what are password salts and how do they work?

Password salts are random strings of data added to a password before it is hashed, ensuring that even if two users choose identical passwords, their resulting hashes will be completely different^[1]. The process begins by generating a unique, unpredictable salt—typically using a cryptographically secure random number generator—and then combining it with the user’s plain-text password (for example, by appending or prepending the salt) before the combined input is fed into a hash function like SHA-256, bcrypt, PBKDF2, or Argon2^[2]. This approach guarantees that even if the same password is used by more than one user, the corresponding salted hashes stored in the database are unique, thereby preventing attackers from leveraging precomputed tables (rainbow tables) or dictionary attacks to reverse-engineer passwords^[3]. After hashing, both the salt and the hashed result are stored—commonly in plain text for the salt—which means that if a database breach occurs, the attacker must individually crack each salted hash rather than reusing a single precomputed table for identical passwords^[4]. It is important to note that while salting greatly enhances the security of stored credentials, it does not prevent online brute-force login attempts; its primary role is to protect against offline attacks against a stolen database of hashes^[8]. In addition, salts need to be created with sufficient length and randomness to ensure maximum security, so that techniques like rainbow table attacks become impractical since each individual salt forces attackers to recompute hashes for every single password separately^[9]. Overall, by ensuring that the same password never produces the same hash, password salting represents a critical defense layer in a multi-faceted security strategy designed to protect user credentials^[10].