Msg#: 4505733 posted 8:39 am on Oct 9, 2012 (gmt 0)
the salt is used to encrypt the password and then the salt is stored with the encrypted password so future attempts to authenticate will use the same salt to encrypt. therefore you can never read the clear-text password in the database but you can match it if you know it.
Msg#: 4505733 posted 11:41 am on Oct 9, 2012 (gmt 0)
A salt is added to avoid those laying their hands on your hashes to be able to see hey this one has the same salt as this one, so they have the same password (likely a case of both using "password" as password. Or Of somebody having constructed the hashes of all known words in a dictionary (a so called rainbow table), and hence able to reverse all hashes from all weak passwords with a simple lookup.
Salt: make sure it is *random* (cryptographically random) and long. Just store it along the hash.
| | v
server: concatenate password and salt (retrieved from database) hash the above very with the stored hash
Upon password change: get a new random salt and hash the concatenation of the new password and the new salt). Sotre the new hash and the new salt.