Hash and Salt

Learn the delicious-sounding secrets that websites use to keep your passwords safe from hackers.

When it comes to storing passwords on websites, the process should resemble a delicious potato dish: hashed, then sprinkled with a little salt and pepper. Anything less makes your password easy to steal!


Ever wondered why websites make you reset your password?

If severs stored passwords in plaintext, and a hacker broke into their system, the thief would be able to snatch a full list of usernames and passwords right out of the database. Many people reuse passwords, so that single hack can result in dozens of compromised accounts.

To minimize the fallout from database leaks, websites don’t keep your plaintext password. They only keep its hash.


A “hashing algorithm” (or hash function) is a sequence of mathematical operations that transform a piece of plaintext into a string of gibberish. The output of a hash function has a fixed length, usually somewhere between 128 and 512 bits. Needless to say that the bitstring doesn’t look anything like its original password. If a hacker steals a hash they won’t be able to reverse-engineer it.

To be an effective algorithm, every tiny change in the original plaintext should produce a big change in the hash. If the hashes of ‘password123’ and ‘password124’ are similar, that’s an important clue the hacker can use to guess your password.

MD5 is an example of an old, broken hash algorithm. SHA-1 was the next contender, and it’s also considered unsafe, followed by the modern SHA-2 and SHA-3.

When you log into your account, the website hashes your password and compares the output to the hash in its database. If they match — bingo! You’re logged in. This means that hash functions need to be reliable, and they must always output the same hash for the same text input.


While it’s impossible to reverse a hash, the algorithm used to generate the hash is accessible to everyone. All a hacker has to do is try every single password combination one at a time (aaaaaa, aaaaab, aaaaac). They feed the guesses through the MD5 or SHA-1 or SHA-2 algorithm and compare the result to the stolen hash until they find a match.

If you’ve ever cracked a 4-digit combination lock by hand, you know that this “brute force” approach is gruelling work. Even a 6-letter password has almost 750 billion possibilities! But a good GPU can do up to 10 billion guesses per second, which exhausts all those possibilities in 75 seconds. If a hacker uses a refined strategy like a “dictionary attack” the process might go even faster.

Another tool that hackers use are databases called “rainbow tables”, which store gigabytes of billions of common passwords next to their pre-computed hashes. If your password happens to be in a rainbow table, it only takes a few milliseconds to crack!


A “salt” is a long, randomly-generated string of characters that is automatically added to the end of your password. So if your original password was ‘bumblebee12’ and your salt is ‘6h7jk!2’, then the website treats your password as ‘bumblee126h7jk!2’ when it hashes it.

The salt is stored inside the web database alongside your other personal info, so if a hacker breaks in, brute forcing your password isn’t longer or more complicated. However, rainbow tables are no longer an option! ‘Bumblebee12’ might be in a rainbow table, but ‘bumblee126h7jk!2’ definitely isn’t.


A pepper is a different type of randomly-generated character sequence that’s added onto your password. Peppers are much shorter than salts — maybe 64 bits instead of 256. There are two ways to use them.

In the first, the pepper isn’t stored at all! The hashing algorithm tries out your password with all possible combinations of peppers, and if one of them matches, you’re in. Now, even an 8-bit pepper has 256 possibilities. That means hashing 256 different passwords, and possibly taking 256 times as long to log in! It only gets worse as peppers get longer.

If it only takes the website a few milliseconds to authenticate, then slowing the process down won’t be noticeable to humans. But it will make lengthy brute force attacks exponentially longer!

In the second pepper method, the pepper is stored in a file separate from the database — like a configuration file — so that it won’t be affected by leaks. The same pepper is used for all passwords on the website. While this method is significantly faster, it’s still possible for the pepper to be stolen, in which case we’re back to square one.


Hashes, salts, and peppers are password culinary techniques for website severs to worry about — not you! But it’s important to understand that even the best security systems have loopholes. As a user, make sure that you use strong passwords and that you don’t reuse passwords. After all, if your password is ‘password123’, no seasoning in the world will save you!

Learn More

Computerphile: How NOT to Store Passwords!


Computerphile: Hashing Algorithms and Security


hashing algorithm


Hash, salts, and peppers




Password salting


hash function


Rainbow tables


Rainbow table attack


Encryption for kids


Break the code games



  • Patricia Foster

    Patricia Foster is a computer science student at Carleton University. In addition to working professionally as a software developer, she spends her time reading and writing.

Also In The October 2019 Issue

Bring out your virtual carving knives — it’s time to give your digital pumpkins some spooky faces!

30+ ideas for STEAM-theme gifts for kids of all ages!

Teach kids basic coding skills by letting them program Botley to zoom around the room, draw shapes, and even avoid obstacles!

How 3D printing could help us get to Mars, and create new tools, homes, spacecrafts — even organs!

No discussion of design is complete without the history of lorem ipsum. It's more than placeholder text you stuff into a visual design.

"Hello World!" is one of the first programs you learn how to code. Here's the phrase in 4 languages with links to 100 more examples.

Learn the delicious-sounding secrets that websites use to keep your passwords safe from hackers.

A simple, quirky theorem with big applications, from picking socks to counting hairs.

Are you ready to create your virtual own solar system? With a little Python code and a little math, the sky’s the limit!

Learn some of the tricks game developers use to simulate an extra dimension.

How scammers can trick you into downloading malware onto your own computer.

There are pros and cons to networking all the “smart” devices in your home. What surprises does the future hold?

Sometimes, even the most dynamic languages need to classify and check data. Now, you can add your own types to any language!

Is it possible to steal software? And how do we know who owns code?

Check out this nifty feature that helps programs distinguish between variables with different scopes.

Create a simple electronic game with CircuitPython and Adafruit, and test your reflexes against friends and family!

Links from the bottom of all the October 2019 articles, collected in one place for you to print, share, or bookmark.

Interested but not ready to subscribe? Sign-up for our free monthly email newsletter with curated site content and a new issue email announcement that we send every two months.

No, thanks!