Final answer:
Salting adds unique data to each password before hashing, thwarting precomputed attack tables. Key stretching prolongs the hashing process, deterring brute-force attacks. Both methods significantly improve the security of password hashes.
Step-by-step explanation:
After a software engineer's recent experiences with brute-force and dictionary attacks, they have turned to salting and key stretching as methods to improve the security of stored password hashes. Salting adds an additional, unique piece of data to the end of each user's password before it is hashed, creating a distinctive hash for each user, even if two users have the same password. This makes it significantly harder for an attacker to crack passwords using precomputed tables (like rainbow tables), as they would need to generate a table for each unique salt, requiring an infeasible amount of time and computational power.
On the other hand, key stretching techniques such as bcrypt or PBKDF2 work by taking the user's password and the salt, and applying a hash function multiple times, which makes the process of verifying the user's password take longer. This delay adds a considerable amount of time to an attacker's attempts at cracking a password, especially in scenarios of brute-force attacks where the attacker has to guess many passwords to find the correct one.
Both of these techniques together increase the work factor for an attacker, which is the amount of effort and resources required to break the security. By employing both salting and key stretching, the software engineer raises the bar for the security of password hashes, making them more robust against potential attacks.