"The only way to salt an existing hash is to recalculate the hash after a user logs in, or for the users to have all changed their passwords," Wisniewski said.

Silveira's comments about only a few hashed passwords being decoded and published are also puzzling, he said. "Why they believe only a small percentage have been solved is confusing. While only a small percentage have been published, most all of them have been discovered, according to many sources who have been trying to crack them," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at or subscribe to . His e-mail address is .

See .

in Computerworld's Cybercrime and Hacking Topic Center.