I have to agree - if I know your salt value, running a brute-force dictionary attack takes the same amount of time as doing it if it weren't salted. Brute-forcing takes the same amount of time as if it were unsalted. The only thing (I see) a salt protecting you from is a rainbow table that wasn't computed *with* the salt. Which is a semi-valid protection assuming your password is of a large-enough keyspace and length to make rainbow tables prohibitively expensive.
If I discover my sysadmins are using '432' as their salt, I can go compute rainbow tables using that salt and then come back in a week/month/year with tables to use.
Doesn't the concept of salts depend on the concept of security through obscurity? I don't know your salt, or your mix-the-username-and-password function - and that's why it's more secure?
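An added worked example, not part of either comment above, that plays out the '432' scenario discussed in the thread: an attacker precomputes a table for a known site-wide salt and reuses it against a hash store built with that salt, then tries the same table against a store where every account has its own random salt. The hash construction (plain `salt + password` fed to SHA-256) and the wordlist are assumptions made for illustration only; SHA-256 stands in for whatever mixing function a site might use and is not a recommended password hash.

```python
import hashlib
import os

# Constructed for this example: the "mix the salt and password" function the
# comment refers to, modelled as plain concatenation hashed with SHA-256.
# A real deployment would use a slow KDF (scrypt, Argon2, bcrypt) instead.
def salted_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "dragon", "432"]

def build_table(salt: str, wordlist=WORDLIST) -> dict:
    """Precompute hash -> password for one fixed salt: the work done once,
    ahead of time, and carried back to the target later."""
    return {salted_hash(salt, pw): pw for pw in wordlist}

def lookup(table: dict, stored_hashes) -> dict:
    """Constant-time-per-hash lookup against a precomputed table."""
    return {h: table[h] for h in stored_hashes if h in table}

# Scenario 1: every account is hashed with the same site-wide salt '432'.
FIXED_SALT = "432"
fixed_salt_db = {
    "alice": salted_hash(FIXED_SALT, "hunter2"),
    "bob": salted_hash(FIXED_SALT, "qwerty"),
}

def crack_fixed_salt_db() -> dict:
    """A table built for the known salt cracks the whole store by lookup."""
    table = build_table(FIXED_SALT)
    hits = lookup(table, fixed_salt_db.values())
    return {user: hits[h] for user, h in fixed_salt_db.items() if h in hits}

# Scenario 2: each account gets a fresh random salt stored next to its hash.
def make_user(password: str) -> dict:
    salt = os.urandom(16).hex()  # salt is not secret; it is stored in the clear
    return {"salt": salt, "hash": salted_hash(salt, password)}

per_user_db = {"alice": make_user("hunter2"), "bob": make_user("qwerty")}

def crack_per_user_db_with_fixed_table() -> dict:
    """The '432' table is useless here: no stored hash was made with that salt."""
    table = build_table(FIXED_SALT)
    return lookup(table, (rec["hash"] for rec in per_user_db.values()))

def crack_per_user_db_online():
    """With no reusable table the attacker hashes the wordlist separately for
    each user's salt; returns the passwords found and the number of hashes
    computed, which grows with the number of accounts attacked."""
    work = 0
    found = {}
    for user, rec in per_user_db.items():
        for pw in WORDLIST:
            work += 1
            if salted_hash(rec["salt"], pw) == rec["hash"]:
                found[user] = pw
                break
    return found, work

if __name__ == "__main__":
    print("fixed salt, precomputed table:", crack_fixed_salt_db())
    print("per-user salts, same table:   ", crack_per_user_db_with_fixed_table())
    print("per-user salts, online guess: ", crack_per_user_db_online())
```

The point the thread circles around is visible in the three results: the table built for '432' cracks the fixed-salt store instantly, yields nothing against per-user salts, and against per-user salts the attacker pays the dictionary cost again for every account rather than once for the whole site.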