📖 What is Salting?

Salting is the process of adding a unique, random string of characters to a password before it is hashed. This ensures that two users with the same password have different hashes, preventing attackers from using precomputed rainbow tables.

🥋 Sensei Says:

"Remember that the salt is stored in plaintext alongside the hash; its purpose is to defeat precomputation, not to keep the salt secret."

📚 Certification: CompTIA Security+ Certification Exam (SY0-701)

🔑 What are the Key Concepts of Salting?

  • Prevents rainbow table attacks by ensuring that precomputed hash lists cannot be used to quickly reverse passwords across a large user database.
  • Requires a unique salt for every user, ensuring that two individuals with the same password will have completely different stored hash values.
  • The salt is stored in plaintext within the database alongside the hash, allowing the system to retrieve it during the authentication process.
  • Operates by concatenating a random string to the plaintext password before the hashing algorithm is applied, creating a unique input for the function.
  • Focuses on defeating precomputation attacks rather than preventing brute-force attempts, although it forces attackers to target users individually rather than in bulk.

🎯 How does Salting appear on the SY0-701 Exam?

A scenario might describe a security audit where a database of password hashes is found to be vulnerable to rainbow table attacks; you must identify salting as the primary mitigation.

You may be asked to analyze a password storage mechanism and determine why two users with the identical password 'Password123' have completely different hashes in the database, requiring you to identify the use of salting.

Expect questions where you must differentiate between salting and peppering, specifically focusing on whether the random value is stored in the database alongside the hash or in a separate secure location like an HSM.

❓ Frequently Asked Questions

Does salting protect against brute-force attacks?

No, salting primarily defeats precomputation attacks like rainbow tables. An attacker can still brute-force a specific salted password by hashing guesses with the known salt, but they must do this individually for every single user.

Why is the salt stored in plaintext if it is a security measure?

The salt is not a secret key; it is a uniqueness modifier. The system must be able to retrieve the salt to hash the user's login attempt and compare it to the stored hash.
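The key concepts and the two FAQ answers above, put into working code as an added example (this is not code from the original study guide). It assumes PBKDF2-HMAC-SHA256 as the hashing function and an iteration count chosen here as the work factor; the page itself only says "hashing algorithm".

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256 (not specified by the page).
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain hash: identical passwords give identical hashes, so one
    precomputed (rainbow) table covers every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> dict:
    """Create a stored record for a new user: a fresh random salt is
    concatenated (here: fed as PBKDF2 salt) with the password, and the
    salt is kept in plaintext right beside the hash."""
    salt = os.urandom(16)  # unique per user, not secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Login check: retrieve the plaintext salt from the record, re-hash the
    attempt with it, and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: two users choose the same password.
    alice = hash_password("Password123")
    bob = hash_password("Password123")
    print("unsalted equal:", unsalted_hash("Password123") == unsalted_hash("Password123"))
    print("salted equal:  ", alice["hash"] == bob["hash"])  # False: different salts
    print("alice login ok:", verify_password(alice, "Password123"))
    print("alice wrong pw:", verify_password(alice, "password123"))
```

Running it shows the exam scenario directly: the unsalted digests of 'Password123' match, the two salted records do not, and verification still succeeds because the salt is readable from the record.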
