Salting is a security technique that adds a random string of characters (called a salt) to a password before hashing it. Rather than converting 'password123' directly into a hash, the system combines 'password123' with a unique salt value, then converts the result into a hash. Each account gets a different salt, even if users choose identical passwords.
Why salting matters
Without salts, identical passwords produce identical hashes, so a hash only ever needs to be computed once and can then be looked up forever. If attackers obtain a hashed password database, they can use precomputed tables of hash-to-password mappings (called rainbow tables) to look up weak passwords instantly instead of hashing guesses themselves. Salting makes these tables useless because the same password hashes to a different value under every salt; with a 16-byte random salt there are 2^128 possible salts, far more than any precomputed table could cover.
A salt also stops attackers from cracking every account in one pass. Each candidate password must be hashed separately against each account's salt, so cracking a database of N accounts costs roughly N times the work of cracking one, instead of one hash per guess for the whole database.
How it works
When you set a password, the system generates a random salt (typically 16 bytes or more, taken from a cryptographically secure random source), combines it with your password, runs the result through a password hashing function, and stores the salt next to the resulting hash. During login, the system retrieves your salt, applies the same hashing process to the password you entered, and compares the result to the stored hash, ideally with a constant-time comparison so that timing does not leak how many bytes matched.
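The procedure above end to end, as an added example that is not part of the original page: generate a salt from a CSPRNG, derive the hash with scrypt from Python's standard library, store salt and parameters next to the hash, and verify with a constant-time comparison. It also shows the point of the earlier section on rainbow tables: a toy precomputed table of unsalted SHA-256 hashes finds a leaked unsalted hash immediately but finds nothing in the salted record. The scrypt cost parameters, the 16-byte salt length and the wordlist are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed cost parameters for this example; tune for your own hardware.
# Memory use is 128 * r * N bytes = 16 MiB here, under hashlib's default limit.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per account (assumed)
HASH_LEN = 32   # bytes of derived hash

# Constructed sample wordlist standing in for a real rainbow table's input.
COMMON_PASSWORDS = ["password123", "letmein", "qwerty", "hunter2"]


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Create the record stored for a new password.

    A fresh salt comes from secrets (a CSPRNG), never from random.random().
    The optional salt argument exists only so tests can reproduce a hash.
    The record keeps the salt and cost parameters in the clear: none of them
    are secret, and the verifier needs them to recompute the hash.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN)
    return {"salt": salt, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so a wrong guess takes the same time whether it matches
    zero bytes or thirty-one."""
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=record["salt"],
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=len(record["hash"]))
    return hmac.compare_digest(digest, record["hash"])


def unsalted_sha256(password: str) -> bytes:
    """The weak scheme salting replaces: one fixed hash per password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_precomputed_table() -> dict:
    """Toy rainbow table: hash -> password for every word in the wordlist,
    computed once and reusable against any unsalted database."""
    return {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def lookup_leaked_hash(table: dict, leaked_hash: bytes) -> Optional[str]:
    """Instant lookup, no hashing at attack time."""
    return table.get(leaked_hash)


def identical_passwords_differ() -> bool:
    """Two accounts that chose the same password get different stored hashes
    because each got its own salt."""
    alice = hash_password("password123")
    bob = hash_password("password123")
    return alice["salt"] != bob["salt"] and alice["hash"] != bob["hash"]


if __name__ == "__main__":
    table = build_precomputed_table()
    # Unsalted database: the precomputed table recovers the password at once.
    print(lookup_leaked_hash(table, unsalted_sha256("password123")))
    # Salted database: the same table matches nothing.
    rec = hash_password("password123")
    print(lookup_leaked_hash(table, rec["hash"]))
    print(verify_password(rec, "password123"), verify_password(rec, "Password123"))
```

Note that the salt is the only random input; everything else needed at login is recomputed from the candidate password and the stored record, which is why the salt can sit in the same row as the hash.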
Common misconceptions
Salts don't need to be secret; they are stored in the clear alongside the hashes, and the scheme is designed to hold up even when attackers read them. They are not encryption keys. Their job is to ensure identical passwords produce different hashes and to make precomputed tables worthless. A proper salt is generated randomly for each password from a cryptographically secure source, not reused across accounts and not derived from something predictable like the username. A salt also does not turn a fast general-purpose hash such as plain SHA-256 into a safe password hash: it blocks precomputation and bulk cracking, but it does nothing to slow down guessing against a single account. That is the job of the cost (work-factor) parameter of a purpose-built password hash.
What you should know
Modern password hashing algorithms like bcrypt, scrypt, and Argon2 include salting as a built-in feature: their standard implementations generate a random salt and store it, together with the cost parameters, inside the hash string they output, so the application never handles the salt separately. When evaluating a service's security practices, ask whether they salt and hash passwords with one of these slow, purpose-built functions rather than a bare general-purpose hash. Any reputable platform should.
