Does your application ‘salt’ passwords when encrypting/hashing?

password hashing

A password hash is a one-way function of the password: the application stores the hash rather than the password itself, and a login attempt is checked by hashing the entered password and comparing the result with the stored value. Hashing is related to encryption, but unlike encryption there is no key that reverses it, so a stolen hash cannot simply be decrypted. A salt is a random value, generated separately for each password, that is combined with the password before hashing and stored next to the resulting hash. Because every user's hash depends on a different salt, an attacker cannot compare stolen hashes against a precomputed list of hashes of common passwords (a rainbow table), and two users who chose the same password no longer end up with the same stored hash. Note that a salt only defeats precomputation; a fast general-purpose hash such as SHA-256 can still be brute-forced one salted password at a time, which is why a deliberately slow password hashing function (bcrypt, scrypt, PBKDF2 or Argon2) should be used together with the salt.

Why are they asking this?

If passwords are stored in plaintext, or hashed without a salt, an attacker who steals the password file or table can recover them by comparing the stored values against a precomputed list of hashes of common passwords. With unsalted hashes, one lookup also exposes every user who chose the same password.

What do they expect?

It is expected that every password is hashed with its own randomly generated salt before it is stored in a password file or table, that the salt is stored alongside the hash so the password can be verified at login, and that plaintext or reversibly encrypted passwords are never stored.
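The following is an added example, not code from the original page, illustrating both the explanation above and the expected behaviour. It contrasts an unsalted SHA-256 hash, which can be looked up in a precomputed table, with a per-password random salt combined with PBKDF2-HMAC-SHA256 from the Python standard library (the page does not prescribe a particular slow hash; PBKDF2 is assumed here for portability). The small wordlist and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for PBKDF2-HMAC-SHA256; Argon2, scrypt or bcrypt are equally valid choices.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme: same password always yields the same hash, so it can be precomputed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "rainbow table": hashes of a handful of common passwords an attacker would precompute.
COMMON_PASSWORDS = ["123456", "password", "hunter2", "qwerty"]
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(stored_hash: str) -> Optional[str]:
    """Recover a password from an unsalted hash by table lookup, if it is in the wordlist."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is generated per call unless one is supplied (e.g. in tests), so two users
    with the same password get different records, and the salt is stored with the hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and iteration count and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except (ValueError, TypeError):
        return False  # malformed record: never raise on the login path
    return hmac.compare_digest(digest.hex(), hash_hex)


def salted_hash_in_table(record: str) -> bool:
    """Check whether the hash part of a salted record appears in the precomputed table."""
    return record.split("$")[3] in PRECOMPUTED


if __name__ == "__main__":
    stolen = unsalted_sha256("hunter2")
    print("unsalted hash cracked by lookup:", crack_unsalted(stolen))

    rec_a = hash_password("hunter2")
    rec_b = hash_password("hunter2")
    print("two salted records for the same password differ:", rec_a != rec_b)
    print("salted hash found in precomputed table:", salted_hash_in_table(rec_a))
    print("correct password verifies:", verify_password("hunter2", rec_a))
    print("wrong password rejected:", verify_password("hunter3", rec_a))
```

The record format stores the algorithm, iteration count and salt with the hash, so the verification side needs nothing but the record, and the iteration count can be raised for new passwords without breaking existing ones.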