its purpose is not confidentiality but uniqueness: even two users with identical passwords will have different salts and therefore different hashes. A rainbow table built against unsalted hashes is completely useless against salted ones — the attacker would need to rebuild the table for every possible salt value, which is computationally infeasible.

import hashlib
import os

# CORRECT manual salting (for illustration — use bcrypt in production)
def hash_password(password: str) -> tuple[str, str]:
    # Generate a unique 32-byte random salt per user
    salt = os.urandom(32).hex()
    # Hash password+salt together
    digest = hashlib.sha256((password + salt).encode()).hexdigest()
    return digest, salt  # store BOTH in database

def verify_password(password: str, stored_hash: str, stored_salt: str) -> bool:
    digest = hashlib.sha256((password + stored_salt).encode()).hexdigest()
    return digest == stored_hash

# Same password → completely different hashes
hash1, salt1 = hash_password('password123')
hash2, salt2 = hash_password('password123')

print(f'Hash 1: {hash1[:32]}...')
print(f'Hash 2: {hash2[:32]}...')
print(f'Same?   {hash1 == hash2}')  # False — salts are different

# Verification works correctly
print(verify_password('password123', hash1, salt1))  # True
print(verify_password('wrongpassword', hash1, salt1)) # False

The Right Way: bcrypt, Argon2, PBKDF2

The salting example above still uses raw SHA-256 — which is designed for speed, not password security. On a GPU, an attacker can try billions of SHA-256 hashes per second. The solution is not just salting but using a dedicated password hashing function that:

1. Handles salting automatically — generates and stores the salt internally
2. Is deliberately slow — configurable work factor that can be tuned as hardware gets faster
3. Is memory-hard (Argon2) — requires large amounts of RAM per attempt, making GPU/ASIC attacks expensive

bcrypt: The battle-tested default. Cost factor doubles computation time per increment. Cost 12 takes ~250ms — comfortable for users, brutal for attackers trying 10 billion guesses.

Argon2id: 2015 Password Hashing Competition winner. Memory-hard: an attacker needs GBs of RAM per guess, not just compute. The modern recommendation for new systems.

PBKDF2-SHA256: SHA-256 iterated 100,000+ times with salt. FIPS-approved. Django's default.

# pip install bcrypt argon2-cffi
import bcrypt
from argon2 import PasswordHasher

# ── bcrypt ──────────────────────────────────────────────────────
def bcrypt_hash(password: str) -> bytes:
    # bcrypt generates and embeds the salt automatically
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def bcrypt_verify(password: str, hashed: bytes) -> bool:
    return bcrypt.checkpw(password.encode(), hashed)

hashed = bcrypt_hash('mysecretpassword')
print(f'bcrypt hash: {hashed}')
print(f'Verify correct:   {bcrypt_verify("mysecretpassword", hashed)}')
print(f'Verify incorrect: {bcrypt_verify("wrongpassword", hashed)}')

# ── Argon2id (recommended for new systems) ───────────────────────
ph = PasswordHasher(time_cost=2, memory_cost=65536, parallelism=2)

def argon2_hash(password: str) -> str:
    return ph.hash(password)  # salt embedded in the hash string

def argon2_verify(password: str, stored_hash: str) -> bool:
    try:
        return ph.verify(stored_hash, password)
    except Exception:
        return False

arg_hash = argon2_hash('mysecretpassword')
print(f'\nArgon2 hash: {arg_hash}')
print(f'Verify: {argon2_verify("mysecretpassword", arg_hash)}')

Hashing vs Salting vs Encryption — Comparison Table

These three terms are frequently confused. They serve different purposes and have different threat models:

| | Hashing | Salted Hashing | Encryption | |---|---|---|---| | Reversible? | No | No | Yes (with key) | | Purpose | Integrity verification | Password storage | Confidential data storage | | Key required? | No | No | Yes | | Rainbow tables? | Vulnerable | Immune | Not applicable | | Same input = same output? | Yes | No (different salt each time) | Yes (same key) | | Example use | File checksums, git commits | User passwords | Credit card numbers, PII | | Examples | SHA-256, MD5 | bcrypt, Argon2, PBKDF2 | AES-GCM, RSA |

Rule of thumb: Passwords → salted hashing (bcrypt/Argon2). Sensitive data you need to retrieve → encryption (AES-GCM). File integrity → plain hashing (SHA-256).

Never encrypt passwords. If your database and encryption key are both compromised, all passwords are recoverable. Properly salted bcrypt hashes remain computationally infeasible to crack even after a database breach.

What Good Password Storage Looks Like in Production

A production-grade password system has several layers beyond just salting:

Pepper: An additional secret value (unlike salts, peppers are NOT stored in the database — stored in application config or HSM). Even if an attacker gets your database, they cannot crack passwords without the pepper.

Rehashing on login: When a user logs in successfully, check if their stored hash uses an outdated algorithm or cost factor. If so, rehash with the current settings and update the database. This lets you upgrade your password security without requiring password resets.

Timing-safe comparison: Use hmac.compare_digest() not == when comparing hashes. Regular string equality short-circuits on first mismatch — creating a timing side channel. Timing-safe comparison always takes the same time.

import bcrypt
import hmac
import os
from functools import wraps

PEPPER = os.environ.get('PASSWORD_PEPPER', '').encode()

def hash_password(password: str) -> str:
    """Production-grade password hashing with pepper + bcrypt."""
    # Combine password with pepper before hashing
    peppered = password.encode() + PEPPER
    return bcrypt.hashpw(peppered, bcrypt.gensalt(rounds=12)).decode()

def verify_password(password: str, stored_hash: str) -> bool:
    """Timing-safe password verification."""
    peppered = password.encode() + PEPPER
    candidate = bcrypt.hashpw(peppered, stored_hash.encode())
    # Timing-safe comparison — prevents timing oracle attacks
    return hmac.compare_digest(candidate, stored_hash.encode())

def needs_rehash(stored_hash: str, target_rounds: int = 12) -> bool:
    """Check if stored hash should be upgraded."""
    return bcrypt.checkpw(b'', stored_hash.encode()) == False or \
           bcrypt.gensalt(rounds=target_rounds)[:7] != stored_hash.encode()[:7]

# Usage
hashed = hash_password('MySecurePassword!')
print(f'Stored: {hashed}')
print(f'Valid:  {verify_password("MySecurePassword!", hashed)}')
print(f'Wrong:  {verify_password("WrongPassword", hashed)}')

Frequently Asked Questions