how salt can be implemented to prevent pre-computation dictionary attack on password

Question

A salt makes every users password hash unique, and adding a salt to a password before hashing to protect against a dictionary attack. But how?

Answer 1

What's the md5 hash of "superCommonPassword"? That's easy to pre-calculate.

It's b77755edafab848ffcb9580307e97414

If you steal a password database and see that hash value, you know the password is probably "superCommonPassword".

What's the md5 hash ("aStringYouDontKnowUntilYouStealAPasswordDatabase" + "superCommonPassword")? Oh, you can't calculate that until you steal the database.

An unknown salt means pre-calculating hashes of common passwords is useless. An unknown salt per user means you need to calculate hashes of common passwords for each user. This slows down the attacker and increases his costs.

Don't use md5 for password hashing though. Use bcrypt or scrypt or PBKDF2.