I have recently read an article about keeping passwords safely and I have a few misunderstandings. I found out 4 ways of storing users’ passwords: 1). Just keep them in plain text 2). Keep passwords in plain text, but encrypt the database 3). Hash a password 4). Use "salt hashing". Generate a random string and use a hashing algorithm after concatenation entered user’s password and randomly generated string. And I also have to store this string to let user in.
The best way was 4-th. Then my main misunderstanding is about: "what do we want to protect from?". As I understand – from the case when hacker gets access to our server and gets the database and the server-side source code. In this case I, as a developer, jeopardize accounts of those users, who have same passwords on all websites. Hacker gets a password from my database and then knows, what password does this user have on other websites/apps. That is why I want to to make passwords as secure as it is possible. In this case I do not understand the difference between ways 3 and 4 (1 and 2 are obviously bad, I think).
To crack passwords in way 3 the hacker gets my hashing algorithm and just tries to hash some passwords (either brute force or maybe some db of common passwords) and compare gotten string to the database. To crack way 4 the hacker has to try passwords like in the way 3, but, when hashing, his program will just take stored random string from my base and use it when hashing. It will be a bit longer for hacker, but not a lot (I think). So why the way 4 should be a lot more secure than the 3 one, or what do not I understand in the 4th way?