What are the four steps of the salting procedure when a user creates an account?
Generate salt → append to password → hash the combination → store both salt and hash (NOT the password).
* Registration stores salt+hash; login recomputes hash(submitted+salt) and compares. *

* A per-user salt is mixed in before hashing. — KryptoKek, CC BY-SA 4.0, via Wikimedia Commons. *
The four steps:
-
Generate salt — Random unique value, ideally per-user. Use a CSPRNG (cryptographically secure RNG), not
Math.random(). -
Append salt to password — Combine before hashing:
combined = password + salt(or salt + password — order doesn't matter as long as it's consistent) -
Hash the combination — Run through your hash function:
stored_hash = hash(password + salt) -
Store salt and hash — Both go to the database. The plaintext password is discarded. The salt is NOT secret.
Database row example:
user_id | username | salt | hash