What Is Password Salting? Why It Stops Mass Cracking


Password salting is a technique websites use to store passwords safely. A "salt" is a unique, random value added to your password before it's hashed and stored. It's a small step, but it defeats one of the most efficient password-cracking strategies attackers have.

The problem without salt

When a service stores passwords, it doesn't keep them in plain text — it stores a hash, a one-way scrambled version. But there's a weakness: the same password always produces the same hash. That means:

  • If two users pick "password123", their stored hashes are identical.
  • Attackers can hash millions of common passwords once, ahead of time, store the results in a lookup table (or a more compact rainbow table), and match them against a stolen database with no hashing at all at attack time.

So even though the passwords are "hashed," a stolen database of unsalted hashes can be cracked at terrifying speed for any common password.

How salting fixes it

Before hashing, the system generates a unique random salt for each user and combines it with the password. Now:

  • "password123" + salt A produces a totally different hash than "password123" + salt B.
  • Two users with the same password have different stored hashes.
  • Precomputed lookup and rainbow tables become useless, because the attacker would need a separate table for every possible salt. Each user's hash now has to be attacked on its own, with that user's salt, after the breach.

The salt isn't secret — it's usually stored right next to the hash. Its job isn't to be hidden; it's to make every hash unique so attacks can't be done in bulk. What it does need to be is unpredictable and unique: generated by a cryptographically secure random number generator, and long enough (16 bytes is typical) that no two users ever end up with the same one.
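The following is an added example, not code from the original page or from Passlock. It uses a deliberately fast hash (SHA-256) so that only the effect of the salt is visible; the user names, passwords and the short "common password" list are constructed for the demonstration. It builds a lookup table once, cracks an unsalted database with it instantly, shows the same table failing against salted hashes, and then shows what the attacker is reduced to: re-hashing guesses against one user's salt at a time.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the millions of common passwords an attacker would
# really precompute. User names and passwords below are made up for this example.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]


def hash_unsalted(password: str) -> str:
    """The weak scheme: a bare one-way hash. Same password in, same hash out, for everyone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; the table works against any unsalted database."""
    return {hash_unsalted(pw): pw for pw in candidates}


def crack_unsalted(stolen_db, table):
    """One dictionary lookup per user; no hashing happens at attack time."""
    return {user: table.get(h) for user, h in stolen_db.items()}


def hash_salted(password: str, salt: bytes) -> str:
    """Salted scheme: the per-user salt is mixed in before hashing."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_salted(password: str) -> dict:
    """Draw a fresh random salt per user and keep it right next to the hash."""
    salt = secrets.token_bytes(16)  # 128-bit salt from the OS CSPRNG; unique, not secret
    return {"salt": salt.hex(), "hash": hash_salted(password, salt)}


def verify_salted(password: str, record: dict) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = hash_salted(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted_with_table(stolen_db, table):
    """The table was built without any salt, so it never matches a salted hash."""
    return {user: table.get(rec["hash"]) for user, rec in stolen_db.items()}


def attack_one_user(record: dict, candidates):
    """What the attacker is left with: re-hash every candidate with this user's
    salt. It still finds a weak password, but the work has to be repeated from
    scratch for every user and nothing can be precomputed before the breach."""
    salt = bytes.fromhex(record["salt"])
    for pw in candidates:
        if hash_salted(pw, salt) == record["hash"]:
            return pw
    return None


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted database: alice and bob share a hash, and the table cracks both instantly.
    unsalted_db = {
        "alice": hash_unsalted("password123"),
        "bob": hash_unsalted("password123"),
        "carol": hash_unsalted("not-in-any-wordlist-7Fq!"),
    }
    table_hits = crack_unsalted(unsalted_db, table)

    # Salted database: same two passwords, two different hashes, and the table gets nothing.
    salted_db = {
        "alice": store_salted("password123"),
        "bob": store_salted("password123"),
    }
    salted_hits = crack_salted_with_table(salted_db, table)
    return table_hits, salted_hits, salted_db


if __name__ == "__main__":
    hits, salted_hits, db = demo()
    print("unsalted cracked with precomputed table:", hits)
    print("salted cracked with the same table:", salted_hits)
    print("per-user attack on alice:", attack_one_user(db["alice"], COMMON_PASSWORDS))
```

Note that `attack_one_user` still succeeds against "password123": the salt removes the bulk precomputation, not the weakness of the password itself. Making each of those per-user guesses expensive is the job of the slow hashing described further down.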

Salt vs. pepper

You may also hear about a "pepper." A pepper is an additional secret value, kept separately from the database (in application configuration, a secrets manager, or a hardware key store, never in a column beside each hash) and mixed into every password before it is hashed. If the database leaks but the pepper doesn't, an attacker can't even begin guessing against the salted hashes. Salt makes hashes unique; pepper adds a hidden secret on top. The trade-off is that the pepper becomes critical data: if it is lost, every stored hash becomes unverifiable, so it needs its own backup and rotation plan.

Salting + slow hashing = the real defense

Salting alone stops bulk attacks, but it doesn't slow down cracking a single password: a salted SHA-256 hash can still be guessed at billions of candidates per second on commodity GPUs. That's why modern systems combine salting with a deliberately slow key derivation function like PBKDF2, bcrypt, or Argon2, whose cost is tunable and can be raised as hardware gets faster (Argon2 also demands memory, which hurts GPU-based cracking). Together they make cracking both un-batchable (salt) and expensive per guess (work factor) — see how hackers crack passwords for the full picture.
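The example below is added here and is not code from the original page or from Passlock. It covers both the pepper section and this one: a per-user salt, a pepper applied with HMAC before the key derivation (a common design choice, assumed for this example), and PBKDF2-HMAC-SHA256 from the Python standard library as the slow function. The stored record format (`pbkdf2_sha256$iterations$salt_hex$hash_hex`), the pepper value and the sample passwords are all constructed for the demonstration; in production the pepper would be loaded from a secrets store rather than written in the source.

```python
import hashlib
import hmac
import secrets
import time

# Work factor. 600,000 iterations of PBKDF2-HMAC-SHA256 is in line with current
# OWASP guidance; raise it over time as hardware gets faster.
ITERATIONS = 600_000

# The pepper would come from outside the database (environment, secrets manager,
# HSM). This value is constructed for the example and must not be used as-is.
PEPPER = b"constructed-example-pepper-do-not-ship"


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the pepper to the password with HMAC before the slow KDF runs.
    HMAC, rather than plain concatenation, keeps the pepper from interacting
    with the password's length or content in surprising ways."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, iterations: int = ITERATIONS, pepper: bytes = PEPPER) -> str:
    """Salt (unique, stored) + pepper (secret, not stored) + slow KDF.
    Returns a self-describing record: algorithm$iterations$salt_hex$hash_hex
    (a format chosen for this example, not a standard)."""
    salt = secrets.token_bytes(16)  # fresh 128-bit salt per record
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, pepper), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(stored: str, target_iterations: int = ITERATIONS) -> bool:
    """Records carry their own cost, so old ones can be upgraded at the next
    successful login instead of forcing a password reset."""
    return int(stored.split("$")[1]) < target_iterations


def seconds_per_guess(stored: str, pepper: bytes = PEPPER, samples: int = 3) -> float:
    """Rough single-core cost of one guess against this record for an attacker who
    already holds the salt and the pepper: the 'expensive per guess' half of the defense."""
    start = time.perf_counter()
    for i in range(samples):
        verify_password(f"guess-{i}", stored, pepper)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("correct horse battery stapler", record))
    print("right password, wrong pepper:",
          verify_password("correct horse battery staple", record, pepper=b"other"))
    print(f"~{seconds_per_guess(record):.3f} s per guess on this machine")
    legacy = hash_password("old-account", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

Two points worth checking in your own code: the comparison uses `hmac.compare_digest` so a wrong guess takes the same time whether it differs in the first byte or the last, and the record stores its own iteration count, which is what lets `needs_rehash` raise the work factor for existing users without a reset.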

What this means for you

You don't control how a website salts and hashes its passwords — but you do control how hard your password is to guess in the first place. Salting stops an attacker from cracking a whole database in one pass, but it does nothing to make an individual weak password harder to guess; a strong, unique password is what protects *you* when a salted database is attacked one user at a time. And using a unique password per site means one cracked hash never unlocks your other accounts.

Where Passlock fits

Passlock makes the "unique password per site" rule effortless by storing your credentials in the native macOS Keychain and generating strong, random passwords on demand. Salting and hashing happen on the websites' side; your job is to never reuse a password, so that even a worst-case breach is contained to a single account. Passlock is built to make that the easy default.

Frequently asked questions

What is password salting?

Salting adds a unique random value to each password before it's hashed and stored, so identical passwords produce different hashes. This defeats precomputed rainbow-table attacks against stolen databases.

Is the salt kept secret?

No. The salt is usually stored alongside the hash and isn't secret. Its purpose is to make every hash unique so attackers can't crack many passwords at once, not to be hidden.

What's the difference between salt and pepper?

A salt is unique per user and stored with the hash to prevent bulk attacks. A pepper is an additional secret value kept separately from the database, adding protection if the database leaks but the pepper doesn't.
