To List
What is salt in Password

What is salt in Password

2023-11-03
2 min read

Introduction

When you save a password in a DB, you don't have to save the password requested by Client. In most cases, the Hash algorithm is used to store it in the DB. Even if the hashized password is leaked by hackers, it is not easy for hackers to log in.

Problem

However, just as they find answers to everything, hackers found solution to decrypt them. The most well-known decoding method(hacking) is Rainbow table. It's called Rainbow table attack. Rainbow Table has hash result values for many passwords, so hackers compare the content on the table with the password they took and decrypt it. This is called Rainbow Table Attack. In the old days, computers and algorithms weren't good, so it wasn't a big problem. But these days, with the improvement of computers and algorithms, it is possible to decrypt passwords by comparing them to tables at high speed. To solve this problem, you can choose a complex hash algorithm, but this can make password generation time longer, causing inconvenience to users and making DB sizes huge.

SALT

Salt Flow In modern times, we're using the Salt method to solve this problem simply. Salt means the thing, which is used to flavor dishes. Think of it as salt in the password. Salt contains random variables that the developer wants. For example, it could be a strange word like "MyFiRsTSaLt." Salt is usually attached before or after the password. Then hash it and save it in the DB. The Salt Password generated in this way is difficult to decrypt using Rainbow table unless hackers know where Salt and Salt are added. Typically, you create and save columns for salt in Database.

Summary

  • Save as a different variable each time
  • Putting words before or after a password
  • Save to Database

Additional Method

There are many ways other than Salt.

Pepper

Although Pepper is similar to salt, it uses fixed variable. Because the pepper is a fixed variable, it can be stored and used in places such as env, and there is no need for the process of creating variables. However, it's not as good as Salt in terms of security.

Key stretch

Key stretch Flow Keystretch is an additional Hash processes to the hashed Password once or more.

In conclusion, the password is created to add the salt to password and use Key Stretch method in order to make it more secure.

Free open source project made by Youngjin