Editorials

Securing Passwords

When we save passwords in our systems, everyone seems to agree that a password should never sit in the database in the clear: at a minimum it is encrypted so that it can be recovered later for verification. Some are more careful and store only a one-way hash of it, so that if the user forgets the password it cannot be retrieved at all. The only thing the system can do is hash the freshly entered password and compare the result with the stored value. If the user forgets the password, a whole new one has to be generated.

In many situations this may be considered adequate. The problem is that a bare hash is the same for every user who chose the same password, so an attacker who steals the table can attack all of the hashes at once: a precomputed table of common passwords, or a single pass of guesses checked against every stored value. To make this harder, many systems salt their passwords, adding a random value that is unique to each stored password before hashing it. The salt is not a secret; it is stored right next to the hash so that it can be fed back in at verification time. What it buys you is that identical passwords no longer produce identical hashes, precomputed tables become useless, and every stored hash has to be attacked on its own.
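As an added illustration that is not part of this editorial or of the Code Project article it points to, here is a small Python example of the two schemes side by side: a bare hash, where two users with the same password are immediately visible in the stolen table, and a per-user random salt combined with an iterated hash (PBKDF2, one of the "beyond salt" techniques) that is stored with the hash and reused at verification. The iteration count, salt length and sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; raise ITERATIONS as your hardware allows.
ITERATIONS = 200_000   # PBKDF2 work factor, stored with each record
SALT_BYTES = 16        # 128 bits of random salt per password


def unsalted_hash(password: str) -> str:
    """The weak scheme: one bare hash, no salt.

    Every user who picks the same password ends up with the same stored
    value, and a precomputed table of common passwords cracks all of them
    at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Salted, iterated scheme. Returns the record to store in the database.

    The salt is not a secret: it is stored next to the hash so it can be
    fed back in at verification time. Its job is to make each stored hash
    unique, so every record must be attacked on its own.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, then compare.

    hmac.compare_digest runs in constant time, so the comparison itself
    does not leak how many leading bytes of the guess matched.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]),
                                    record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def duplicate_passwords_visible(records: list) -> bool:
    """True if any two stored hashes are identical.

    For the bare hash this is always true when two users chose the same
    password; with a random salt per record it is essentially never true,
    so the table no longer reveals who shares a password.
    """
    hashes = [r["hash"] if isinstance(r, dict) else r for r in records]
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    # Constructed sample accounts; two of them chose the same password.
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple",
             "carol": "hunter2"}

    weak = [unsalted_hash(p) for p in users.values()]
    print("bare hashes reveal a shared password:",
          duplicate_passwords_visible(weak))

    stored = {name: hash_password(p) for name, p in users.items()}
    print("salted hashes reveal a shared password:",
          duplicate_passwords_visible(list(stored.values())))

    print("alice logs in:",
          verify_password("correct horse battery staple", stored["alice"]))
    print("wrong password:",
          verify_password("Correct horse battery staple", stored["alice"]))
```

Note that nothing in the salted record is secret; an attacker who steals it still gets the salt and the iteration count. The protection is that each record now costs a full cracking run of its own, and the iteration count sets the price of each guess.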

I was digging into how to salt passwords and came across this article on Code Project. If this area is new to you, and you store passwords in your system, it is worth a few minutes to read. The author does a good job of explaining the problem, methods used to attack your system, and ways to thwart hacking efforts. It goes beyond just salting, with other techniques to keep your passwords secure.

I wonder if I could have a little pepper with that salt.

Cheers,

Ben