📖 What is Salt (Cryptography)?
A salt is a random value (typically 16 bytes or more, generated from a cryptographically secure source) that is created per password and combined with the password before it is hashed. Because every user gets a different salt, identical passwords produce different hashes, and an attacker's pre-computed hash tables (rainbow tables) become useless: a table would have to be rebuilt for each individual salt, which costs as much as guessing each password directly.
"Do not confuse salting with peppering; salts are typically stored in the database alongside the hash, while peppers are stored in a separate secure location."
📚 Certification: CompTIA Security+ Certification Exam (SY0-701)
🔑 What are the Key Concepts of Salt (Cryptography)?
- ▸ Prevents rainbow table attacks by ensuring that pre-computed hash tables cannot be used to quickly reverse password hashes into plain text.
- ▸ Requires a unique salt for every user to ensure that identical passwords result in different hash values within the database.
- ▸ Stored in plain text within the database alongside the resulting hash, as the salt is required to verify the password during login.
- ▸ Forces attackers to hash every candidate password separately for each user's salt, so the work needed to crack a stolen database grows with the number of users instead of being shared across all of them.
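The four points above, worked through in code. This is an added example and not code from the original page: it uses constructed sample users (two of whom chose the same password), a constructed four-entry dictionary standing in for a rainbow table, and Python's standard `hashlib.pbkdf2_hmac` as the salted hash. The assumed record layout (salt, iteration count and hash stored side by side) is one common convention, not a requirement.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for this example: two users who chose the same password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!"}

# A constructed stand-in for a rainbow table: an attacker's precomputed map of
# SHA-256 digest -> plaintext for common passwords. Real tables hold billions
# of entries; the principle is identical.
RAINBOW_TABLE = {
    hashlib.sha256(pw.encode()).hexdigest(): pw
    for pw in ["password", "123456", "Summer2024!", "letmein"]
}

# PBKDF2 work factor. This is key stretching, a separate knob from the salt;
# the value here is a demo setting, production guidance is considerably higher.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Weak scheme: a bare SHA-256 of the password with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Hash with a per-user 16-byte random salt using PBKDF2-HMAC-SHA256.

    The salt is stored in the clear next to the hash; it only needs to be
    unique per user, not secret. The iteration count is stored too, so it can
    be raised later without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)  # unique per user, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute using the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def rainbow_lookup(hex_digest: str) -> Optional[str]:
    """Attacker's instant reversal attempt against the precomputed table."""
    return RAINBOW_TABLE.get(hex_digest)


def demo() -> dict:
    """Run both schemes against the sample users and return the observations."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return {
        # Same password, no salt: identical digests, both reversed instantly.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_cracked": [rainbow_lookup(h) for h in unsalted.values()],
        # Same password, unique salts: different digests, table finds nothing.
        "salted_identical": salted["alice"]["hash"] == salted["bob"]["hash"],
        "salted_cracked": [rainbow_lookup(r["hash"]) for r in salted.values()],
        # Login still works because the salt is stored alongside the hash.
        "alice_login_ok": verify("Summer2024!", salted["alice"]),
        "alice_wrong_pw": verify("Summer2025!", salted["alice"]),
        "records": salted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the unsalted digests for alice and bob come back identical and are both reversed by the table, while the salted records differ from each other, miss the table entirely, and still verify correctly at login. Note that PBKDF2 with a single iteration would still defeat the rainbow table; the iteration count only affects how long each guess takes, which is the key-stretching property rather than the salting property.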
🎯 How does Salt (Cryptography) appear on the SY0-701 Exam?
You may be asked to identify the best method to protect a database of hashed passwords from rainbow table attacks when identical passwords are producing identical hashes.
A scenario might describe a security audit where salts are stored in the database but a secret key is stored in a hardware security module, asking you to distinguish between salting and peppering.
❓ Frequently Asked Questions
If salts are stored in plain text in the database, doesn't that make them useless to an attacker?
No, because the salt's purpose is not to be a secret, but to ensure uniqueness. It prevents the use of global pre-computed tables, forcing the attacker to compute hashes for each specific salt.
How does salting differ from key stretching techniques like bcrypt?
Salting adds uniqueness so that pre-computed tables cannot be reused across users; it does not slow down a single hash computation. Key stretching deliberately makes each hash computation slow, through many iterations or a tunable cost factor, so that every guess in a brute-force or dictionary attack is expensive. Modern password hashing functions such as bcrypt, PBKDF2, scrypt and Argon2 do both: they take a per-password salt and apply a configurable work factor.