dark mode light mode Search Menu

Hash and Salt

Jen Arrr on Flickr

When it comes to storing passwords on websites, the process should resemble a delicious potato dish: hashed, then sprinkled with a little salt and pepper. Anything less makes your password easy to steal!


Ever wondered why websites make you reset your password?

If severs stored passwords in plaintext, and a hacker broke into their system, the thief would be able to snatch a full list of usernames and passwords right out of the database. Many people reuse passwords, so that single hack can result in dozens of compromised accounts.

To minimize the fallout from database leaks, websites don’t keep your plaintext password. They only keep its hash.


A “hashing algorithm” (or hash function) is a sequence of mathematical operations that transform a piece of plaintext into a string of gibberish. The output of a hash function has a fixed length, usually somewhere between 128 and 512 bits. Needless to say that the bitstring doesn’t look anything like its original password. If a hacker steals a hash they won’t be able to reverse-engineer it.

To be an effective algorithm, every tiny change in the original plaintext should produce a big change in the hash. If the hashes of ‘password123’ and ‘password124’ are similar, that’s an important clue the hacker can use to guess your password.

MD5 is an example of an old, broken hash algorithm. SHA-1 was the next contender, and it’s also considered unsafe, followed by the modern SHA-2 and SHA-3.

When you log into your account, the website hashes your password and compares the output to the hash in its database. If they match — bingo! You’re logged in. This means that hash functions need to be reliable, and they must always output the same hash for the same text input.


While it’s impossible to reverse a hash, the algorithm used to generate the hash is accessible to everyone. All a hacker has to do is try every single password combination one at a time (aaaaaa, aaaaab, aaaaac). They feed the guesses through the MD5 or SHA-1 or SHA-2 algorithm and compare the result to the stolen hash until they find a match.

If you’ve ever cracked a 4-digit combination lock by hand, you know that this “brute force” approach is gruelling work. Even a 6-letter password has almost 750 billion possibilities! But a good GPU can do up to 10 billion guesses per second, which exhausts all those possibilities in 75 seconds. If a hacker uses a refined strategy like a “dictionary attack” the process might go even faster.

Another tool that hackers use are databases called “rainbow tables”, which store gigabytes of billions of common passwords next to their pre-computed hashes. If your password happens to be in a rainbow table, it only takes a few milliseconds to crack!


A “salt” is a long, randomly-generated string of characters that is automatically added to the end of your password. So if your original password was ‘bumblebee12’ and your salt is ‘6h7jk!2’, then the website treats your password as ‘bumblee126h7jk!2’ when it hashes it.

The salt is stored inside the web database alongside your other personal info, so if a hacker breaks in, brute forcing your password isn’t longer or more complicated. However, rainbow tables are no longer an option! ‘Bumblebee12’ might be in a rainbow table, but ‘bumblee126h7jk!2’ definitely isn’t.


A pepper is a different type of randomly-generated character sequence that’s added onto your password. Peppers are much shorter than salts — maybe 64 bits instead of 256. There are two ways to use them.

In the first, the pepper isn’t stored at all! The hashing algorithm tries out your password with all possible combinations of peppers, and if one of them matches, you’re in. Now, even an 8-bit pepper has 256 possibilities. That means hashing 256 different passwords, and possibly taking 256 times as long to log in! It only gets worse as peppers get longer.

If it only takes the website a few milliseconds to authenticate, then slowing the process down won’t be noticeable to humans. But it will make lengthy brute force attacks exponentially longer!

In the second pepper method, the pepper is stored in a file separate from the database — like a configuration file — so that it won’t be affected by leaks. The same pepper is used for all passwords on the website. While this method is significantly faster, it’s still possible for the pepper to be stolen, in which case we’re back to square one.


Hashes, salts, and peppers are password culinary techniques for website severs to worry about — not you! But it’s important to understand that even the best security systems have loopholes. As a user, make sure that you use strong passwords and that you don’t reuse passwords. After all, if your password is ‘password123’, no seasoning in the world will save you!

Learn More

Computerphile: How NOT to Store Passwords!


Computerphile: Hashing Algorithms and Security


hashing algorithm


Hash, salts, and peppers




Password salting


hash function


Rainbow tables


Rainbow table attack


Encryption for kids


Break the code games