Salts make it difficult for hackers to crack passwords. A password salt is clearly a random string that is appended to the password before it’s encrypted. The random string could be anything, say, the “username” or the target “sessionid”, or any other random value. Salts are always unique and constant per user, which means that even if two users have the same password, the encrypted passwords (hashes) would be unique.
For instance, if a user has a password “abcd”, the hash would be generated with the formula of MD5 (“random-salt”+“abcd”). If another user has the same password “abcd”, both salts would be different and the password hashes would look different, thereby making it harder for hackers to use brute force and dictionary-based attacks.
Most of the times the salt values are saved in the same database table; a disadvantage of this method is that if an attacker obtains access to the database, he would easily dump the password salts and could use them to generate the password because the salt value for every other user is known. Though this process is more complex and time-consuming, it’s worth the effort.
