i need help understanding password security. concept of salts, nonce etc.

i read http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords but it's quite advanced for me. i don't really understand what problems salts etc. solve, and how it is implemented, maybe from the basics

```sql
-- basics i learnt from school, using md5 for user input
SELECT UserID, Username FROM Users
WHERE Username = "user1"
AND Password = MD5("pass1")
```

i guess the problem is hackers can have a dictionary of common passwords hashed with MD5() to find out user passwords? and just curious, they do this so they can find out which user uses which password? provided they got the user database? if i am wrong, what is the issue of using just MD5?

i think i need help understanding what is the problem with using MD5 only, then progressively, how do salts help, different hashing methods etc.

as i do not develop really secure apps, i also want to consider performance. i don't want a very secure but slow app :) so no need for overkill, which will likely confuse me anyway

UPDATE

i did a very basic example, to see if my logic of authenticating users with salts is right. basically, i need to get the salt of the user from the database using the username then do the actual authentication query, right?

```php
<?php
// the mysql_* functions were removed in PHP 7; mysqli_* is the direct replacement
$link = mysqli_connect("localhost", "root");
mysqli_select_db($link, "test");

// simulate user entry
$username = "user1";
$password = "password1";

// get salt for username
$result = mysqli_query($link, "SELECT salt FROM users WHERE username = '$username'");
if ($row = mysqli_fetch_assoc($result)) {
  $salt = $row["salt"];

  // actual authentication
  $sql = "SELECT id FROM users WHERE username = '$username' AND password = '" . hash_hmac("sha256", $password, $salt) . "'";
  $result = mysqli_query($link, $sql);
  if ($row = mysqli_fetch_assoc($result)) {
    echo "login success. userid = " . $row["id"];
  } else {
    // wrong password
    echo "login failed";
  }
} else {
  // wrong username
  echo "login failed!";
}
```

A: 

Salting stops someone from a rainbow table attack against any stolen hashes they may have.

For example, if your password in the database is stored as the md5 hash "098f6bcd4621d373cade4e832627b4f6", you can look that up in a rainbow table (a pre-calculated table FULL of hashes), and see that this hash is the word "test".

Now, let's say we salt the very easy-to-crack password above with some data such as "jiewmengasked14minsago" and put "test" onto the end of it. We get "819217402cd5e9755d28fefb26adad52", and you probably won't find this in the rainbow table. Obviously, use a more random string than that.

I would advise using a salt for each user, not the entire database. This way, if someone learns the salt, they might just generate their own rainbow table (granted, this takes a lot of time), but if everyone has their own hash, you've made it extra hard for them to take everything.

The problem with md5 is that the algo used to generate your hash is not as secure against modern cracking techniques; try using something like SHA-256.

Hashing and salting will NOT hurt performance to any massive degree. You are putting all your users at great risk, because people share passwords. Products like MSN Messenger ("Windows Live"), which clearly don't care either, are the reason we get so many problems: they didn't bother to secure the password data, and it can be cracked in seconds with programs like Cain. This will expose your users to a world of hurt because they're using that same password for 5 emails, Google, Stack Overflow, banking, and who knows what else. Even though YOU might not care about password security, I do, so don't screw with me, I'm your user.

if i have 1 salt per user, and i can't store the salt in the database, how should it be stored/implemented?
jiewmeng
Why can't you store it in a database? The salt is not the password. http://stackoverflow.com/questions/674904/salting-your-password-best-practices
hmm i read it somewhere, i thought it makes sense. to use a dictionary attack, i think he will have hacked and got the database. so he can see your salt and hash. then he can use your salt to crack your password?
jiewmeng
No. That's not how hashes work. You need to stop what you're doing, sit down and take the time to properly research this so you know what you're doing, passwords and security are not a "whatever" issue.
oh i get what your link means. even if the hacker knows your salt for the user, he still needs to create a dictionary for that one password to hack it. to hack all the data it will take `the number of user` times more. is it?
jiewmeng
@jiewmeng If the attacker has the salt and hash, he still has to do a brute force attack on the password. The random salt makes using precomputed tables infeasible for the attacker. http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190
David
ok now to the implementation. i am using PHP so i read about [hash_hmac](http://www.php.net/manual/en/function.hash-hmac.php). in `hash_hmac('sha256', 'password', 'salt')` can i say that the function creates a hash of `password` using `sha256` with the salt of `salt`? the docs say `hash_hmac` generates a **keyed** hash using the **hmac** method. can i say keyed is salted and what's hmac
jiewmeng
also on implementation, how should i generate the salts. will `hash('sha256', rand())` do?
jiewmeng
No, do not use rand. And do not use MT_Rand, neither of these are secure enough. See the comment here: http://www.php.net/manual/en/function.mt-rand.php#83655
wow ... i think i just want to understand what's happening in that code, correct me if i am wrong. i am using the random number generator of the OS instead of PHP. the code gets 16 bytes of random data generated from `/dev/urandom` in linux and `CAPI_UTIL` in windows. then i assume `$pr_bits` will be used as the salt, but why in windows `md5()` is run on `$pr_bits`.
jiewmeng
and i also want to know `hash_hmac('sha256', 'password', 'salt')` can i say that the code hashes the string `password` with `sha256` with salt `salt`?
jiewmeng
can you also check my update and comment if the logic is right? i know i did not use the way you recommend i generate salts, as i don't really get it yet. and i also am not using prepared statements or PDO etc. i am only wanting to understand the concept of salting
jiewmeng
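
As an added example (not part of the original question, answer or comments): the login flow from the question's update combined with the advice in the answer and comments, with a per-user salt taken from the OS random source, `hash_hmac('sha256', ...)` as discussed, and a constant-time comparison. The in-memory SQLite database, the PDO calls and the `register`/`login` function names are assumptions chosen so the sketch runs offline.

```php
<?php
// Added example: per-user salt at registration, salted check at login.
// Assumptions: in-memory SQLite via PDO, hypothetical table and function names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, salt TEXT, password TEXT)');

function register(PDO $db, string $username, string $password): void
{
    // 16 bytes from the OS CSPRNG (not rand() or mt_rand()), hex-encoded for storage.
    $salt = bin2hex(random_bytes(16));
    $hash = hash_hmac('sha256', $password, $salt);
    // The salt is stored next to the hash; it is not a secret.
    $stmt = $db->prepare('INSERT INTO users (username, salt, password) VALUES (?, ?, ?)');
    $stmt->execute([$username, $salt, $hash]);
}

function login(PDO $db, string $username, string $password): ?int
{
    // One query fetches salt and stored hash; the comparison happens in PHP.
    $stmt = $db->prepare('SELECT id, salt, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown user: same result as a wrong password
    }
    $candidate = hash_hmac('sha256', $password, $row['salt']);
    // hash_equals() compares in constant time.
    return hash_equals($row['password'], $candidate) ? (int) $row['id'] : null;
}

// Constructed sample data: two users who picked the same weak password.
register($db, 'user1', 'test');
register($db, 'user2', 'test');

// Each row has its own salt, so the two stored hashes differ from each other
// and a table of precomputed unsalted hashes does not contain either of them.
foreach ($db->query('SELECT username, salt, password FROM users') as $row) {
    printf("%s salt=%s hash=%s\n", $row['username'], $row['salt'], $row['password']);
}
printf("unsalted md5: %s\n", md5('test'));

var_dump(login($db, 'user1', 'test'));   // correct password
var_dump(login($db, 'user1', 'wrong'));  // wrong password
var_dump(login($db, 'nobody', 'test'));  // unknown user
```

For production PHP code, the built-in `password_hash()` and `password_verify()` generate the per-user salt themselves and use a deliberately slow algorithm, which a single SHA-256 pass is not.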