Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: kevkrom

That is not really the whole story. If the hashing algorithm is known, and hackers steal the table of hashed passwords, they will often try hashing commonly used passwords and searching the table for matches.

In order for hashing to work, the hash for ‘test123’, ‘password’, and such commonly used passwords will always be the same. Hackers can take thousands of commonly used passwords, hash them, and get large numbers of hits on the table.

The best way to avoid this is to salt the hash with something known only at the website. For example, I could take the first 3 characters of your first name, append the password to that, and then apply the hashing algorithm.


7 posted on 08/06/2014 8:01:41 AM PDT by proxy_user
[ Post Reply | Private Reply | To 6 | View Replies ]


To: proxy_user
Oh, there are definitely good hashing algorithms and bad ones. For password security, you want a cryptographically sound one. But in layman's terms, the idea is that my password might be (not actually, of course) "Freeper1998", which the hashing function transforms into some form of gibberish like "a#G32!n1". That hashed value is what's stored on the server, never my actual password.

Anyone who gets hold of the hashed value ("a#G32!n1") can't actually reconstruct my password from it, even if they know the hashing algorithm.

Now, a poor implementation that uses the exact same hash for all users, as you describe, basically becomes solvable like a cryptogram puzzle in a newspaper through the use of brute force and statistical patterns. That is, common hashes would indicate common passwords, and throwing in the insecure passwords that unknowledgeable users often go with will be enough to compromise multiple accounts. So a good hashing algorithm mixes in something else (part of the user id, whether it's the name or the internal ID number, for example) to make my "Freeper1998" hash differently from your "Freeper1998" even though they're the same password.

9 posted on 08/06/2014 8:10:17 AM PDT by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)
[ Post Reply | Private Reply | To 7 | View Replies ]
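The attack and the defence that posts 7 and 9 describe, worked through as an added example (this is not code from the thread or from either poster). It builds a small "leaked" table of unsalted SHA-256 hashes, runs the precomputed-dictionary attack against it, and shows that two users with the same password are visible as duplicate hashes. It then rebuilds the table with a random 16-byte salt per user (the usual practice; the posts suggest deriving the salt from the name or user id, which this example does not do) and PBKDF2-HMAC-SHA256 as the salted, iterated hash, and shows that the same precomputed lookup now finds nothing, that duplicates disappear, and that the attacker's only option is to re-hash every guess under every user's salt. The wordlist, usernames, passwords and the PBKDF2 round count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed data for this example (not from the original thread):
# a short attacker wordlist and a few user passwords, two of them identical.
WORDLIST = ["password", "test123", "123456", "Freeper1998", "letmein"]
USER_PASSWORDS = {
    "alice": "password",
    "bob": "correct horse battery staple",  # not in the wordlist
    "carol": "Freeper1998",
    "dave": "Freeper1998",                   # same password as carol
}

PBKDF2_ROUNDS = 20_000  # assumption: a modest work factor so the example runs quickly


def unsalted_hash(password: str) -> str:
    """The weak scheme both posts describe: same input -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_unsalted_table(users: dict[str, str]) -> dict[str, str]:
    """Leaked table of the form username -> unsalted hash."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def precomputed_attack(table: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Hash each wordlist entry once, then match it against every stored hash.
    Cost is len(wordlist) hashes no matter how many users leaked."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 over the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def build_salted_table(users: dict[str, str]) -> dict[str, tuple[bytes, str]]:
    """Store (salt, hash) per user; the salt is random, not derived from the username."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_hash(pw, salt))
    return table


def verify(table: dict[str, tuple[bytes, str]], user: str, password: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    salt, stored = table[user]
    return hmac.compare_digest(salted_hash(password, salt), stored)


def precomputed_attack_on_salted(table: dict[str, tuple[bytes, str]],
                                 wordlist: list[str]) -> dict[str, str]:
    """The same precomputed lookup of unsalted hashes finds nothing against a salted table."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, (_, h) in table.items() if h in lookup}


def per_user_attack(table: dict[str, tuple[bytes, str]],
                    wordlist: list[str]) -> tuple[dict[str, str], int]:
    """What the attacker must do instead: re-hash every candidate under each user's salt.
    Returns the recovered passwords and the number of PBKDF2 computations spent."""
    found, work = {}, 0
    for user, (salt, stored) in table.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(w, salt), stored):
                found[user] = w
                break
    return found, work


def has_duplicate_hashes(table: dict) -> bool:
    """Unsalted tables reveal which users share a password; salted ones do not."""
    hashes = [v if isinstance(v, str) else v[1] for v in table.values()]
    return len(hashes) != len(set(hashes))


if __name__ == "__main__":
    unsalted = build_unsalted_table(USER_PASSWORDS)
    print("unsalted, precomputed:", precomputed_attack(unsalted, WORDLIST))
    print("unsalted has duplicates:", has_duplicate_hashes(unsalted))
    salted = build_salted_table(USER_PASSWORDS)
    print("salted, precomputed:", precomputed_attack_on_salted(salted, WORDLIST))
    print("salted has duplicates:", has_duplicate_hashes(salted))
    print("salted, per-user guessing:", per_user_attack(salted, WORDLIST))
```

Note what the salt does and does not buy: the precomputed table is useless and carol and dave no longer look alike, but `per_user_attack` still recovers every wordlist password, just at a cost multiplied by the number of users and by the PBKDF2 round count. Salting stops the one-hash-per-guess shortcut; the iterated hash and a strong password are what make each remaining guess expensive.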



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson