by dragonsky 5477 days ago
As they have the Web code base, you must assume that they have the salt to the hashing... If they actually want to get these passwords, all they have to do is generate rainbow tables using SHA1 and the appropriate salt. We're back to relying on the length and bit depth (range of characters) of the passwords you are trying to find.

Salts, done properly, vary per user not per server.
But I'm assuming that if they have the code base, the plaintext user names (email addys) and the salted password, then they would have whatever the per-user salt is.
Right, but if the salt varies per user, then you end up doing a brute force on each user's password; it's no longer a precomputation attack. There are no "rainbow tables" in this case.

However, if you find Hale's bcrypt page (http://codahale.com/how-to-safely-store-a-password/) convincing, and I do, salting really doesn't matter because with modern GPUs you can brute-force a reasonably-sized alphanumeric password, if the hash algorithm is a general-purpose (read: fast) one.

The solution is not salt, the solution is to use a purposely slow hash function.
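The two points in this exchange, as an added example that is not part of any comment above: a server-wide salt lets one precomputed table be reused against every account, a per-user salt forces a separate dictionary pass per account, and a deliberately slow KDF (PBKDF2 here, standing in for the bcrypt the thread recommends) multiplies the cost of each of those passes. Users, passwords and the dictionary are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real accounts).
USERS = {"alice": "password1", "bob": "password1", "carol": "letmein"}
DICTIONARY = ["123456", "password1", "letmein", "qwerty"]

def sha1_salted(password: str, salt: bytes) -> bytes:
    # The fast, general-purpose scheme discussed in the thread: SHA-1 over salt || password.
    return hashlib.sha1(salt + password.encode()).digest()

def store_per_server(server_salt: bytes) -> dict:
    # One salt shared by every account: equal passwords give equal hashes.
    return {user: sha1_salted(pw, server_salt) for user, pw in USERS.items()}

def store_per_user() -> dict:
    # Fresh random salt per account, stored beside the hash (the attacker is assumed to have both).
    records = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)
        records[user] = (salt, sha1_salted(pw, salt))
    return records

def crack_per_server(records: dict, server_salt: bytes) -> tuple:
    # One table, computed once for the known salt, is looked up against every user.
    table = {sha1_salted(word, server_salt): word for word in DICTIONARY}
    return {user: table.get(h) for user, h in records.items()}, len(table)

def crack_per_user(records: dict) -> tuple:
    # No table can be shared: each account costs its own dictionary pass.
    found, hashes_computed = {}, 0
    for user, (salt, h) in records.items():
        for word in DICTIONARY:
            hashes_computed += 1
            if hmac.compare_digest(sha1_salted(word, salt), h):
                found[user] = word
                break
    return found, hashes_computed

def pbkdf2_record(password: str, iterations: int = 200_000) -> tuple:
    # Deliberately slow KDF (PBKDF2-HMAC-SHA256); bcrypt, scrypt and Argon2 play the same role.
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def pbkdf2_verify(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

With the per-user records the attacker's work is the number of guesses tried across all accounts, and switching the hash to `pbkdf2_record` multiplies every one of those guesses by the iteration count, which is the slowdown the last comment is asking for.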