Password Security: Strong Hashing, Salt and Pepper
To protect against those attacks, we're going to do two things: we're going to use a hashing function that's expensive to compute, so that guessing passwords by brute force becomes prohibitively expensive, and we're going to salt passwords with a random unique string, so attackers can't use pre-computed lookup tables.
We'll also include a second kind of salt, the pepper, which is stored on the application server and not in the database at all, so it's less likely to be stolen alongside the database contents.