Salt Length Recommendation Calculator

A salt is random data added to a password before hashing so that identical passwords produce different hashes and precomputed attack tables become useless. NIST SP 800-132 recommends a salt of at least 128 bits. This calculator converts any salt length in bits to the equivalent number of bytes, hexadecimal characters, and base64 characters, and uses the birthday bound to show roughly how many random salts you could generate before expecting a collision. The recommended minimum is a sourced, user-editable default, so you can model any length your standard requires.

Salt length formula

bytes = ceil( bits / 8 )
hex characters = bytes * 2
base64 characters = ceil( bytes / 3 ) * 4
salts before expected collision = 2 ^ ( bits / 2 )

Each byte holds 8 bits and prints as 2 hexadecimal characters. Base64 encodes every 3 bytes as 4 characters, padding to a multiple of 4. The birthday bound says you should expect a collision after generating about the square root of the salt space, which is 2 to the power of half the bit length.

Worked example

For a 128-bit salt: bytes = 128 / 8 = 16. Hex characters = 16 * 2 = 32. Base64 characters = ceil(16 / 3) * 4 = 6 * 4 = 24. Since 128 is at least the recommended 128-bit minimum, it meets the standard. Salts before an expected collision = 2 to the 64th, about 1.84e19, so collisions are not a practical concern.
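The formulas above, checked against real encodings of a freshly generated salt. This is an added example, not the calculator's own code, and its function names are assumptions. It goes one step beyond the page by also estimating the collision probability for a given number of salts with the standard birthday approximation.

```python
import base64
import math
import secrets

NIST_MIN_BITS = 128  # SP 800-132 minimum cited on this page


def salt_lengths(bits, min_bits=NIST_MIN_BITS):
    """Apply the page's formulas to a salt length given in bits."""
    if bits <= 0:
        raise ValueError("salt length must be a positive number of bits")
    n_bytes = math.ceil(bits / 8)
    return {
        "bytes": n_bytes,
        "hex_chars": n_bytes * 2,
        "base64_chars": math.ceil(n_bytes / 3) * 4,
        "meets_minimum": bits >= min_bits,
        "salts_before_collision": 2 ** (bits / 2),
    }


def collision_probability(bits, salts):
    """Birthday approximation: p = 1 - exp(-n(n-1) / 2^(bits+1))."""
    exponent = -salts * (salts - 1) / 2 ** (bits + 1)
    return -math.expm1(exponent)  # expm1 keeps precision for tiny p


def new_salt(bits=NIST_MIN_BITS):
    """Draw a salt from the OS CSPRNG, rounded up to whole bytes."""
    return secrets.token_bytes(math.ceil(bits / 8))


def check_encodings(bits):
    """Confirm a real salt's encoded lengths match the formulas."""
    salt, expected = new_salt(bits), salt_lengths(bits)
    return (len(salt) == expected["bytes"]
            and len(salt.hex()) == expected["hex_chars"]
            and len(base64.b64encode(salt)) == expected["base64_chars"])


if __name__ == "__main__":
    for bits in (64, 128, 256):
        print(bits, salt_lengths(bits), check_encodings(bits))
    # One billion salts (constructed figure) at 64 vs 128 bits
    print(collision_probability(64, 10**9), collision_probability(128, 10**9))
```

At one billion salts the 64-bit case already has a collision probability of a few percent, while the 128-bit case stays negligible.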

Salt length: frequently asked questions

How long should a password salt be?

NIST SP 800-132 recommends a salt at least 128 bits (16 bytes) long, generated by an approved random bit generator. A longer salt does not weaken security, so 128 bits is a safe minimum and 256 bits is common. The salt should be unique per password and stored alongside the hash.

How many hex or base64 characters is a 128-bit salt?

Each byte is 8 bits. A 128-bit salt is 16 bytes. In hexadecimal that is 32 characters (2 hex characters per byte). In standard base64 it is 24 characters including padding (4 base64 characters encode every 3 bytes). This calculator shows all three lengths.

What is the collision probability for a salt length?

Salts are random, so two users could in principle receive the same salt. By the birthday bound, you can expect a collision after roughly the square root of the salt space, which is 2 to the power of half the bit length. For a 128-bit salt that is about 2 to the 64th, or 18 quintillion salts, so collisions are effectively impossible at any realistic scale.

Does a salt need to be secret?

No. A salt does not need to be secret; it is stored in the clear next to the hash. Its purpose is to make precomputed rainbow tables useless and to ensure two users with the same password get different hashes. Its security value comes from being unique and random, not hidden.

Official sources

Reviewed by the CalculatorHub team, edited by James Graham, 19 June 2026. See our methodology.