
How salting works.

This will be boring to most, and obvious to many others, but it came up recently, so just for kicks, a quick rundown of salting.

Your website has users, who have passwords. Since you’re mindful of security, you want to make sure that someone who steals your database can’t learn your users’ passwords. So, instead of storing the passwords in your database in a form anyone can read, you run each password through a hash function and store only the resulting hash. Now whenever a user logs in, you take the password they give you, hash it, and compare that to what’s stored in your database. Yay, right?

Unfortunately, if this is all you do, an attacker can use a rainbow table to figure out most of your passwords. A rainbow table is just a giant list of strings and their precomputed hashes; all an attacker has to do to recover a password is check if the hashed value that’s stored in your database is in the rainbow table.

This is where salting comes in. A salt is just a random sequence of characters that you prepend to a password before computing the hash. When a user signs up for your service and provides you with their password, you generate a new random salt, prepend it to their password, hash the result, and store the hash, as well as the salt. Then when the user logs in, you take the password they gave you, prepend their stored salt, calculate the hash of the resulting string, and then compare that to what’s in your database. Yay, for real this time.

A common question at this point is, “Why do we store the salt? Wouldn’t the data thief see it?” Yes, they would see it, but that doesn’t matter. Rainbow tables are effective because they’re precomputed. Since the salt is randomly generated for each user, the likelihood that there’s a precomputed rainbow table for that particular prefix plus passwords is very low, and brute-forcing a handful of users (assuming your users have marginally non-crappy passwords, it could never be more than a handful) is probably not worth it to the attacker, though, of course, ymmv on this point.
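To make the sign-up/login flow above and the “why the salt can be public” argument concrete, here is an added Python example (not code from the original post). It builds a tiny constructed “rainbow table” of common passwords, shows that an unsalted digest is a direct key into it, and then shows that the same password stored with a fresh random salt misses the table while login verification still works. The password list, salt length and record layout are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for the example: a tiny "rainbow table" mapping plain
# SHA-256 digests back to common passwords, standing in for the huge
# precomputed tables an attacker would actually use.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]
RAINBOW_TABLE = {
    hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS
}


def hash_unsalted(password: str) -> str:
    """The first scheme from the post: store hash(password) and nothing else."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_rainbow(stored_hash: str) -> Optional[str]:
    """What the data thief does: look the stolen digest up in the precomputed table."""
    return RAINBOW_TABLE.get(stored_hash)


def make_salted_record(password: str, salt_bytes: int = 16) -> dict:
    """Sign-up: generate a fresh random salt, hash salt||password, store both."""
    salt = secrets.token_hex(salt_bytes)  # new random salt for every user
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return {"salt": salt, "hash": digest}  # assumed record layout for the example


def verify_salted(record: dict, candidate: str) -> bool:
    """Login: prepend the user's stored salt, hash, compare in constant time."""
    digest = hashlib.sha256((record["salt"] + candidate).encode()).hexdigest()
    return hmac.compare_digest(digest, record["hash"])


def demo():
    # Unsalted: the stolen digest is a direct key into the rainbow table.
    stolen = hash_unsalted("hunter2")
    recovered = lookup_rainbow(stolen)  # -> "hunter2"

    # Salted: same password, but the digest depends on a salt the table was
    # never built for, so the lookup misses even though the salt is stored
    # right next to the hash ...
    record = make_salted_record("hunter2")
    missed = lookup_rainbow(record["hash"])  # -> None
    # ... while a legitimate login still works and a wrong password is rejected.
    ok = verify_salted(record, "hunter2")
    bad = verify_salted(record, "hunter3")
    return recovered, missed, ok, bad


if __name__ == "__main__":
    print(demo())
```

Two points the code makes visible: two users with the same password get different records because each gets its own salt, and the attacker learns nothing from reading the salt because the table was built before the salt existed. The example uses a single SHA-256 pass to match the post; in practice a deliberately slow password hash (for example `hashlib.pbkdf2_hmac`, or a library implementing bcrypt/scrypt/Argon2) is used in its place so that brute-forcing even the “handful” of weak passwords per salt is expensive.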

So there you go. Salting. Next week: how to sky dive from a burning jet while pleasuring a supermodel and wailing a killer guitar solo.