Salt

I wrote an article about this a few years ago, but since I don't have a backup of my old articles I might as well write a new version with new information. To get started: what is salting passwords? Wikipedia has a detailed explanation, but in short it means adding a prefix or suffix to your users' passwords, making them more complex without forcing the users themselves to pick more complex passwords.

Example

User A has the password "hello". This is a very simple password; a cracker, hacker or bot would crack it in a heartbeat. Why? Because it is only 5 characters long and it is a common word.

password: hello
md5: 5d41402abc4b2a76b9719d911017c592
cracktime: 0.023 seconds

As a developer you have the amazing power to make this more complex by adding a prefix or suffix to the password:

<?php
$aUser = [];
$password = 'hello';
$salt = 'EgO8LQhvFBNN';

// concatenate salt and password and create an md5 hash of the result
$aUser['password'] = md5($salt . $password);

# new user password: EgO8LQhvFBNNhello
# new password hash: af82d9692551c4d21d522e9cc81e8dee
?>

This makes the password hash more complex and it will take a lot more time to crack. But with the hardware getting faster and faster we need to take extra precautions by hashing the salt and password individually first:

<?php
$aUser = [];
$password = 'hello';
$salt = 'EgO8LQhvFBNN';

// hash salt and password separately, concatenate the two hashes and hash again
$aUser['password'] = md5(md5($salt) . md5($password));
?>

You can choose to have one general salt for every user on your website, but you could also give every user a different salt. You could even change a user's salt every time they log in. This results in a password hash that changes after every login, making it much harder for crackers to use dictionary attacks.

I can hear you thinking: what if the cracker gets his hands on the salts? Then all these precautions would be for nothing. Wrong. Hashing a password is a mathematical calculation, which takes time. The more times you hash a password or salt, the longer it takes to crack. If you use a unique salt per user, a cracker has to recalculate the salted hash for every single user, instead of calculating it once and comparing the result against all the other users.
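The two ideas above, a different salt for every user and hashing more than once, can be put together in one piece of PHP. The following is an added example and not code from the original post: it generates a random salt per user with random_bytes(), derives the stored hash with hash_pbkdf2() (sha256 and a fixed iteration count are used here instead of the post's md()), and verifies a login with hash_equals() so the comparison runs in constant time. The $aUsers array layout and the iteration count are assumptions for the example.

```php
<?php
// Added example, not the original post's code: per-user random salt plus
// iterated hashing, with constant-time verification. Uses sha256 via
// hash_pbkdf2() instead of the post's md5(); the record layout is assumed.

const HASH_ALGO  = 'sha256';
const ITERATIONS = 100000;   // assumed work factor; raise it as hardware gets faster
const HASH_HEX_LENGTH = 64;  // 32-byte derived key, hex encoded

// Create a fresh salt for this user and derive the stored hash from it.
function createPasswordRecord(string $password): array
{
    // 16 random bytes from the CSPRNG, hex-encoded so it stores as plain text
    $salt = bin2hex(random_bytes(16));
    $hash = hash_pbkdf2(HASH_ALGO, $password, $salt, ITERATIONS, HASH_HEX_LENGTH);
    return ['salt' => $salt, 'hash' => $hash, 'iterations' => ITERATIONS];
}

// Recompute the hash with this user's own salt and iteration count, then
// compare in constant time so a mismatch does not leak through timing.
function verifyPassword(string $password, array $record): bool
{
    $candidate = hash_pbkdf2(HASH_ALGO, $password, $record['salt'], $record['iterations'], HASH_HEX_LENGTH);
    return hash_equals($record['hash'], $candidate);
}

// Constructed sample users; both happen to have chosen the weak password "hello".
$aUsers = [
    'userA' => createPasswordRecord('hello'),
    'userB' => createPasswordRecord('hello'),
];

// Different salts give different stored hashes for the same password, so one
// precomputed table cannot be reused across users.
var_dump($aUsers['userA']['hash'] !== $aUsers['userB']['hash']);

// A login check only succeeds for the exact password.
var_dump(verifyPassword('hello', $aUsers['userA']));
var_dump(verifyPassword('Hello', $aUsers['userA']));
?>
```

Store the salt and iteration count next to the hash: they are not secrets, and keeping them per record lets you raise the work factor for new passwords without breaking verification of existing ones.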

You can’t stop a password from being cracked, you can only delay it.