redwall_hp comments on Gawker/Gizmodo does not salt their passwords, uses DES for hash, and now 1.3 million passwords vulnerable: "Using MD5 hashes as an example, basically:
I hash the phrase 'KnightsOfTheRoundTable,' which translates to '2704a525ca6db579cbc5a18b153d0383.'
Since I have access to the database of username/password pairs, I can just run a MySQL SELECT command to find all records where the hashed password matches '2704a525ca6db579cbc5a18b153d0383.' Since I know what that hash means, I can log in to any of the user accounts that show up with that password.
Now if they used the usernames as a salt, they would hash your password like this: md5($yourUsername.$yourPassword). That means if your username was KingBob and your password was 'KnightsOfTheRoundTable,' the hash would be '60b99f51bcaf8c3afc0b064b451412f2' instead. This means every user who has 'KnightsOfTheRoundTable' as a password will have a different hash, as their username is tacked onto the front. This makes it much harder to brute-force passwords, since they have to start all over again for each user instead of trying it on every user at once.
Just think of all the people who have 'password' or '12345678' or 'hunter2' as their passwords. Those would be the first ones to try, yielding plenty of compromised accounts."
