I use sha1() to hash my users passwords, but recently a friend told me that if someone get the hash then they could use dictionary attack and he recommended using salts.
I implemented a random salt for each user and asked the users to reset their passwords. Is the passwords now protected against dictionary attack?
I believe there are some misconceptions that needs to be corrected. First of all, a dictionary attack is a brute-force attack, but with a special assumption. In the case of hashed passwords, it assumes that the password is a word of the dictionary (or some mutation of it) and then goes over each and every word in the dictionary, hashes it and then compares it to the stolen hash to find a match.
When your friend said "dictionary attack" he probably meant rainbow tables, and a proper salt does indeed protect against rainbow tables (pre-computing a gigantic list of hashes for quick comparison right after stealing the hashes), but it almost has nothing to do with dictionary attacks. Proper salting has other benefits as well, such as preventing the attack from cracking two passwords at the same time.
Having that said, I'm also concerned about how fast your current hashing scheme is. I highly recommend learning how to securely hash passwords by using slow schemes that are especially designed for this purpose, such as BCrypt or PBKDF2.
