How Hashes work for the encryption of passwords and what a “salt” for the hash is?


2 Answers

Anonymous 0 Comments

A hashing algorithm is a program that turns any input into a number. So let’s say we have a hashing algorithm that everyone uses for saving passwords. And this hash says that the number for the password “hunter2” is 45.

Now to save a user’s password we can save 45 instead of hunter2. That way if someone steals our database, they don’t know anybody’s password.

Except what if we are using a hashing algorithm that is really popular? Well, what someone can do is generate a big list of hash values for common passwords, so when they see that the password hash we saved is 45, they can deduce that the password was “hunter2” and then they can use that password to try other sites, like banking websites, for example.

One way we can protect against this kind of attack is by salting the passwords before we apply the hashing algorithm. For example, we could add “eatsglue” to the end of each password before hashing, so when the user says their password is “hunter2”, we add “eatsglue” and hash the whole thing, “hunter2eatsglue”. Then we save that value instead, and maybe it’s 522, instead of 45. So if someone steals our database of hashed passwords, now it’s harder to know what a user’s password really was, and if you want to generate a table of hashed passwords to try to figure it out, you need to know what the salt value is.
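The following is an added example, not part of the original answer. It compares three ways of storing "hunter2": unsalted, with the answer's single appended salt "eatsglue", and (going one step beyond the answer) with a random salt per user and a deliberately slow hash. SHA-256 stands in for the unnamed hashing algorithm; the word list, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

COMMON = ["123456", "password", "hunter2", "letmein"]  # constructed sample list
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune to your hardware)

def plain_hash(password: str, fixed_salt: str = "") -> str:
    """Fast hash with an optional site-wide salt appended, as in the answer."""
    return hashlib.sha256((password + fixed_salt).encode()).hexdigest()

def precomputed_table(fixed_salt: str = "") -> dict:
    """Hash -> password table for the common list; built once, reusable on any leak."""
    return {plain_hash(p, fixed_salt): p for p in COMMON}

def store(password: str) -> tuple:
    """Random per-user salt plus a slow KDF; both values are saved in the user row."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def audit() -> dict:
    """Two users both choose 'hunter2'; report what each scheme reveals."""
    generic = precomputed_table()                # table built without any salt
    unsalted = plain_hash("hunter2")
    site_a = plain_hash("hunter2", "eatsglue")   # user A, shared salt
    site_b = plain_hash("hunter2", "eatsglue")   # user B, same shared salt
    (salt_a, rec_a), (salt_b, rec_b) = store("hunter2"), store("hunter2")
    return {
        "unsalted_in_generic_table": unsalted in generic,
        "site_salted_in_generic_table": site_a in generic,
        "site_salted_users_collide": site_a == site_b,
        "per_user_records_collide": rec_a == rec_b,
        "correct_password_verifies": verify("hunter2", salt_a, rec_a),
        "wrong_password_verifies": verify("hunter3", salt_a, rec_a),
    }

if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

The shared salt keeps the stored value out of a generic table, but two users with the same password still get the same stored value; the per-user salt removes that link as well.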
