When using salts, instead of storing hash(password), an application stores hash(password + salt) in the database along with the salt (a random value per user). While this does not make the hash of a single password any stronger, it improves the resistance of the whole user base against so-called dictionary/rainbow-table attacks: an attacker who holds a precomputed set of hashes with their clear-text passwords and obtains a Camunda user database with hashed passwords is much more likely to compromise passwords when no salts are used, because one precomputed table then matches every user at once.
- add a SALT_ field to the user table
- decide on a sensible length for the salt
- ensure backwards compatibility with existing unsalted passwords
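A minimal illustration of the salted scheme and the compatibility step, added here as an example and not Camunda's own code: the column names PASSWORD_ and SALT_ follow the ticket, while SHA-256 as the hash, hex encoding of the salt and a 16-byte salt length are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed salt length: 16 random bytes (128 bits) per user.
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> str:
    """hash(password + salt) as described in the ticket.

    SHA-256 is used only to mirror that formula; a deliberately slow
    password hash (bcrypt, scrypt, PBKDF2) is the production choice.
    """
    return hashlib.sha256(password.encode("utf-8") + salt).hexdigest()


def legacy_hash(password: str) -> str:
    """Unsalted hash(password): the format existing rows already hold."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_user_row(password: str) -> dict:
    """Build the stored columns for a new user with a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"PASSWORD_": hash_password(password, salt), "SALT_": salt.hex()}


def check_password(row: dict, password: str) -> bool:
    """Verify a password; a row whose SALT_ is None is a legacy unsalted row."""
    salt_hex = row.get("SALT_")
    if salt_hex is None:
        expected = legacy_hash(password)
    else:
        expected = hash_password(password, bytes.fromhex(salt_hex))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, row["PASSWORD_"])


def check_and_upgrade(row: dict, password: str) -> bool:
    """Verify, and on success migrate a legacy row to the salted format.

    The clear-text password is only available at login, so that is the
    one moment an unsalted row can be rehashed with a salt.
    """
    if not check_password(row, password):
        return False
    if row.get("SALT_") is None:
        row.update(create_user_row(password))
    return True
```

Two users who pick the same password end up with different PASSWORD_ values, which is exactly what stops one precomputed table from matching the whole user base.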