Understanding Salt & Hashing: How Websites Store Your Passwords

When you sign up for a website, they (hopefully) don't save your password. They save a 'Hash.' Learn the difference between Encryption, Hashing, and Salting—and why it matters.

DynamicPassGen Security Team
Updated Nov 14, 2025
9 min read
Advanced

Introduction

Have you ever used a "Forgot Password" feature, and the website emailed you your old password in plain text?

Run. Delete your account immediately.

That website is committing a cardinal sin of security: storing passwords in Plain Text. Competent websites never store your password. They store a mathematical fingerprint of your password called a Hash.


In this guide, we are looking under the hood of the database to explain how Hashing, Salting, and Peppering protect your data even when a server gets hacked.

Encryption vs. Hashing: The One-Way Street

People confuse these terms constantly.

  • Encryption is Two-Way. It is like a safe. You can lock it (encrypt) and unlock it (decrypt) if you have the key.
  • Hashing is One-Way. It is like a blender. Once you blend a smoothie, you cannot un-blend it back into a strawberry.

Websites use Hashing. When you type your password to log in, they blend your input (Password123) and compare the resulting smoothie to the smoothie they have on file. If the two match, you get in.

What is a Hash Function?

A hash function is a math algorithm (like SHA-256) that turns any input into a fixed-length string of characters.

  • Input: Cat -> Hash: 77af...
  • Input: Dog -> Hash: 0f1a...

💡 The Avalanche Effect

If you change just one letter of the input, the Hash changes completely:

  • Input: Cat -> Hash: 77af...
  • Input: Catz -> Hash: b94d... (totally different)

The Problem: Rainbow Tables

In the early days, hackers realized that Password123 always hashes to the same string: e7b....

So they pre-calculated the hashes for every word in the dictionary and stored them in a massive database called a Rainbow Table.

If they hacked a database and saw e7b..., they didn't need to crack it. They just looked it up in their table and instantly knew it meant Password123.

The Solution: Add some Salt


To defeat Rainbow Tables, developers invented Salt.

A Salt is a random string of characters added to your password before it is hashed.

  • User A password: password + Salt: Xy9 -> Hash: a84f...
  • User B password: password + Salt: Lm2 -> Hash: c91b...

Now, even though User A and User B have the same password, their hashes look completely different in the database. The hacker's Rainbow Table is useless because it doesn't contain hashes for passwordXy9.

🔑 Key Takeaway

Salting ensures that every user's hash is unique, even if they share the same password. It forces the hacker to crack every single password individually, which is too slow to be profitable.

Pepper: The Secret Ingredient

Some high-security systems go a step further and add Pepper.

  • Salt is stored in the database next to the password.
  • Pepper is stored somewhere else (like in the application code or a secure hardware module).

If a hacker steals the database (for example through SQL Injection), they get the Hashes and the Salts. But they don't get the Pepper. Without the Pepper, they can't crack a single password, even if they have infinite time.
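The salt and pepper sections above can be shown end to end in code. This is an added example written for this article, not code from DynamicPassGen; it uses only the Python standard library (PBKDF2-HMAC-SHA256 as the slow hash, an HMAC for the pepper), the pepper value and the three-word list are constructed for the demo, and the "rainbow table" is just a dictionary of unsalted SHA-256 digests so you can watch the lookup succeed on a naive store and fail on a salted, peppered record.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Hypothetical pepper: in a real deployment this lives outside the database
# (app config, KMS or HSM), never in the same table as the salts.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"
ITERATIONS = 200_000  # PBKDF2 work factor; tune so one hash costs tens of ms

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex'. The salt is random per user and stored
    beside the hash; the pepper is mixed in via HMAC and is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every user
    # Pepper first: the stored value now depends on a secret the DB lacks.
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def same_password_different_records(password: str) -> bool:
    """User A and User B pick the same password: both verify, records differ."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)

def build_rainbow_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precomputed lookup of plain, unsalted SHA-256 for each guess."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}

def unsalted_sha256(password: str) -> str:
    """What a naive site stores (the 'e7b...' style hash from the article)."""
    return hashlib.sha256(password.encode()).hexdigest()

def rainbow_lookup(table: Dict[str, str], stored: str) -> Optional[str]:
    """Instant hit for an unsalted hash; None for a salted, peppered record."""
    return table.get(stored.split("$")[-1])

if __name__ == "__main__":
    table = build_rainbow_table(["password", "Password123", "letmein"])
    print(rainbow_lookup(table, unsalted_sha256("Password123")))  # Password123
    print(rainbow_lookup(table, hash_password("Password123")))    # None
    print(same_password_different_records("password"))           # True
```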

Why This Matters to You

Understanding this explains why password reuse is so dangerous.

If you use the same password on Site A (Good Security, Salted & Hashed) and Site B (Bad Security, Plain Text):

  1. Hacker breaches Site B. They get your plain text password.
  2. They try that password on Site A.
  3. They get in.

The math of Hashing protects you from a breach at Site A. But nothing protects you from a breach at Site B except having a unique password.

Conclusion

Modern cryptography is amazing. Algorithms like Argon2 and Bcrypt are designed to be deliberately slow, making them incredibly resistant to GPU brute-force attacks.

But math can only protect a secret if it stays secret. The moment you type your password into a phishing site or reuse it on a sloppy forum, all the hashing in the world can't save you.


DynamicPassGen Security Team

Security Research & Education

Our security team stays current with the latest password standards, authentication methods, and cybersecurity best practices to provide accurate, actionable guidance for users and organizations. We analyze emerging threats, study real-world breaches, and translate complex security concepts into practical advice you can implement immediately.