[miguelpais]

>> "And if the passwords were salted before the hash is applied? Well, more than a third of the passwords were easily found in a common dictionary so it’s just a matter of having the compute power to brute force them and repeat the salt plus hash process."

Well, assuming that you know the hash, because if you don't, things don't get that easy. I'm assuming systems that salt passwords don't store the salt in a row of their database, but with security, or the lack of it, everything seems to be possible.

[jbri]

Where else would you store the salt?

If you're storing it in a place more secure than where you're storing the password hashes, why not store the password hashes there in the first place?

[miguelpais]

If the salt is the same for all the users you can have it on the source code that hashes the passwords. Not always being SQL injected means having the back-end code leaked.

[tedunangst]

That defeats the purpose. The whole point is to have a unique salt per user to force the cracker to spend time on every password.