A salt may not have been enough to protect the passwords : if it is not complex enough, the presence of common passwords like "password" or "123456" make a brute-force attack on the salt itself possible in some case. I have performed a benchmark on that point in particular, and was able to retrieve a salt in five days, without strong optimization. A bit long to give all the numbers and code here, so the ref is http://gouigoux.com/blog/?p=46
