In AP Cybersecurity, a salt is a random value added to data (usually a password) before it's run through a hash function, so two identical inputs produce two different hashes and attackers can't use precomputed tables to crack them.
A salt is a chunk of random data you tack onto something before hashing it. Most often that something is a password. You take the password, glue on a unique random salt, then feed the whole thing into a cryptographic hash function. The result is a hash that's tied to both the password AND that specific salt.
Why bother? Without a salt, the password "password123" always hashes to the exact same value. So an attacker can build (or download) a giant lookup table of common passwords and their hashes, then match stolen hashes in seconds. A salt breaks that. Because every user gets a different random salt, two people with the identical password end up with completely different stored hashes. The attacker's precomputed table is now useless, since it never accounted for your random salt.
Salting lives in Unit 5: Securing Applications and Data, specifically topic 5.3 Protecting Stored Data with Cryptography. The learning objective there, AP Cybersecurity 5.3.A, is about using cryptography to protect files and stored information, and salting is how you protect stored passwords in particular. The CED ties cryptography's purpose to hiding information (EK 5.3.A.1), and salting strengthens that protection for data at rest. It pairs naturally with hashing concepts because a salt is meaningless on its own; it only matters once it's combined with a hash function. Understanding salt shows you grasp not just what hashing does, but why raw hashing alone isn't enough to keep stored credentials safe.
Keep studying AP Cybersecurity Unit 5
Visual cheatsheet
view galleryCryptographic hash function (Unit 5)
A salt only does its job when it's fed into a hash function alongside the password. The hash function turns the salted input into a fixed-length value, and the salt guarantees that value is unique even for repeated passwords.
SHA-256 (Unit 5)
SHA-256 is a real hash algorithm you'd salt with. Hash 'password' + a random salt through SHA-256 and you get a one-way fingerprint that's safe to store, since you can't reverse it and can't match it against a generic table.
MD5 and SHA-1 (Unit 5)
These older hash functions are weak partly because attackers built huge precomputed tables for them. Salting helps even with stronger functions, which is exactly why salt and hash strength are two separate parts of the same defense.
Cryptography (Unit 5)
Salting sits under the broader goal of cryptography, which is hiding information (EK 5.3.A.1). Encryption hides data so you can recover it later; salted hashing hides passwords so you never have to recover them at all, just compare hashes.
Salt shows up in Unit 5 multiple-choice questions about protecting stored data. A typical stem describes a database of password hashes getting stolen and asks why salting makes the attacker's job harder, or asks what salting prevents (the answer is precomputed/lookup-table attacks and identical hashes for identical passwords). You should be able to explain, in plain terms, that a salt is random data added before hashing and that its main payoff is making each stored hash unique. No released College Board FRQ has used the word 'salt' verbatim, but the underlying idea supports the kind of 'how would you protect this stored data' reasoning that 5.3 expects. Be ready to contrast salting with encryption, since the exam likes testing whether you know hashing is one-way and encryption is reversible.
Encryption is reversible: you encrypt plaintext into ciphertext and can decrypt it back with a key. Salting plus hashing is one-way, meaning you can't recover the original password, you can only check whether a new input produces the same hash. A salt isn't a key and it isn't secret; it's just random data stored alongside the hash to make that hash unique.
A salt is random data added to a password before it goes through a hash function.
The point of a salt is to make identical passwords produce different hashes, which defeats precomputed lookup tables.
A salt is not secret and not a key; it's stored right next to the hash and that's fine.
Salting is a one-way protection used for stored passwords, unlike encryption, which is reversible.
Salt belongs to topic 5.3 in Unit 5 and supports objective AP Cybersecurity 5.3.A on protecting stored data.
A salt is random data added to a password before it's hashed, so that two people with the same password still end up with different stored hashes. This is part of topic 5.3 on protecting stored data.
No. Unlike an encryption key, a salt isn't secret and is usually stored right alongside the hash. Its job is to be unique and random per user, not hidden, which is enough to break precomputed attack tables.
Encryption is reversible, so you can decrypt ciphertext back to plaintext with a key. Salting plus hashing is one-way, meaning you can never get the original password back, you can only re-hash an input and compare. A salt also isn't a key.
Without a salt, 'password123' always hashes to the same value, so attackers match stolen hashes against a precomputed table instantly. A unique random salt per user makes every hash different, so that table no longer works.
You add the salt to the password first, then run the salted password through the hash function. The salt goes in before hashing, not after.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.