I've been trying to research more about salts to further understand the purpose and I'm having a difficult time getting anywhere. Here's my problem - I understand a salt can prevent two hashed passwords from appearing the same (because their salts are unique) in a database if the system is compromised, but what I don't get is how this makes dictionary attacks hard?

A salt is always stored in a database along with the hash(password,salt) value. If I wanted, I could retrieve a list of passwords and their associated salts. I can then take my dictionary attacking app, and run through converting each "common password" to the salted hash equivalent for a particular record, then continue that process for all records in the passwords table. Sure, it would take a little longer, but not *that* long, right?

A 2 GHz machine can do 2 billion cycles / second and an MD5 on a simple string takes roughly 64 cycles - so you're talking 3/10 of a second to hash 1,000,000 passwords with a particular salt. If you have 1,000 users to crack, you could get that done in, oh, a minute or less, right?

I *know* I'm missing something here, I just can't figure out what. Please help me understand how salts really help here.

Thanks!
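The per-record work described in the question can be counted directly. The following is an added example, not part of the original post: it audits a constructed password table against a constructed wordlist and counts hash evaluations with and without salts. The user names, passwords, wordlist and function names are all assumptions made for illustration, and MD5 appears only because the post uses it.

```python
import hashlib
import os

def md5_hex(salt: bytes, password: str) -> str:
    # hash(password, salt) as in the post: salt prepended to the password
    return hashlib.md5(salt + password.encode()).hexdigest()

def make_records(users, salted: bool):
    # Build (name, salt, digest) rows; unsalted rows use an empty salt.
    records = []
    for name, password in users:
        salt = os.urandom(16) if salted else b""
        records.append((name, salt, md5_hex(salt, password)))
    return records

def audit(records, wordlist):
    """Test every wordlist entry against every record.

    Returns (matches, hash_evaluations). A lookup table is built once per
    distinct salt, so records that share a salt (or have none) share the work.
    """
    tables = {}
    evaluations = 0
    matches = {}
    for name, salt, digest in records:
        if salt not in tables:
            tables[salt] = {md5_hex(salt, w): w for w in wordlist}
            evaluations += len(wordlist)
        if digest in tables[salt]:
            matches[name] = tables[salt][digest]
    return matches, evaluations

# Constructed sample data: two users share a weak password, one does not.
USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "x9!Tq_unlisted")]
WORDLIST = ["123456", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    for salted in (False, True):
        records = make_records(USERS, salted)
        matches, evaluations = audit(records, wordlist=WORDLIST)
        shared = records[0][2] == records[1][2]
        print(f"salted={salted}: {evaluations} hashes, "
              f"identical digests for alice/bob={shared}, matches={matches}")
```

Without salts the cost is one pass over the wordlist regardless of table size, and that pass can be done before the table is ever seen; with unique salts the cost is users × wordlist and cannot start until the salts are known. The weak passwords are found in both cases.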