Salt is Great, But Sometimes You Need More Ingredients
There have been many blog posts lately on the value of salting passwords to prevent attackers from discovering the actual password values. Salting is a very effective tool for protecting passwords when implemented properly, but the problem is bigger than salting. Attackers are able to access the systems where the passwords are stored, and once they own a system they can do pretty much whatever they want with it. Most will take the entire credential database and try to break the encryption/hashing schemes. In addition, many credential stores also include various bits of information about the users who own the passwords. Encrypting, hashing, and salting passwords is not enough: corporations need to take the next step of not only treating credential stores as highly sensitive crown jewels of the company, but also putting controls on the systems that hold them to prevent or thwart the attackers and their attacks in the first place.