Can someone explain to me what 'salted' is?
Salting is the name given to mixing something with a password, prior to "hashing".
There is a weakness with storing hashes of passwords, which is that it is now becoming practical to build dictionaries, which you can use to match a has with it's password.
Let's take a naive approach of just storing the hash of a user's password. Let's assume user Alice sets a password of "password" and that the site uses an MD5 hash. "password" gets hashed to "5f4dcc3b5aa765d61d8327deb882cf99". The hash "5f4..." gets stored in the database.
A hacker then manages to steal the database, and they find the hashed password "5f4...". The hash value "5f4..." cannot be used to back-calculate the password. However, it is practical for an attacker with a powerful computer(s) to build a dictionary of "common" passwords over a period of weeks, months or years. Then following a hack, they can simply look the hashes up in their dictionary and see if they get any hits.
Without a hash, is that the same dictionary will work to attack any database that uses the same algorithm. This makes building dictionaries (especially sophisticated dictionaries, like "rainbow tables") an extremely economical job for hackers. They only have to build the dictionary once, and can use it over and over again.
A better security method is to "salt" the passwords. At a basic level, the site admin could think up a random string, e.g. "AHigherSecurity". In this case, the database would store the password by adding the salt. i.e. "AHigherSecuritypassword", then calculating the MD5 and storing that. (79fea0e5e53d267f8897540ebf74453f)
In this case, a hacker may be thwarted because the hash "79f..." is for a long and complex password, and is unlikely to be in an attacker's pre-calculated dictionary.
This works fine, but there is still a weakness. If the attacker finds out the salt, and the database has a lot of passwords of high value, then they could simply set out and build themselves a new dictionary with the salt taken into account. However, in this case, the attacker would have to build a new dictionary for each and every site that they attack. A pre-made dictionary won't work. They have to build it after the attack.
The preferred way to get around this is to use a different salt for each password. You then store the salt along with the hash. In this case, an attacker would be wasting their time with dictionaries, as each dictionary could only be used for 1 password. The only option is brute force and ignorance (which would require a disproportionate amount of computer resources). It doesn't matter if a hacker finds out what the salt is because all the salt is for is to stop the salt/password combo from appearing in a dictionary.
Some security experts recommend double salting. This means using a salt for each password, and a 2nd salt which is the same for all users. The individual user salts are stored in the database, but the application salt is stored in the app code itself, which means that the hacker would need to get hold of both the database and the application code in order to try extracting passwords. The double salting also makes the passwords even longer and more complex making brute force attacks even less practical.