Mmmm, salted passwords.
Jun 15 2006 4:08AM — John
I’m assuming that if you’re reading this blog you already know about password hashing and the extra security it gives you if a full database dump is stolen. The client’s password is hashed with an algorithm such as MD5 or SHA and is never stored as plain text. But with new services such as GData that let you look up a hash without doing any cracking, hashing a password isn’t enough.
Salting is a technique you can use to give your stored passwords a higher level of security, even in the event of a physical or database compromise. It’s very simple to implement and can be added to any website’s user system with a minimal amount of code. All you do is take the input password and, before you hash it, append a small string of text; it can be anything, and a few characters are all you need. You can see my full example in PHP here, or below for just the important bits.
$salted = $_GET['password'] . '!7'; // The '!7' is the salt, appended before hashing.
$salted = md5($salted);             // Only the salted hash is stored, never the password.
The beauty of salting is that, even if an attacker compromises the database itself, there is no way to get the password back by looking up the hash. It is, as of now, very secure. However, if the salt is compromised, a new table could be created with the salt added on the end, and you would be subject to the same kind of table-based lookup attack.
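As an added example (not the post’s own code), here is the same idea taken one step further: each user gets a random salt stored next to the hash, so a leaked salt only helps against that one account rather than the whole table. SHA-256 stands in for the post’s md5(), and the function and variable names are my own.

```php
<?php
// Added example, not from the post. The post appends one fixed salt ('!7')
// to every password; here every user gets a fresh random salt, so a lookup
// table built for one salt is useless against any other account.

// Build the record to store for a new user: a hex salt plus the salted hash.
function make_salted_record(string $password): array {
    $salt = bin2hex(random_bytes(16));          // 128-bit random salt, unique per user
    $hash = hash('sha256', $salt . $password);  // SHA-256 in place of the post's md5()
    return ['salt' => $salt, 'hash' => $hash];
}

// Check a login attempt against a stored record, comparing in constant time.
function verify_password(string $password, array $record): bool {
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);
}

// The post's fixed-salt scheme, for contrast: one salt for everybody.
function fixed_salt_hash(string $password, string $salt = '!7'): string {
    return md5($password . $salt);
}

// Constructed demo: two users choose the same password.
$alice = make_salted_record('hunter2');
$bob   = make_salted_record('hunter2');

// Per-user salts: different stored hashes, so one precomputed table cannot cover both.
var_dump($alice['hash'] !== $bob['hash']);
var_dump(verify_password('hunter2', $alice));
var_dump(verify_password('wrong-guess', $alice));

// Fixed salt: identical passwords produce identical hashes, so a single table
// built around '!7' covers every user at once, which is the weakness the post notes.
var_dump(fixed_salt_hash('hunter2') === fixed_salt_hash('hunter2'));

// Note: current PHP ships password_hash() / password_verify(), which do the
// per-user salting for you and also use a deliberately slow hash.
```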

1 Comment
Coooool :-) I think I’ll use that *remembers it with my super duper memory*. Oh, and I like your little code ‘box’ =)