Give me some salt, and I will better protect you
- Alexey

- May 1, 2020
- 2 min read

Yesterday we spoke about hashes and rainbow tables. It turned out that pure hashing theoretically protects against password exposure, but if you use a common password, an attacker can quickly recover it from the hash using rainbow tables. Is there really nothing you can do?
The good thing is that you can. Just add some salt and you are done :)
Let's make a small example to understand what salt is. Assume I typed my password in a Google password field. Google does not store pure passwords and instantly calculates the hash from my password. But instead of writing an untouched hash against my name in their user table, Google does a little trick with this hash.
Google has a secret transformation up its sleeve that it applies to every hash before saving it. The same transformation is applied to every password. Google simply substitutes every symbol in my hash with another symbol: "a" is changed to "c", "b" -> "d", "c" -> "e" and so on. Google transforms like above, and Yandex in some other way. So each company applies its own transformation and never reveals it to the public. Remember, this is a secret. This transformation is called "adding salt".
If some intruder steals my salted hash from Google and tries to recover my password from it using rainbow tables, s/he cannot! My hash was changed, and it won't match anything in the tables. To recover a password from a hash, the intruder would need to substitute the letters in the backward direction, but s/he does not know Google's secret transformation. In fact, the malefactor does not even know my original hash; Google has hidden it with its secret transformation.
If you are a developer, you must add salt to every password you store. That will help to protect users, even those with common passwords, from password recovery.
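As an added example (not from the original post), this is how salting is usually implemented in practice: a random per-user salt is mixed into the password before hashing and stored next to the result, and a slow key-derivation function (PBKDF2 here) makes each guess expensive. The "rainbow table" below is a constructed dictionary of precomputed digests of a few common passwords; the same common password yields different digests for different users, so the stolen digest finds nothing in the table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample "rainbow table": precomputed SHA-256 digests of a few
# common passwords, indexed by digest the way an attacker would look them up.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """Plain hash: identical passwords give identical, table-lookup-able digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, slow hash. The per-user salt is not secret: it is stored beside
    the digest so the server can recompute it, but it invalidates any table
    precomputed from bare password digests."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, _digest_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def lookup(digest: str) -> Optional[str]:
    """What a stolen digest yields against the precomputed table (None = nothing)."""
    return PRECOMPUTED.get(digest)


def demo() -> dict:
    # Two users pick the same common password but get independent random salts.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    h_a = salted_hash("password", salt_a)
    h_b = salted_hash("password", salt_b)
    return {
        "unsalted_recovered": lookup(unsalted_hash("password")),  # "password"
        "salted_recovered": lookup(h_a.split("$")[2]),            # None
        "same_password_same_digest": h_a == h_b,                  # False
        "verify_ok": verify("password", h_a),                     # True
        "verify_wrong": verify("letmein", h_a),                   # False
    }
```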