It was brought to my attention during a discusion of passwords that apparently SHA1, by itself, is not adequate for protecting passwords. Namely because for 5 or 6 letter passwords it can actually be forced somewhat quickly enough that it would be worth it, but in addition there are reverse lookup SHA1 databases out there for hundreds of thousands of commonly used passwords, or derivatives there of.

Consequently, it is a good idea to go one step beyond SHA1, by “salting” the password before storing it. Salting is where you come up with some kind of random string when the password is initially set. This can be anything… let the user mash the keyboard, and generate some random series of alpha numerics. However you want to do it, doesn’t matter. You then take this salt string and prepend it or append it to the the user’s actual password, and *then* run SHA1 on it and store that SHA1 string as the password.

Then its simply a matter of storing that salt string in a settings file or a database table, and everytime you do a user authentication process, grab that salt string, prepend it to the password, then compare SHA1 hashes for authenticity. This virtually guarantees that no one could ever brute force or guess the password, since not even the user knows what their *actual* password is.