Salt
A salt is a unique value added to each password-hashing or key-derivation operation to make equal inputs produce different outputs.
Definition
A salt is a value added to a password or other input before password hashing or key derivation. Its main job is to make the derived output unique even when two users choose the same password.
A salt usually does not need to be secret. It is stored with the hash or encoded output so the verifier can repeat the same calculation later.
How it works
For every password, the system generates a fresh random salt and feeds both the password and salt into a password-hashing function such as Argon2id, bcrypt, or PBKDF2. During verification, the stored salt is reused with the candidate password.
Unique salts prevent identical passwords from producing identical stored hashes and make precomputed lookup tables much less useful. They do not make weak passwords strong; the password-hashing function still needs an appropriate cost setting.
Salt, key, pepper, and nonce
A salt is public uniqueness, not a secret authentication key. A pepper is a separate secret value kept outside the password database, and a nonce is a number used once in a specific protocol or encryption operation.
For new systems, generate salts with a cryptographically secure random source and let the password-hashing library store them in its standard encoded format when possible.
No. A salt should be unique and preferably random, but it can be stored next to the hash.
They should not. Random salts make accidental reuse unlikely and prevent equal passwords from being visible as equal hashes.
No. Use a password-hashing function with suitable cost parameters, secure random salts, rate limiting, and monitoring.