adding salt into password before storing it into database

Question

By using salt, I understand that password would be added with an random generated salt before storing into database. However, I dont quite sure whether the salt is unique for each passwords or all password is only mixed the same "random generated" salt

For example，　 Under my application, there are two users and there two passwords: user1password1 and user2password2 Their passwords would be mixed with salt for sure. But, before storing into db, the results are user1password1 + salt , user2password2 + salt or user1password1 + salt1 , user2password2 + salt2

Answer 1

Ideally your salt should be unique per user or per password.

Now, as you said before storing the password in a DB, you should hash them with a password-based KDF such as Argon2. (Not with a hash function.)

Using a single salt

There is one main problem if you use the same salt for all of your password: it lowers the cost of an attack against your database because an adversary, Eve, can take a dictionary of "common password" let us call it "rockyou.txt", and it is enough for her to try and hash all of the passwords contained in rockyou.txt once using that salt to try and break some of your users' password.

Basically this means the work-factor to find the pre-images of multiple hashes in your database is low.

Using different, randomized salts

Whereas using a different salt for each user (or each entry in the password database even) means that Eve has to re-do the computations where she tries to hash all the words in the rockyou.txt dictionary to try and find the pre-image of a single hash in your database.

So here, the work-factor is large, since it has to be re-computed for each single password hash.

So if you can store one large (128 bits ideally or more, but 64 bits would be okay-ish is storage is a concern) random salt per password, please do it and make sure you are never storing plaintext password, but only their hashes.