"The only way to salt an existing hash is to recalculate the hash after a user logs in, or for the users to have all changed their passwords," Wisniewski said.
Silveira's comments about only a few hashed passwords being decoded and published are also puzzling, he said. "Why they believe only a small percentage have been solved is confusing. While only a small percentage have been published, most all of them have been discovered, according to many sources who have been trying to crack them," he said.
Sign up for CIO Asia eNewsletters.