Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
633 views
in Technique by (71.8m points)

hash - What is the purpose of the "salt" when hashing?

Ok, I’m trying to understand the reason to use salt.

When a user registers I generate a unique salt for him/her that I store in DB. Then I hash it and the password with SHA1. And when he/she is logging in I re-hash it with sha1($salt.$password).

But if someone hacks my database he can see the hashed password AND the salt.

Is that harder to crack than just hashing the password without salt? I don’t understand …

Sorry if I’m stupid …


1 Answer

0 votes
by (71.8m points)

If you don't use a salt then an attacker can precompute a password<->hash database offline even before they've broken into your server. Adding a salt massively increases the size of that database, making it harder to perform such an attack.

Also, once they've broken in they can guess a commonly used password, hash it, and then check all of the passwords in the database for a match. With a different salt for each user, they can only attack one password at a time.

There's an article at Wikipedia about salts in cryptography.
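As an added illustration (not part of the answer above), the following Python models the question's `sha1($salt.$password)` scheme next to the unsalted baseline and shows both points the answer makes: a table hashed in advance matches every unsalted user at once, while per-user salts make the same table useless and stop users who share a password from producing the same stored hash. All user names, passwords and the candidate list are constructed sample data.

```python
import hashlib
import secrets

# Constructed sample data: three users, two of whom chose the same weak password.
USERS = {"alice": "password123", "bob": "letmein", "carol": "password123"}
# Constructed stand-in for a table of common passwords hashed ahead of time.
COMMON_PASSWORDS = ["123456", "password123", "letmein", "qwerty"]


def unsalted_store(users):
    """Baseline from the question: store sha1(password) per user."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users, salt_bytes=16):
    """Question's scheme: a fresh random salt per user, store (salt, sha1(salt + password))."""
    out = {}
    for u, p in users.items():
        salt = secrets.token_hex(salt_bytes)  # unique per registration, kept in the DB
        out[u] = (salt, hashlib.sha1((salt + p).encode()).hexdigest())
    return out


def precompute_table(candidates):
    """hash -> password table built once, with no knowledge of any stored hash or salt."""
    return {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates}


def lookup_unsalted(store, table):
    """One lookup per user recovers every password present in the precomputed table."""
    return {u: table[h] for u, h in store.items() if h in table}


def lookup_salted(store, table):
    """The same table never matches: each stored hash also depends on that user's salt."""
    return {u: table[h] for u, (_salt, h) in store.items() if h in table}


def shared_hash_groups(hashes):
    """Users whose stored hashes are identical; with salts this list is empty, so
    an identical password no longer stands out and must be tested per user."""
    groups = {}
    for u, h in hashes.items():
        groups.setdefault(h, []).append(u)
    return sorted(sorted(us) for us in groups.values() if len(us) > 1)
```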
