Home/ Questions/Q 6205891
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T05:21:09+00:00

I’ve read on SO (and from other websites found on Google after I tried

  • 0

I’ve read on SO (and from other websites found on Google after I tried to look into it a little bit more) that the correct secure way to store passwords in a database is to store the hashed + salted value of a password. On top of that, the salt should be different for each user so hackers can’t do harm even if they have the encrypted values.

I’m not quite sure what salting means. From my understanding, you hash the password, then you use another value that you hash (the salt) and combine those two together so the algorithm to retrieve the original password is different for every user.

So basically, what I’d have to do is hash a password, then use a different hash on a different value for each user (ie: the user name or email address) and then I can do a simple math operation on those two values to get the encoded password.

Is that correct or did I just not understand anything about password hashing + salting?

A simple explanation or example would prove to be helpful as the sites I’ve found don’t quite explain clearly what salting a password is.

Edit: After reading comments and answers left so far, I understand that I didn’t really understand what a salt was because I’m missing some key concepts and I was making false assumption.

What I’d like to know is: how do you consistently get the same salt if it is randomly-generated? If the salt is stored in the database like some people have mentioned, then I can see how you keep getting the same salt, but that brings another question: How does it make the passwords more secure if anyone with access to the database have access to the salt? Couldn’t they just append the (known) salt to all the passwords they try and the result would be the same (bar some minor time loss) than not having one at all?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Let me try and clarify a little bit with a somewhat oversimplified example. (md5() is used for example purposes only – you should not use it in practice.)

    A salt is just a random string of characters that is appended to the password before it is hashed. Let’s say you have the password letmein, and you hash it like this…

     echo md5('letmein')

    …you’ll get the output 0d107d09f5bbe40cade3de5c71e9e9b7. If you google this, you’ll get a number of pages telling you that this is the MD5 hash for letmein. A salt is intended to help prevent this sort of thing.

    Let’s suppose you have a function, randomStringGenerator() that generates a random $x-character string. To use it to salt a password, you’d do something like this:

     $password = 'letmein';
 $salt = randomStringGenerator(64); //let's pretend this is 747B517C80567D86906CD28443B992209B8EC601A74A2D18E5E80070703C5F49

 $hash = md5($password . $salt);

    You’d be then performing md5(letmein747B517C80567D86906CD28443B992209B8EC601A74A2D18E5E80070703C5F49), which returns af7cbbc1eacf780e70344af1a4b16698, which can’t be “looked up” as easily as letmein without a salt.

    You’d then store BOTH the hash and the salt, and when the user types in their password to log in, you’d repeat the process above and see if the password the user entered with the stored salt appended hashes to the same thing as the stored hash.

    However! Since general hashing algorithms like MD5 and SHA2 are so fast, you shouldn’t use them for storing passwords. Check out phpass for a PHP implementation of bcrypt.

    Hope that helps!

    • 0