How much stronger would
return sha1($salt.sha1($passwd));
be compared to just:
return sha1($salt.$passwd);
$salt
is a per-user string of length 12 consisting of strong random ASCII.
It's exactly twice as strong, because the attacker needs to perform twice as many SHA1 calculations for a brute force attack.
Of course, that is still not exactly impressive. On the other hand, doing the SHA1 5000 times in a loop is practical for authorization, but makes attacks take 5000 times longer - this technique is known as key strengthening. It is, however, really just a poor man's substitute for the adaptable-cost hash algorithms that Jacco mentions.
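To make the cost comparison in the answer concrete, here is an added example (not code from the question or the answer) that re-implements the two PHP snippets in Python, adds the 5000-round loop the answer describes, and puts a standard adaptive-cost construction (PBKDF2-HMAC-SHA1 via `hashlib`) next to it. The salt and password values are constructed for illustration; the `relative_cost` timer shows why an attacker's per-guess work, not the hash's output length, is what the loop changes.

```python
import hashlib
import hmac
import time

# Constructed sample values, not taken from the original post.
SAMPLE_SALT = b"Qx7!pL2#vN9z"            # 12 strong random ASCII chars, as in the question
SAMPLE_PASSWORD = b"correct horse battery staple"


def salted_sha1(salt: bytes, password: bytes) -> str:
    """sha1($salt.$passwd): one SHA-1 over salt || password."""
    return hashlib.sha1(salt + password).hexdigest()


def double_sha1(salt: bytes, password: bytes) -> str:
    """sha1($salt.sha1($passwd)).

    PHP's sha1() returns a 40-char hex string by default, so the inner digest
    is hex-encoded before concatenation. Two SHA-1 calls per guess instead of one.
    """
    inner = hashlib.sha1(password).hexdigest().encode("ascii")
    return hashlib.sha1(salt + inner).hexdigest()


def stretched_sha1(salt: bytes, password: bytes, iterations: int = 5000) -> str:
    """Key strengthening as described in the answer: feed the digest back
    through SHA-1 `iterations` times. With iterations=1 this equals salted_sha1."""
    digest = salt + password
    for _ in range(iterations):
        digest = hashlib.sha1(digest).digest()
    return digest.hex()


def pbkdf2_sha1(salt: bytes, password: bytes, iterations: int = 5000) -> str:
    """Adaptive-cost alternative: PBKDF2-HMAC-SHA1 with a tunable iteration
    count that can be raised as hardware gets faster."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations).hex()


def verify(stored_hex: str, candidate_hex: str) -> bool:
    """Constant-time comparison of the stored and recomputed digests."""
    return hmac.compare_digest(stored_hex, candidate_hex)


def relative_cost(iterations: int, trials: int = 20) -> float:
    """How many times slower the stretched scheme is than a single salted SHA-1
    on this machine. This factor is exactly the attacker's per-guess slowdown."""
    def timeit(fn) -> float:
        start = time.perf_counter()
        for _ in range(trials):
            fn()
        return time.perf_counter() - start

    base = timeit(lambda: salted_sha1(SAMPLE_SALT, SAMPLE_PASSWORD))
    stretched = timeit(lambda: stretched_sha1(SAMPLE_SALT, SAMPLE_PASSWORD, iterations))
    return stretched / max(base, 1e-9)


if __name__ == "__main__":
    print("salted   :", salted_sha1(SAMPLE_SALT, SAMPLE_PASSWORD))
    print("double   :", double_sha1(SAMPLE_SALT, SAMPLE_PASSWORD))
    print("stretched:", stretched_sha1(SAMPLE_SALT, SAMPLE_PASSWORD))
    print("pbkdf2   :", pbkdf2_sha1(SAMPLE_SALT, SAMPLE_PASSWORD))
    print("5000-round loop is ~%.0fx the cost of one SHA-1" % relative_cost(5000))
```

The measured factor on a given machine is the whole story: the double-hash variant costs the attacker two SHA-1 calls per guess, the loop costs 5000, and PBKDF2 lets that count be raised later without changing the scheme.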