
Salting and Peppering Passwords

How a per user salt and a secret pepper defeat precomputed attacks.


Why Raw Hashes Are Weak

Storing a plain, unsalted hash of a password is unsafe. Attackers precompute giant tables of hashes for common passwords, called rainbow tables, and match a leaked hash instantly. Worse, two users with the same password get the same stored hash, which reveals that they share a password.

Salting

A salt is a unique random value generated per user and stored next to the hash. It is mixed into the password before hashing so that identical passwords produce different stored values. This defeats precomputed tables, because the attacker would need a separate table for every salt.

  • The salt is not secret, but it must be unique and random per user.
  • Store the salt alongside the hash so that login can recompute the hash and compare it.

Peppering

A pepper is an additional secret value mixed in, but unlike the salt it is not stored with the hash. It lives in application configuration or a secrets manager, separate from the database. If only the database leaks, the pepper remains unknown, so the attacker faces a second barrier before any hash can be tested.

Key idea

Give every password a unique stored salt to defeat precomputed tables and add a secret pepper kept outside the database so a database leak alone cannot crack the hashes.
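The salting and peppering described in the two sections above, as an added Python example that is not part of this lesson. It uses only the standard library; the pepper value, the iteration count and the stored record layout are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed example pepper: in production this comes from configuration
# or a secrets manager, never from the database that stores the hashes.
PEPPER = b"example-pepper-do-not-use"
# Constructed for the demo; use a current recommended cost in production.
ITERATIONS = 100_000


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return a record with a fresh per-user salt and the salted, peppered hash."""
    salt = secrets.token_bytes(16)  # unique and random per user, stored next to the hash
    # The pepper is applied as an HMAC key over the password; with the wrong key the
    # derived hash never matches, so a database-only leak is not enough to verify guesses.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Two users with the same password get different records; login still works."""
    password = "correct horse battery staple"
    alice = hash_password(password)
    bob = hash_password(password)
    return {
        "distinct_hashes": alice["hash"] != bob["hash"],   # salt defeats reuse detection
        "login_ok": verify_password(password, alice),
        "wrong_password": verify_password("wrong", alice),
        # A leaked database without the pepper cannot validate even the right password.
        "wrong_pepper": verify_password(password, alice, pepper=b"other-pepper"),
    }


if __name__ == "__main__":
    print(demo())
```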

Check yourself


1. What does a per user salt accomplish?

2. How does a pepper differ from a salt?

3. Does the salt need to be secret?