Salting the Hash

In our Lotus Notes R5 implementation the Internet password is unsalted. That is to say, when the word “password” is hashed it always returns the same answer (beginning with 355). In Lotus the password hash is revealed to the public via LDAP, via the Notes client viewing the names.nsf database, or by viewing the names.nsf database through a web browser. Because the hash is both unsalted and readable, it would be possible to determine the user passwords. Access to databases such as names.nsf should be restricted where possible.
Fortunately, beginning in R5, it is possible to salt the hash. A password salt is combined with the original password before the hashing algorithm is applied, so that a given password will not always have the same stored hash. This provides added security and helps to prevent password cracking.
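The following is an added illustration, not Lotus's own code and not the algorithm Notes uses for its Internet password hash; it uses standard SHA-256 and PBKDF2 (assumed here purely for demonstration) to show the difference the paragraph describes: an unsalted hash is a pure function of the password, so every user who chose “password” stores the same value and a single precomputed table covers them all, while a per-user random salt makes each stored value unique and forces an attacker to work on one account at a time. The user list is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for the demonstration


def unsalted_hash(password: str) -> str:
    """Unsalted: identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted: a fresh random salt is mixed into the hash for each user.

    Returns (salt, digest); the directory must store both, since the salt
    is needed again at verification time. The salt need not be secret.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


def distinct_unsalted(users: Dict[str, str]) -> int:
    """How many distinct stored values an unsalted directory would hold."""
    return len({unsalted_hash(pw) for pw in users.values()})


def distinct_salted(users: Dict[str, str]) -> int:
    """How many distinct stored values a salted directory would hold."""
    return len({salted_hash(pw)[1] for pw in users.values()})


# Constructed sample directory: three of four users picked the same password.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "password",
    "dave": "correct horse battery staple",
}

if __name__ == "__main__":
    print("unsalted distinct values:", distinct_unsalted(SAMPLE_USERS))  # 2
    print("salted distinct values:  ", distinct_salted(SAMPLE_USERS))    # 4
    salt, digest = salted_hash("password")
    print("verify correct password:", verify("password", salt, digest))
    print("verify wrong password:  ", verify("Password", salt, digest))
```

With an unsalted directory, the hashes also reveal which users share a password, which is exactly what an attacker reading names.nsf over LDAP or HTTP would look for first; the salted version hides that relationship as well as defeating precomputed tables.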