It should be obvious that salting is not enough. Even with a site that has 10 million users, an attacker can make millions of guesses per user per day against salted SHA-1* or MD5. A strong password hash literally makes password cracking a million times harder. If an attacker can only guess a handful of passwords per day, per user, then any user with a password that isn't his name, username, or on one of the worst passwords lists is probably going to be okay. There is some safety in numbers.
If an attacker targets a single account, he can still make millions of guesses per day, even with a strong password hash. There is no safety in numbers once the attacker is focused on you. Pick good passwords.
* I used SHA-1 as an example because it's common. The SHA-2 family consists of stronger cryptographic hashes, but they don't provide any significant benefit beyond SHA-1 for password hashing.
Edit: I'd like to point out that, for simplicity, these numbers do not factor in the number of passwords that are actually cracked along the way.
Edit #2: I expanded the graphic to include user counts of 10k, 100k, and 10M. Thank you Solar Designer for the suggestion.
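To make the per-user arithmetic behind the graphic concrete, here is an added example (not part of the original post) that computes the daily guess budget an attacker gets against each user of a salted store, for a fast hash versus a deliberately slow one, and for the untargeted versus the single-account case. The attacker throughput (1e9 fast hashes per second) and the slow-hash work factor (1e6) are assumptions chosen to reproduce the post's "million times harder" ratio, not measured figures.

```python
"""Per-user guess budget for a salted password store (added illustration).

Throughput and work factor below are assumptions for the arithmetic only.
"""

SECONDS_PER_DAY = 86_400
ASSUMED_FAST_HASH_RATE = 1_000_000_000  # salted SHA-1/MD5 guesses per second (assumed)
ASSUMED_WORK_FACTOR = 1_000_000         # slow hash = this many fast-hash evaluations (assumed)
USER_COUNTS = (10_000, 100_000, 1_000_000, 10_000_000)  # the counts in the graphic


def guesses_per_user_per_day(hashes_per_sec, num_users, targeted=False):
    """Guesses an attacker can try against one user's hash in a day.

    Per-user salts force every guess to be hashed separately for each user,
    so an untargeted attacker spreads the daily budget across all users.
    A targeted attacker spends the whole budget on one account, which is
    why there is no safety in numbers once someone focuses on you.
    """
    budget = hashes_per_sec * SECONDS_PER_DAY
    return budget if targeted else budget / num_users


def compare_hashes(num_users, fast_rate=ASSUMED_FAST_HASH_RATE,
                   work_factor=ASSUMED_WORK_FACTOR):
    """Per-user daily guesses for fast vs. slow hash, untargeted and targeted."""
    slow_rate = fast_rate / work_factor
    return {
        "fast_untargeted": guesses_per_user_per_day(fast_rate, num_users),
        "slow_untargeted": guesses_per_user_per_day(slow_rate, num_users),
        "fast_targeted": guesses_per_user_per_day(fast_rate, num_users, True),
        "slow_targeted": guesses_per_user_per_day(slow_rate, num_users, True),
    }


def days_to_exhaust(wordlist_size, guesses_per_day):
    """Days needed to try a whole wordlist against one user at the given rate."""
    return wordlist_size / guesses_per_day


if __name__ == "__main__":
    for n in USER_COUNTS:
        r = compare_hashes(n)
        print(f"{n:>10,} users: fast {r['fast_untargeted']:>14,.0f}/user/day  "
              f"slow {r['slow_untargeted']:>10,.2f}/user/day  "
              f"slow, targeted {r['slow_targeted']:>12,.0f}/day")
    # How long a 10,000-entry worst-passwords list takes against one
    # untargeted user of a 10M-user site behind the slow hash.
    rate = compare_hashes(10_000_000)["slow_untargeted"]
    print(f"10k-word list vs. one untargeted user: {days_to_exhaust(10_000, rate):,.0f} days")
```

With these assumptions the 10M-user row gives about 8.6 million guesses per user per day against the fast hash, about 8.6 per user per day against the slow one, and 86 million per day against a single targeted account even with the slow hash, which is the post's point.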